[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][upstream-next] 2756 commits: Fix Secure connection issue when server is down

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Thu Jan 12 19:52:23 GMT 2023



Timo Aaltonen pushed to branch upstream-next at FreeIPA packaging / dogtag-pki


Commits:
300fbb53 by Dinesh Prasanth M K at 2020-08-04T16:53:55-04:00
Fix Secure connection issue when server is down

When the PKI server is down, the server is temporarily
brought up using a temporary SSL server cert. This cert
needs to be trusted to enable secure connection.

This patch:

* passes the instance's nssdb as the client nssdb to
  trust the SSL server created during cert-fix (offline
  cert renewal process).
* gets the hostname using socket instead of from an env
  variable

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
858d6a05 by Endi S. Dewata at 2020-08-04T15:55:38-05:00
Updated version number to 10.10.0-alpha1

- - - - -
b62d6960 by Stanislav Levin at 2020-08-04T15:56:02-05:00
Fix Version.__getnewargs__

According to the docs [0]:
>  object.__getnewargs__()
This method serves a similar purpose as __getnewargs_ex__(), but
supports only positional arguments. It must return a tuple of
arguments args which will be passed to the __new__() method upon
unpickling.

[0]: https://docs.python.org/3/library/pickle.html#object.__getnewargs__

Fixes: https://pagure.io/dogtagpki/issue/3200
Signed-off-by: Stanislav Levin <slev at altlinux.org>
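
The contract quoted above is easy to get wrong, so here is an added example (not the project's code) of what a correct `__getnewargs__` looks like and what happens when it returns something other than a tuple. The `Version` class below is a hypothetical stand-in for the project's class, and `BrokenVersion` is a constructed illustration of one way to violate the contract, not necessarily the defect this commit fixed.

```python
import pickle


class Version:
    """Hypothetical stand-in for the project's Version class (an assumption for this
    example). The object is built in __new__ from positional arguments, so pickle
    needs __getnewargs__ to hand those arguments back on unpickling."""

    def __new__(cls, major, minor=0, patch=0):
        self = super().__new__(cls)
        self.major, self.minor, self.patch = int(major), int(minor), int(patch)
        return self

    def __getnewargs__(self):
        # Per the pickle docs quoted above: a TUPLE of the positional arguments
        # that __new__ will receive when the object is reconstructed.
        return (self.major, self.minor, self.patch)

    def __eq__(self, other):
        return isinstance(other, Version) and \
            (self.major, self.minor, self.patch) == (other.major, other.minor, other.patch)

    def __repr__(self):
        return "Version(%d, %d, %d)" % (self.major, self.minor, self.patch)


class BrokenVersion(Version):
    """Constructed illustration: returning a list instead of a tuple breaks the
    contract, and pickle refuses the object at dump time."""

    def __getnewargs__(self):
        return [self.major, self.minor, self.patch]


def roundtrip(obj):
    """Serialize and deserialize obj; returns the reconstructed copy."""
    return pickle.loads(pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL))


def pickle_error(obj):
    """Return the name of the exception raised while pickling obj, or None."""
    try:
        pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    except Exception as exc:  # noqa: BLE001 - we want the class name, whatever it is
        return type(exc).__name__
    return None


if __name__ == "__main__":
    print(roundtrip(Version(10, 10, 0)))          # Version(10, 10, 0)
    print(pickle_error(BrokenVersion(10, 10, 0)))  # TypeError
```

Unpickling calls `Version.__new__(Version, *args)` with the tuple from `__getnewargs__` and never runs `__init__`, which is why anything the constructor needs must be in that tuple.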

- - - - -
b14b0268 by Stanislav Levin at 2020-08-04T15:58:12-05:00
Fix unittest DeprecationWarning

`assertEquals` is deprecated in favor of `assertEqual` since Python3.2:
https://docs.python.org/3/whatsnew/3.2.html

Fixes: https://pagure.io/dogtagpki/issue/3201
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
1baa5763 by Endi S. Dewata at 2020-08-05T14:01:09-05:00
Fixed exception message in ConfigClient

- - - - -
ff77811b by Endi S. Dewata at 2020-08-05T14:01:09-05:00
Updated ACME container to Fedora 31

- - - - -
49585867 by Dinesh Prasanth M K at 2020-08-05T16:35:58-04:00
Move from sudo to runuser

This patch migrates usage of sudo to runuser. In containers
sudo is not installed by default, whereas `runuser` is part of
the 'util-linux' package, which is installed by default.

Fixes: https://pagure.io/dogtagpki/issue/3171

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a2665b9f by jmagne at 2020-08-06T09:44:27-07:00
Address RHCS-1347 Add healthcheck to test the health of clone. (#496)

Simple test of clones associated with a pki instance.

Testing is predicated on locating within the given instance a CA security domain subsystem.

From there the security domain is consulted for a list of cloned subsystems.
Each clone found is checked in a simple fashion for connectivity and for simple data,
when appropriate. For now the OCSP, TKS, and TPS clones are checked for connectivity.

Another caveat: Originally I wanted to pair up each discovered clone with its master and compare data
within the CA and KRA to match them up. This round I was not able to easily figure out this mapping, so for
now the actual clones are tested.

Simple command line to run the test directly:

pki-healthcheck --debug  --source pki.server.healthcheck.clones.connectivity_and_data --check ClonesConnectivyAndDataCheck

The test reaches out and provides a result for each group of ca, kra, ocsp, tps, and tks clones.

Note that we have issues with tps and ocsp clones at this point.

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>

- - - - -
33623f6b by Endi S. Dewata at 2020-08-07T12:37:59-05:00
Added ACMEDatabase.getAccountOrders()

The ACMEDatabase.getAccountOrders() has been added to return
all order records created by an account.

- - - - -
f6c2f759 by Endi S. Dewata at 2020-08-07T12:37:59-05:00
Added ACMEAccountOrdersService

The ACMEAccountOrdersService has been added to return
non-invalid orders created by an account.

- - - - -
64e76602 by Alexander Scheel at 2020-08-07T14:03:42-04:00
Fix runuser to use absolute path

When pki-server is called as root, the following message is displayed
when trying to use runuser:

    DEBUG: Command: runuser -u pkiuser -- /usr/sbin/pki-server upgrade --debug pki-tomcat
    ERROR: [Errno 2] No such file or directory: 'runuser'
    Traceback (most recent call last):
      File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 40, in <module>
        cli.execute(sys.argv)
      File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 143, in execute
        super(PKIServerCLI, self).execute(args)
      File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 197, in execute
        module.execute(module_args)
      File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 770, in execute
        instance.run(
      File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 290, in run
        p = self.execute(
      File "/usr/lib/python3.9/site-packages/pki/server/instance.py", line 214, in execute
        subprocess.run(cmd, env=self.config, check=True)
      File "/usr/lib64/python3.9/subprocess.py", line 501, in run
        with Popen(*popenargs, **kwargs) as process:
      File "/usr/lib64/python3.9/subprocess.py", line 947, in __init__
        self._execute_child(args, executable, preexec_fn, close_fds,
      File "/usr/lib64/python3.9/subprocess.py", line 1819, in _execute_child
        raise child_exception_type(errno_num, err_msg, err_filename)
    FileNotFoundError: [Errno 2] No such file or directory: 'runuser'

This is because sudo lives under /usr/bin, which exists on PATH by
default, but because runuser lives under /usr/sbin (which is admin-only)
it doesn't live on PATH by default. Thus, an absolute path to the
executable needs to be provided.

This change was merged in 49585867207922479644a03078c29548de02cd03.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>
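
The failure above is a PATH problem, not a missing package: `/usr/sbin` is simply not searched. The following added example (not the project's code) shows one defensive way to resolve a privileged helper to an absolute path before handing it to `subprocess`, searching the conventional sbin directories first and failing with a message that names what was searched. The directory list, the `pkiuser` account name and the fake `runuser` fixture are assumptions made for this example.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Conventional Linux locations of privileged helpers such as runuser. The sbin
# directories are the point: a non-root PATH often omits them, which is why a
# bare "runuser" fails with ENOENT as in the traceback above.
# (Assumption for this example: the helper lives in one of these directories.)
PRIVILEGED_BIN_DIRS = ("/usr/sbin", "/sbin", "/usr/bin", "/bin")


def resolve_executable(name, search_dirs=PRIVILEGED_BIN_DIRS, use_path=True):
    """Return an absolute path to executable `name`, or None if not found.

    An absolute `name` is only validated. Otherwise the explicit directory list
    is searched first (so /usr/sbin is covered even when PATH lacks it), and
    PATH via shutil.which() is tried last. Only executable regular files count.
    """
    def usable(p):
        return os.path.isfile(p) and os.access(p, os.X_OK)

    if os.path.isabs(name):
        return name if usable(name) else None
    for d in search_dirs:
        candidate = os.path.join(d, name)
        if usable(candidate):
            return candidate
    return shutil.which(name) if use_path else None


def build_runuser_command(user, argv, resolver=resolve_executable):
    """Build argv for 'runuser -u USER -- ARGV...' with runuser as an absolute path.

    Raises FileNotFoundError up front instead of letting subprocess fail later
    with a bare ENOENT, so the error says where runuser was looked for.
    """
    runuser = resolver("runuser")
    if runuser is None:
        raise FileNotFoundError(
            "runuser not found in %s or on PATH" % ", ".join(PRIVILEGED_BIN_DIRS))
    return [runuser, "-u", user, "--", *list(argv)]


def demo():
    """Exercise the helpers against a fake runuser in a temporary directory
    (a constructed fixture), so this runs without root or a real PKI host."""
    with tempfile.TemporaryDirectory() as sbin:
        fake = Path(sbin, "runuser")
        fake.write_text('#!/bin/sh\nexec "$@"\n')
        fake.chmod(0o755)
        plain = Path(sbin, "notes.txt")  # present but not executable: must be skipped
        plain.write_text("not a program\n")
        plain.chmod(0o644)

        def resolver(n):
            return resolve_executable(n, (sbin,), use_path=False)

        cmd = build_runuser_command("pkiuser", ["/usr/sbin/pki-server", "status"], resolver)
        return {
            "resolved": resolver("runuser") == str(fake),
            "skips_non_executable": resolver("notes.txt") is None,
            "command_is_absolute": os.path.isabs(cmd[0]),
            "command_tail": cmd[1:],
        }


if __name__ == "__main__":
    print(demo())
```

The resolver is injected into `build_runuser_command` so that tests can substitute a fixture directory; in production the default `resolve_executable` is used as-is.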

- - - - -
26bb71ef by Alexander Scheel at 2020-08-07T14:03:52-04:00
Add server dependency on jaxb-api

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
acac6d87 by Dinesh Prasanth M K at 2020-08-10T18:22:25-04:00
Add nuxwdog status to pki-server status

Display whether nuxwdog is enabled on the system when executing
pki-server status

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a53957ec by Endi S. Dewata at 2020-08-10T19:10:18-05:00
Added pki-acme RPM package

The ACME-related files have been moved from pki-server to a new
pki-acme package. The pki-javadoc has been modified to include
ACME classes.

- - - - -
ce730f7f by Endi S. Dewata at 2020-08-12T08:33:14-05:00
Disabled AIA and cert policy extensions in ACME examples

The ACME NSS issuer has been modified to disable the AIA and
certificate policy extensions by default since they contain
non-functional URLs that might cause certbot to generate
error messages.

- - - - -
d7858a3b by Alexander Scheel at 2020-08-12T11:13:34-05:00
Start NSSCertExportCLI

Can be tested with pki nss-cert-export

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c5e1541f by Alexander Scheel at 2020-08-12T11:13:34-05:00
Fix export on FIPS-enabled HSMs

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
04c78d62 by Endi S. Dewata at 2020-08-12T11:13:34-05:00
Fixed cert nickname in NSSDatabase.export_cert_from_db()

The NSSDatabase.export_cert_from_db() has been modified to
no longer prepend the token name to the cert nickname since
the cert nickname obtained from serverCertNick.conf already
contains the token name.

- - - - -
2de8e580 by Endi S. Dewata at 2020-08-12T11:13:34-05:00
Removed blank lines in pki nss-cert-export output

The pki nss-cert-export has been modified to remove the extra
blank lines between certs and at the end of the output.

- - - - -
06ec7e93 by Endi S. Dewata at 2020-08-12T15:58:52-05:00
Added creation timestamps in ACME database

The ACME database has been modified to store the creation
timestamps of ACME records for further analysis.

- - - - -
06c90664 by Endi S. Dewata at 2020-08-13T09:10:00-05:00
Cleaned up log messages in FIPS.is_enabled()

- - - - -
dba65918 by Endi S. Dewata at 2020-08-13T09:10:00-05:00
Cleaned up log messages in NSSDatabase

- - - - -
78520ccf by Endi S. Dewata at 2020-08-13T09:13:46-05:00
Removed Configurator.importAndSetCertPermissionsFromHSM()

The Configurator.importAndSetCertPermissionsFromHSM()
is redundant since the import has been done and the
trust flags have been set earlier in configuration.py.

- - - - -
4976eef9 by Endi S. Dewata at 2020-08-13T09:17:51-05:00
Removed Configurator.verifySystemCertificates()

The Configurator.verifySystemCertificates() is redundant
since the certificates will be validated by the code that
actually uses the certificate.

- - - - -
dbe55769 by Endi S. Dewata at 2020-08-13T10:36:23-05:00
Removed CloneSetupRequest.setupReplication

The CloneSetupRequest.setupReplication is no longer needed
since the pki_clone_setup_replication will be checked before
calling SystemConfigService.setupClone().

- - - - -
d58a4d8e by Endi S. Dewata at 2020-08-13T12:35:23-05:00
Removed duplicate extension attributes

The X509CertImplMapper.mapObjectToLDAPAttributeSet() has been
modified to add the extensions as a single attribute with
multiple values instead of multiple attributes with single
values.

- - - - -
6642a31b by Endi S. Dewata at 2020-08-13T20:15:09-05:00
Moved ExtAttrDynMapper into a separate file

- - - - -
073ca9b9 by Endi S. Dewata at 2020-08-13T20:17:22-05:00
Moved RequestAttrsMapper into a separate file

- - - - -
8633de04 by Endi S. Dewata at 2020-08-13T20:18:38-05:00
Moved RequestIdMapper into a separate file

- - - - -
117dee93 by Endi S. Dewata at 2020-08-13T20:19:50-05:00
Moved RequestStateMapper into a separate file

- - - - -
4b7e3d9f by Endi S. Dewata at 2020-08-13T20:19:50-05:00
Updated log messages in DBSSession

- - - - -
35bd2159 by Endi S. Dewata at 2020-08-13T20:19:50-05:00
Updated log messages in UGSubsystem.addUser()

- - - - -
13406396 by Endi S. Dewata at 2020-08-13T20:19:50-05:00
Updated log messages in Configurator.createSecurityDomain()

- - - - -
c6f91404 by Endi S. Dewata at 2020-08-17T12:32:32-05:00
Moved ValidityConstraint to pki-ca

- - - - -
9d4d1496 by Endi S. Dewata at 2020-08-17T12:32:41-05:00
Moved CAValidityConstraint to pki-ca

- - - - -
dcd4af06 by Endi S. Dewata at 2020-08-17T12:32:43-05:00
Moved ValidityDefault to pki-ca

- - - - -
e1a09d37 by Endi S. Dewata at 2020-08-17T12:32:45-05:00
Moved CAValidityDefault to pki-ca

- - - - -
e3e8bb43 by Endi S. Dewata at 2020-08-17T12:32:47-05:00
Moved AuthorityKeyIdentifierExtDefault to pki-ca

- - - - -
8034c425 by Endi S. Dewata at 2020-08-17T12:32:49-05:00
Moved CAEnrollDefault to pki-ca

- - - - -
f62127f1 by Endi S. Dewata at 2020-08-17T12:32:51-05:00
Moved CAAdminServlet to pki-ca

- - - - -
fa66cef4 by Endi S. Dewata at 2020-08-17T12:32:53-05:00
Moved SearchReqs to pki-ca

- - - - -
b984169f by Endi S. Dewata at 2020-08-17T12:32:56-05:00
Moved ProcessCertReq to pki-ca

- - - - -
d414e4c4 by Endi S. Dewata at 2020-08-17T12:32:59-05:00
Moved CheckRequest to pki-ca

- - - - -
4ef8639d by Endi S. Dewata at 2020-08-17T12:33:04-05:00
Moved CertificateIssuedListener to pki-ca

- - - - -
deda4fc3 by Endi S. Dewata at 2020-08-17T12:33:07-05:00
Moved CertificateRevokedListener to pki-ca

- - - - -
b346f168 by Endi S. Dewata at 2020-08-17T12:36:02-05:00
Removed unused CloneSetupRequest.domainInfo

- - - - -
cfc48c72 by Endi S. Dewata at 2020-08-17T12:36:08-05:00
Removed unused CloneSetupRequest.installToken

- - - - -
087861ff by Endi S. Dewata at 2020-08-17T12:36:10-05:00
Removed unused CloneSetupRequest.cloneUri

- - - - -
b5971bdb by Endi S. Dewata at 2020-08-17T12:36:12-05:00
Removed unused CloneSetupRequest.systemCertsImported

- - - - -
cceb1851 by Endi S. Dewata at 2020-08-17T13:27:11-05:00
Updated log messages in UGSubsystem

- - - - -
75014d31 by Christina Fu at 2020-08-17T14:10:23-07:00
Bug1629025-DEV doc for: Server-Side Keygen for EE

This patch provides the document ServerSideKeygen.adoc.

https://bugzilla.redhat.com/show_bug.cgi?id=1629025

- - - - -
09eaa014 by Endi S. Dewata at 2020-08-17T17:10:02-05:00
Replaced ICertificateAuthority in CAService

- - - - -
3d7afcfe by Endi S. Dewata at 2020-08-17T17:10:02-05:00
Replaced ICertificateAuthority in CTEngine.process()

- - - - -
2945a5b7 by Endi S. Dewata at 2020-08-17T17:10:02-05:00
Replaced ISubsystem in CAPolicy.init()

- - - - -
df81fc3c by Endi S. Dewata at 2020-08-17T17:10:02-05:00
Replaced ISubsystem in KRAPolicy.init()

- - - - -
bfc42c2e by Endi S. Dewata at 2020-08-17T17:10:02-05:00
Replaced ISubsystem in GenericPolicyProcessor.init()

- - - - -
f7134804 by Endi S. Dewata at 2020-08-17T17:11:41-05:00
Replaced ICertificateAuthority in CertificateAuthority.createSubCA()

- - - - -
f7e1591f by Endi S. Dewata at 2020-08-17T17:11:59-05:00
Replaced ICertificateAuthority in CertificateAuthority.createCA()

- - - - -
cb1e6f9e by Endi S. Dewata at 2020-08-17T17:12:02-05:00
Replaced ICertificateAuthority in CertificateAuthority.getCAs()

- - - - -
c2853e46 by Endi S. Dewata at 2020-08-17T17:12:05-05:00
Replaced ICertificateAuthority in CertificateAuthority.getCA(X500Name)

- - - - -
76d1e1a3 by Endi S. Dewata at 2020-08-17T17:12:08-05:00
Replaced ICertificateAuthority in CertificateAuthority.getCA(AuthorityID)

- - - - -
14c5298b by 06shalini at 2020-08-18T11:50:00+05:30
Added changes in ansible playbooks and role ymls to make tests run for following installations: (#509)

1. FIPS-enabled machine
2. Shared tomcat installation
3. Discrete tomcat installation
4. ECC discrete tomcat installation

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>

- - - - -
ebf730d5 by Endi S. Dewata at 2020-08-18T11:58:34-05:00
Moved PublisherAdminServlet to pki-ca

- - - - -
e4b0b7f5 by Endi S. Dewata at 2020-08-18T11:58:42-05:00
Moved ChallengeRevocationServlet1 to pki-ca

- - - - -
d3814050 by Endi S. Dewata at 2020-08-18T11:58:44-05:00
Moved CMCRevReqServlet to pki-ca

- - - - -
61feb73c by Endi S. Dewata at 2020-08-18T11:58:45-05:00
Moved DisplayBySerial to pki-ca

- - - - -
50770ad9 by Endi S. Dewata at 2020-08-18T11:58:47-05:00
Moved GetCAChain to pki-ca

- - - - -
7379515c by Endi S. Dewata at 2020-08-18T11:58:49-05:00
Moved EnrollServlet to pki-ca

- - - - -
863f4e25 by Endi S. Dewata at 2020-08-18T11:58:51-05:00
Moved GetCertChain to pki-ca

- - - - -
06eefe1a by Endi S. Dewata at 2020-08-18T11:58:53-05:00
Moved LdapPublishModule to pki-ca

- - - - -
1b89140a by Endi S. Dewata at 2020-08-18T11:58:55-05:00
Moved PublishCertsJob to pki-ca

- - - - -
537f8ef3 by Endi S. Dewata at 2020-08-18T11:58:57-05:00
Moved RenewalNotificationJob to pki-ca

- - - - -
7f392e8d by Endi S. Dewata at 2020-08-18T11:59:00-05:00
Moved UnpublishExpiredJob to pki-ca

- - - - -
57610310 by Alexander Scheel at 2020-08-18T14:20:48-04:00
Make PKI use JDK8 everywhere again

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
7a1a41b2 by Endi S. Dewata at 2020-08-18T13:41:46-05:00
Removed cfgPath parameter from CMSStartServlet

The cfgPath parameter has been removed from CMSStartServlet
since it is currently not used and it can only be specified
in web.xml which is not customizable either.

- - - - -
21a29c0e by Endi S. Dewata at 2020-08-18T13:41:46-05:00
Added id field for CMSEngine

A new id field has been added to CMSEngine to store the
subsystem ID.

- - - - -
27680c7b by Endi S. Dewata at 2020-08-18T18:23:58-05:00
Updated CMSEngine.startup()

The CMSEngine.startup() has been renamed to start(). The
code in CMSStartServlet that initializes and starts the
engine has been moved into this method.

- - - - -
bd850775 by Endi S. Dewata at 2020-08-18T19:50:35-05:00
Added ServletContextListener methods into CMSEngine

The CMSEngine has been modified to implement methods defined
in ServletContextListener interface for starting up and
shutting down the engine.

- - - - -
c5e1b24a by Endi S. Dewata at 2020-08-18T19:50:35-05:00
Updated engine parameter in CMSStartServlet

The engine parameter in CMSStartServlet has been modified to
become optional.

- - - - -
78aa0de8 by Endi S. Dewata at 2020-08-19T17:39:47-05:00
Fixed ACME schema installation

Previously the ACME schema was installed by default whenever
any PKI subsystem was installed. Since all ACME files have
been moved into an optional pki-acme package, the ACME schema
should no longer be installed by default. Instead, the ACME
schema should be installed separately as described in ACME
installation document.

- - - - -
526fd9a1 by Endi S. Dewata at 2020-08-19T20:34:49-05:00
Updated CA startup

The CAEngine has been modified to implement
ServletContextListener which will start up and shut down
the subsystem.

- - - - -
760eabce by Endi S. Dewata at 2020-08-19T20:35:03-05:00
Updated KRA startup

The KRAEngine has been modified to implement
ServletContextListener which will start up and shut down
the subsystem.

- - - - -
588fa0d5 by Endi S. Dewata at 2020-08-19T20:35:10-05:00
Updated OCSP startup

The OCSPEngine has been modified to implement
ServletContextListener which will start up and shut down
the subsystem.

- - - - -
66899ea9 by Endi S. Dewata at 2020-08-19T20:35:10-05:00
Updated TKS startup

The TKSEngine has been modified to implement
ServletContextListener which will start up and shut down
the subsystem.

- - - - -
9f861c26 by Endi S. Dewata at 2020-08-19T20:35:10-05:00
Updated TPS startup

The TPSEngine has been modified to implement
ServletContextListener which will start up and shut down
the subsystem.

- - - - -
9bdc201a by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved ReqCertSANameEmailResolver to pki-ca

- - - - -
62d4b779 by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved GetBySerial to pki-ca

- - - - -
00f01dbf by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved HashEnrollServlet to pki-ca

- - - - -
bc15cefe by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved CACertCAEnrollProfile to pki-ca

- - - - -
6ccdc795 by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved ServerCertCAEnrollProfile to pki-ca

- - - - -
b07e3c9d by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved UserCertCAEnrollProfile to pki-ca

- - - - -
3b964a46 by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved CAEnrollProfile to pki-ca

- - - - -
acbd386f by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved CMCOutputTemplate to pki-ca

- - - - -
a78fd603 by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved CMCUserSignedSubjectNameConstraint to pki-ca

- - - - -
ac605864 by Endi S. Dewata at 2020-08-20T12:12:56-05:00
Moved CMCUserSignedSubjectNameDefault to pki-ca

- - - - -
0485db3e by Endi S. Dewata at 2020-08-20T12:21:35-05:00
Moved CMCUserSignedAuth to pki-ca

- - - - -
f2e44afa by Endi S. Dewata at 2020-08-20T12:28:10-05:00
Moved CAEnrollConstraint to pki-ca

- - - - -
5a5013ed by Alexander Scheel at 2020-08-21T10:38:56-04:00
Add JAXB Implementation dependency for JDK11+

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
0c7f54fe by Alexander Scheel at 2020-08-21T10:38:56-04:00
Add Jakarta Activation dependency for JDK11+

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
40857e61 by Alexander Scheel at 2020-08-24T09:11:02-04:00
Fix permissions when installing clone

When pkispawn runs, it executes as root. However, rarely is PKI
installed as root. The resulting permissions on ca.crt are 600,
preventing later pki-server migrate command from running, as it
runs as pkiuser, who doesn't have access to ca.crt. Fix the
permissions when we initially create ca.crt to be owned by pkiuser.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
87a44e92 by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved CrossCertPairSubsystem to pki-ca

- - - - -
539e10ff by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved CertificatePair to pki-ca

- - - - -
b09df5c3 by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved LdapEncryptCertPublisher to pki-ca

- - - - -
8fabafa5 by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved PKCS7Output to pki-ca

- - - - -
dfd0f525 by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved CMMFOutput to pki-ca

- - - - -
6a66f61e by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved UniqueKeyConstraint to pki-ca

- - - - -
b6548a1d by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved UniqueSubjectNameConstraint to pki-ca

- - - - -
1063c6c8 by Endi S. Dewata at 2020-08-24T11:03:31-05:00
Moved ServerKeygenUserKeyDefault to pki-ca

- - - - -
bd1f6853 by Endi S. Dewata at 2020-08-24T11:03:32-05:00
Moved SigningAlgConstraint to pki-ca

- - - - -
69a840f7 by Endi S. Dewata at 2020-08-24T11:03:32-05:00
Moved SigningAlgDefault to pki-ca

- - - - -
2ef0b184 by Endi S. Dewata at 2020-08-24T11:04:54-05:00
Updated log messages in AuthorityService

- - - - -
844268fd by Endi S. Dewata at 2020-08-24T11:29:14-05:00
Added CAEngine.getCA()

The CAEngine.getCA() has been added to return the main/host
CertificateAuthority instance.

- - - - -
987a4718 by Endi S. Dewata at 2020-08-24T19:06:28-05:00
Move CertificateAuthority.caMap to CAEngine

- - - - -
db000a35 by Endi S. Dewata at 2020-08-24T19:06:34-05:00
Move CertificateAuthority.getCAs() to CAEngine

- - - - -
d845df85 by Endi S. Dewata at 2020-08-24T19:06:41-05:00
Move CertificateAuthority.getCA(AuthorityID) to CAEngine

- - - - -
3ea58b7b by Endi S. Dewata at 2020-08-24T19:06:43-05:00
Move CertificateAuthority.getCA(X500Name) to CAEngine

- - - - -
e63f8b24 by Endi S. Dewata at 2020-08-24T19:10:35-05:00
Remove unused ITimeSource

- - - - -
40bc98ae by Endi S. Dewata at 2020-08-24T19:14:28-05:00
Move CertificateAuthority.createCA() to CAEngine

- - - - -
83129466 by Endi S. Dewata at 2020-08-24T19:14:28-05:00
Add CAEngine.addCA()

- - - - -
9de5a14b by Endi S. Dewata at 2020-08-24T19:14:28-05:00
Add CAEngine.removeCA()

- - - - -
652eadb5 by Endi S. Dewata at 2020-08-24T19:49:32-05:00
Move CertificateAuthority.keyRetrieverThreads to CAEngine

- - - - -
bd525e0b by Endi S. Dewata at 2020-08-24T19:49:33-05:00
Add CAEngine.hasKeyRetriever()

- - - - -
256248f9 by Endi S. Dewata at 2020-08-24T19:49:34-05:00
Add CAEngine.addKeyRetriever()

- - - - -
8e8ac282 by Endi S. Dewata at 2020-08-24T19:49:35-05:00
Add CAEngine.removeKeyRetriever()

- - - - -
c73824cb by Endi S. Dewata at 2020-08-24T19:49:36-05:00
Clean up CertificateAuthority.initDefCaAttrs()

- - - - -
4be50f84 by Endi S. Dewata at 2020-08-24T19:49:37-05:00
Clean up CMSEngine.initializePasswordStore()

- - - - -
ef6bd38d by Endi S. Dewata at 2020-08-24T19:49:38-05:00
Clean up CMSEngine.configureAutoShutdown()

- - - - -
b1135ba1 by Endi S. Dewata at 2020-08-24T20:59:12-05:00
Add CMSEngine.initSecurityDomain()

- - - - -
8371f813 by Endi S. Dewata at 2020-08-24T20:59:59-05:00
Add CMSEngine.configurePorts()

- - - - -
049aa69f by Endi S. Dewata at 2020-08-24T21:00:00-05:00
Add CMSEngine.initPlugins()

- - - - -
a8c1e749 by Endi S. Dewata at 2020-08-24T21:10:11-05:00
Add CMSEngine.initSecurityProvider()

- - - - -
790f90d9 by Endi S. Dewata at 2020-08-24T21:10:28-05:00
Add CMSEngine.initLogging()

- - - - -
ea4b82a6 by Endi S. Dewata at 2020-08-26T09:29:12-05:00
Remove unused ICertificateAuthority.PROP_CA_CHAIN_NUM

- - - - -
c2ede922 by Endi S. Dewata at 2020-08-26T09:29:13-05:00
Add CertificateAuthority.getCertChain()

- - - - -
39ed2641 by Endi S. Dewata at 2020-08-26T09:29:14-05:00
Add CMSEngine.initDatabase()

- - - - -
be4512dc by Endi S. Dewata at 2020-08-26T09:53:30-05:00
Move CertificateAuthority.dbFactory to CAEngine

- - - - -
b23f5d2f by Endi S. Dewata at 2020-08-26T09:57:38-05:00
Move CertificateAuthority.authorityBaseDN() to CAEngine

- - - - -
380919dc by Endi S. Dewata at 2020-08-26T09:57:38-05:00
Move CertificateAuthority.entryUSNPluginEnabled() to CAEngine

- - - - -
07ad39b2 by Endi S. Dewata at 2020-08-26T11:33:12-05:00
Move authority update tracker to CAEngine

- - - - -
d9e31985 by Endi S. Dewata at 2020-08-26T11:33:16-05:00
Move CertificateAuthority.getCommitConstraints() to CAEngine

- - - - -
a0651daa by Endi S. Dewata at 2020-08-26T11:33:16-05:00
Move CertificateAuthority.postCommit() to CAEngine

- - - - -
2c08462c by Endi S. Dewata at 2020-08-26T12:14:16-05:00
Move CertificateAuthority.forgetAuthority() to CAEngine

- - - - -
287376e5 by Endi S. Dewata at 2020-08-26T12:14:16-05:00
Move authority deletion tracker to CAEngine

- - - - -
019cb15e by Endi S. Dewata at 2020-08-26T12:16:55-05:00
Move CertificateAuthority.addAuthorityEntry() to CAEngine

- - - - -
65ff5975 by Endi S. Dewata at 2020-08-26T12:16:56-05:00
Move CertificateAuthority.modifyAuthorityEntry() to CAEngine

- - - - -
731cc8fc by Endi S. Dewata at 2020-08-26T12:18:06-05:00
Move CertificateAuthority.deleteAuthorityEntry() to CAEngine

- - - - -
11e88c9c by Endi S. Dewata at 2020-08-26T12:18:08-05:00
Remove redundant CertificateAuthority.stopped

- - - - -
fd269bae by Endi S. Dewata at 2020-08-26T15:06:14-05:00
Updated acmeIdentifier for ACME orders and authorizations

Previously the identifiers for ACME order and authorization
records were stored as "acmeIdentifier;<type>=<value>" in DS,
which doesn't seem to be supported in OpenLDAP. To support
both LDAP servers, the identifiers are now stored as
"acmeIdentifier=<type>:<value>".

- - - - -
f5ad995c by Endi S. Dewata at 2020-08-26T15:06:14-05:00
Updated userCertificate for ACME certificates

Previously the certificate data for ACME certificates was stored
as "userCertificate=<data>" in DS, which doesn't seem to work in
OpenLDAP. To support both LDAP servers, the certificate data is
now stored as "userCertificate;binary=<data>".
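
The two commits above move information between two different places in an LDAP attribute: in the old `acmeIdentifier;<type>=<value>` form the identifier type was an attribute *option* (the part after `;`, as in `userCertificate;binary`), while in the new form it is part of the attribute *value*. The following added example (not the project's code) parses attribute descriptions, encodes and decodes the new `<type>:<value>` form, and renders both attributes as LDIF; the regex is a simplification written for this example, the sample DER bytes are constructed, and the IPv6 case is included because an `ip` identifier's value contains `:` itself.

```python
import base64
import re

# RFC 4512 attribute description: an attribute type name followed by zero or
# more ";option" tags (e.g. "userCertificate;binary"). Simplified for this
# example: OID-form type names are not accepted.
_ATTR_DESC = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)((?:;[A-Za-z0-9-]+)*)$")


def parse_attribute_description(desc):
    """Split an attribute description into (type, [options])."""
    m = _ATTR_DESC.match(desc)
    if not m:
        raise ValueError("invalid attribute description: %r" % desc)
    name, opts = m.group(1), m.group(2)
    return name, [o for o in opts.split(";") if o]


def encode_identifier(id_type, value):
    """Encode an ACME identifier as the '<type>:<value>' string stored in acmeIdentifier."""
    if not id_type or ":" in id_type:
        raise ValueError("identifier type must be non-empty and must not contain ':'")
    return "%s:%s" % (id_type, value)


def decode_identifier(stored):
    """Inverse of encode_identifier. Splits on the FIRST ':' only, so an 'ip'
    identifier holding an IPv6 address (which itself contains ':') survives."""
    id_type, sep, value = stored.partition(":")
    if not sep or not id_type:
        raise ValueError("malformed acmeIdentifier value: %r" % stored)
    return id_type, value


def ldif_attributes(id_type, value, cert_der=None):
    """Render the two attributes as LDIF lines. The identifier type travels in the
    value, not as an attribute option; the DER certificate goes under the
    'userCertificate;binary' description, base64-encoded as LDIF's '::' requires."""
    lines = ["acmeIdentifier: " + encode_identifier(id_type, value)]
    if cert_der is not None:
        lines.append("userCertificate;binary:: " + base64.b64encode(cert_der).decode("ascii"))
    return lines


if __name__ == "__main__":
    # Constructed sample: a 5-byte DER SEQUENCE standing in for a real certificate.
    for line in ldif_attributes("dns", "www.example.com", b"\x30\x03\x02\x01\x01"):
        print(line)
    print(parse_attribute_description("acmeIdentifier;dns"))  # old form: type was an option
    print(decode_identifier("ip:2001:db8::1"))
```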

- - - - -
483229ce by Endi S. Dewata at 2020-08-26T15:06:14-05:00
Added OpenLDAP database for ACME

A new OpenLDAPDatabase class has been added to provide an ACME
database in OpenLDAP. The class is currently identical to the
existing LDAPDatabase class, but it's provided for implementing
OpenLDAP-specific code in the future.

A new schema file, a sample initialization file, and a sample
configuration file for OpenLDAP have been added.

The pki-server acme-database-* commands have also been
modified to support an "openldap" type.

The ACME database documentation has been updated as well.

- - - - -
ae5e4d5c by Endi S. Dewata at 2020-08-26T15:06:14-05:00
Added DS database for ACME

The LDAP database for ACME has been copied into new DS
database to distinguish it from OpenLDAP database. Once
IPA is updated to use the DS database, the LDAP database
will be dropped.

- - - - -
d30700d3 by Dinesh Prasanth M K at 2020-08-26T16:34:16-04:00
Run QE tests on upstream CI pipeline on Vagrant

Provision 2 Vagrant VMs on a Macintosh host (only Mac is supported in
GH actions):

controller:
  VM used to run the ansible playbook. The playbook is provisioned
  using Vagrant's inbuilt provisioners
master:
  VM acts as the PKI master node. topology-02 (discrete instance) is
  used to configure this node.

Note1: Static inventory file is used. This is because the playbook
is being executed from the guest VM (controller) and autogenerated
hostfile is unreliable.

Note2: When creating Vagrant VMs, provisioning is suspended. This is
to resolve the dependency between master and controller, i.e. the latest built
packages need to be installed on master first before controller tries
to execute playbooks.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
6e9d5f9e by Shalini Khandelwal at 2020-08-26T16:34:16-04:00
Added changes in installation test playbooks to wait for other instances to come up.

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

- - - - -
32c4a406 by Dinesh Prasanth M K at 2020-08-26T16:34:16-04:00
Fix memory for the Vagrant VMs

The Vagrant VM memory config was incorrect. This patch fixes the
error. The controller is now assigned 930MB of RAM and the
master gets around 2750MB of RAM.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
0d97d015 by Dinesh Prasanth M K at 2020-08-26T16:34:16-04:00
Fix script file to grep from binary files

The tkstool outputs some binary characters. As a result, grep
thinks it is reading a binary file. This patch adds a grep
option to process the file containing binary characters as
a text file.

Ref: https://unix.stackexchange.com/q/335716/320815

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
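
The commit does not name the option, so the following added example (not the project's script) assumes it is GNU grep's `-a` (`--binary-files=text`). It builds a small file with a stray NUL byte as a stand-in for tkstool output (constructed, not real tool output), and contrasts grep's default "binary file matches" notice with the actual matching line that `-a` returns.

```sh
#!/bin/sh
# Added example: GNU grep's binary-file heuristic versus -a / --binary-files=text.

# Write a file whose readable lines are separated by a NUL byte; the NUL is
# what makes GNU grep classify the whole file as binary. (Constructed sample.)
make_sample() {
    printf 'Key created: exampleKey\n\000\nStatus: ok\n' > "$1"
}

# Default behaviour: grep only reports that a binary file matched (on stdout
# in older releases, on stderr since GNU grep 3.5) and never prints the line.
# stderr is merged so the notice is visible whichever release is installed.
grep_default() {
    grep 'Status' "$1" 2>&1
}

# With -a the same file is processed as text and the matching line comes back,
# which is what a script that parses tool output needs.
grep_as_text() {
    grep -a 'Status' "$1"
}

main() {
    f="${TMPDIR:-/tmp}/tkstool-sample.$$"
    make_sample "$f"
    printf 'default : %s\n' "$(grep_default "$f")"
    printf 'with -a : %s\n' "$(grep_as_text "$f")"
    rm -f "$f"
}

main
```

Pinning `-a` is the right fix only when the bytes really are incidental noise in otherwise line-oriented output; if the tool emits genuinely binary data, the parsing script should read a structured output format instead of grepping.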

- - - - -
807bf690 by Endi S. Dewata at 2020-08-26T16:57:03-05:00
Fixed acmeServerCert profile

The acmeServerCert profile has been modified to remove
hard-coded URLs since they point to non-existent services
which might cause certificate validation issues.

An upgrade script has been added to fix the profile
configuration file if the profile has not been customized
by the admin.

https://bugzilla.redhat.com/show_bug.cgi?id=1868233

- - - - -
62d5799b by Endi S. Dewata at 2020-08-26T17:42:24-05:00
Move CertificateAuthority.lwcaLoaded to CAEngine

- - - - -
8d0f12a9 by Endi S. Dewata at 2020-08-26T17:42:24-05:00
Move CertificateAuthority.foundHostAuthority to CAEngine

- - - - -
b7755753 by Endi S. Dewata at 2020-08-26T17:42:24-05:00
Move CertificateAuthority.haveLightweightCAsContainer() to CAEngine

- - - - -
f23e55cb by Endi S. Dewata at 2020-08-26T17:42:24-05:00
Move CertificateAuthority.readAuthority() to CAEngine

- - - - -
bed231d5 by 06shalini at 2020-08-27T21:26:19+05:30
Updated pytest-ansible to latest package and added utils from pki integration-test module. (#535)

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>

- - - - -
7abe19e5 by Endi S. Dewata at 2020-08-27T14:49:25-05:00
Fixed missing sslserver and subsystem certs

When installing an additional subsystem into an instance,
the deployment scriptlet has been modified to copy the
cert and request data for sslserver and subsystem certs
from the existing subsystem.

https://bugzilla.redhat.com/show_bug.cgi?id=1869893

- - - - -
7a5ade61 by Endi S. Dewata at 2020-08-27T16:33:41-05:00
Move CertificateAuthority.addHostAuthorityEntry() to CAEngine

- - - - -
15967493 by Endi S. Dewata at 2020-08-27T16:33:41-05:00
Cleaned up CA SigningUnit.init()

- - - - -
929a3c9f by Endi S. Dewata at 2020-08-27T16:33:41-05:00
Add CertificateAuthority.initOCSPSigningUnit()

- - - - -
204e6db1 by Endi S. Dewata at 2020-08-27T16:33:41-05:00
Add CertificateAuthority.initCRLSigningUnit()

- - - - -
bef964f8 by Endi S. Dewata at 2020-08-27T16:33:41-05:00
Clean up CertificateAuthority.initSigUnit()

- - - - -
04b900f3 by Endi S. Dewata at 2020-08-31T11:39:57-05:00
Add JAVA_VERSION for CMake

The RPM spec and CMake files have been modified to detect the
actual Java version used to build PKI and add the appropriate
libraries for that version.

- - - - -
abcfb633 by Endi S. Dewata at 2020-08-31T11:41:04-05:00
Clean up CAEngine.addKeyRetriever()

- - - - -
f553c6e0 by Endi S. Dewata at 2020-08-31T11:41:04-05:00
Add CertificateAuthority.generateSigningCert()

- - - - -
ab0c00cf by Endi S. Dewata at 2020-08-31T11:41:04-05:00
Move CertificateAuthority.createSubCA() to CAEngine

- - - - -
71b59059 by Endi S. Dewata at 2020-08-31T11:41:04-05:00
Add CAEngine.updateAuthoritySerialNumber()

- - - - -
2fdd6657 by Endi S. Dewata at 2020-08-31T11:41:04-05:00
Move CertificateAuthority.modifyAuthority() to CAEngine

- - - - -
331327dd by Endi S. Dewata at 2020-08-31T11:41:04-05:00
Move CertificateAuthority.addInstanceToAuthorityKeyHosts() to CAEngine

- - - - -
9ceb9f58 by Endi S. Dewata at 2020-08-31T11:44:45-05:00
Remove DBSubsystemDefaultStub

- - - - -
9e4833fc by Endi S. Dewata at 2020-08-31T11:44:45-05:00
Remove ICryptoSubsystem

- - - - -
ce768ec2 by Endi S. Dewata at 2020-08-31T12:26:52-05:00
Remove IDBSubsystem

- - - - -
641accda by Endi S. Dewata at 2020-08-31T12:26:52-05:00
Move ReasonToRevoke to pki-ca

- - - - -
ce2829c3 by Endi S. Dewata at 2020-08-31T12:26:52-05:00
Update log messages in CertificateAuthority

- - - - -
e117f897 by Endi S. Dewata at 2020-08-31T13:02:32-05:00
Added upgrade script to fix missing cert/request data

An upgrade script has been added to fix the missing sslserver
and subsystem cert/request data by copying it from another
subsystem.

https://bugzilla.redhat.com/show_bug.cgi?id=1869893

- - - - -
9bb247e6 by Endi S. Dewata at 2020-08-31T16:18:24-05:00
Update CMSEngine.init()

- - - - -
2c67dcfc by Endi S. Dewata at 2020-08-31T16:18:24-05:00
Update CMSEngine.autoShutdown()

- - - - -
a8bceb9d by Endi S. Dewata at 2020-08-31T16:18:24-05:00
Rename CMSEngine.initPlugins()

- - - - -
06c2d448 by Endi S. Dewata at 2020-08-31T16:18:24-05:00
Add CAEngine.initLogSubsystem()

- - - - -
19f4e692 by Endi S. Dewata at 2020-08-31T16:18:24-05:00
Add CAEngine.initJssSubsystem()

- - - - -
315b0264 by Endi S. Dewata at 2020-08-31T16:19:03-05:00
Add CAEngine.initDBSubsystem()

- - - - -
5916a9e8 by Endi S. Dewata at 2020-08-31T16:19:03-05:00
Add CAEngine.initUGSubsystem()

- - - - -
3b8037f9 by Endi S. Dewata at 2020-08-31T20:08:45-05:00
Add CMSEngine.initOIDLoaderSubsystem()

- - - - -
b1904853 by Endi S. Dewata at 2020-08-31T20:08:50-05:00
Add CMSEngine.initX500NameSubsystem()

- - - - -
d35abfff by Endi S. Dewata at 2020-08-31T21:07:46-05:00
Add CMSEngine.initRequestSubsystem()

- - - - -
ee57957f by Endi S. Dewata at 2020-08-31T21:41:07-05:00
Replaced IJobsScheduler with JobsScheduler

- - - - -
e0b24963 by Endi S. Dewata at 2020-08-31T21:54:07-05:00
Add CMSEngine.initJobsScheduler()

- - - - -
a21d480d by Endi S. Dewata at 2020-09-01T11:17:15-05:00
Replaced IAuthzSubsystem with AuthzSubsystem

- - - - -
bdea2888 by Endi S. Dewata at 2020-09-01T11:26:34-05:00
Add CMSEngine.initAuthzSubsystem()

- - - - -
0775bb60 by Endi S. Dewata at 2020-09-01T11:45:28-05:00
Replaced IAuthSubsystem with AuthSubsystem

- - - - -
ed142dd4 by Endi S. Dewata at 2020-09-01T11:52:49-05:00
Add CMSEngine.initAuthSubsystem()

- - - - -
d0922215 by Endi S. Dewata at 2020-09-01T12:32:52-05:00
Move CertificateAuthority.mCertRepot to CAEngine

- - - - -
33b7abec by Endi S. Dewata at 2020-09-01T12:32:52-05:00
Move CertificateAuthority.mCRLRepot to CAEngine

- - - - -
e65d55da by Endi S. Dewata at 2020-09-01T12:32:52-05:00
Move CertificateAuthority.mReplicaRepot to CAEngine

- - - - -
97038b51 by Endi S. Dewata at 2020-09-01T20:22:01-05:00
Update CMSEngine.loadSubsystems()

- - - - -
244557a4 by Endi S. Dewata at 2020-09-01T20:22:01-05:00
Update CMSEngine.initSubsystems()

- - - - -
6f634c5c by Endi S. Dewata at 2020-09-01T20:22:01-05:00
Update CMSEngine.startupSubsystems()

- - - - -
05e63a84 by Endi S. Dewata at 2020-09-01T20:22:02-05:00
Update CMSEngine.shutdownSubsystems()

- - - - -
e14fa10f by Endi S. Dewata at 2020-09-01T20:22:02-05:00
Remove unused SubsystemInfo constructor

- - - - -
d968173e by Endi S. Dewata at 2020-09-01T20:22:02-05:00
Remove unused subsystem lists in CMSEngine

- - - - -
a1c326d1 by Dinesh Prasanth M K at 2020-09-02T10:12:44-07:00
CI: Use NFS instead of virtualbox guest

VBGuest addition to a VM requires a rebuild of plugins, causing
a whole lot of packages to be installed. This patch removes the
dependency on VBGuest and uses NFS to sync the folders between
guest and host.

Note that since we plan to add more tests, we are cutting out
F31 from this patch, i.e. we will be running our tests on the latest
stable Fedora release.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
cc6f657e by Endi S. Dewata at 2020-09-02T21:45:52-05:00
Move CertificateAuthority.mPolicy to CAEngine

- - - - -
6465213b by Endi S. Dewata at 2020-09-02T21:45:52-05:00
Move CertificateAuthority.mService to CAEngine

- - - - -
b077273c by Endi S. Dewata at 2020-09-02T21:45:52-05:00
Move CertificateAuthority.mNotify to CAEngine

- - - - -
44eb7eab by Endi S. Dewata at 2020-09-02T21:45:52-05:00
Move CertificateAuthority.mPNotify to CAEngine

- - - - -
59c5f50d by Endi S. Dewata at 2020-09-02T21:45:52-05:00
Move CertificateAuthority.mRequestQueue to CAEngine

- - - - -
8f4b229d by Endi S. Dewata at 2020-09-03T09:15:21-05:00
Move SystemConfigService.processKeyPair() to Configurator

- - - - -
816866b9 by Endi S. Dewata at 2020-09-03T18:02:07-05:00
Add Configurator.loadCert()

- - - - -
b799ba29 by Endi S. Dewata at 2020-09-03T18:02:50-05:00
Add Configurator.generateCert()

- - - - -
05dbb9f0 by Endi S. Dewata at 2020-09-03T18:03:20-05:00
Move SystemConfigService.processCert() to Configurator

- - - - -
ba5f1b2e by Endi S. Dewata at 2020-09-03T18:03:21-05:00
Add Configurator.setupCert()

- - - - -
c1f61a2e by Endi S. Dewata at 2020-09-04T09:11:59-05:00
Move CertificateAuthority.mDefaultCertVersion to CAEngine

- - - - -
4349c907 by Endi S. Dewata at 2020-09-04T09:11:59-05:00
Move CertificateAuthority.mDefaultValidity to CAEngine

- - - - -
7de9663e by Endi S. Dewata at 2020-09-04T09:12:51-05:00
Move CertificateAuthority.mEnablePastCATime to CAEngine

- - - - -
993f6345 by Endi S. Dewata at 2020-09-04T09:12:51-05:00
Move CertificateAuthority.mEnableOCSP to CAEngine

- - - - -
a43300fb by Endi S. Dewata at 2020-09-04T09:14:03-05:00
Move CertificateAuthority.mFastSigning to CAEngine

- - - - -
c9981d42 by Endi S. Dewata at 2020-09-04T12:52:12-05:00
Move CertificateAuthority.mUseNonces to CAEngine

- - - - -
3653533a by Endi S. Dewata at 2020-09-04T12:53:01-05:00
Move CertificateAuthority.mMaxNonces to CAEngine

- - - - -
d113c2f0 by Dinesh Prasanth M K at 2020-09-04T12:20:16-07:00
CI: Run healthcheck in CI pipeline

This patch executes both PKI healthcheck and IPA healthcheck
tools in corresponding CI jobs.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
c2f6b3b7 by Endi S. Dewata at 2020-09-04T14:32:43-05:00
Move CA services startup to CAEngine.initSubsystems()

- - - - -
f443dfa1 by Endi S. Dewata at 2020-09-04T14:32:43-05:00
Move CertificateAuthority.mListenerPlugins to CAEngine

- - - - -
308668fb by Endi S. Dewata at 2020-09-04T14:32:43-05:00
Move CertificateAuthority.mByName to CAEngine

- - - - -
67579184 by Endi S. Dewata at 2020-09-04T14:32:43-05:00
Move CertificateAuthority.mCRLPublisher to CAEngine

- - - - -
46ef5dc5 by Endi S. Dewata at 2020-09-04T14:34:36-05:00
Move KeyRetriever checks to CAEngine.startKeyRetriever()

- - - - -
e9e1ad28 by Endi S. Dewata at 2020-09-04T14:34:41-05:00
Move KeyRetriever creation to CAEngine.startKeyRetriever()

- - - - -
9410e743 by Endi S. Dewata at 2020-09-04T14:34:41-05:00
Move CertificateAuthority.mPublisherProcessor to CAEngine

- - - - -
9ba9d601 by jmagne at 2020-09-04T17:05:41-07:00
Address Bug 1787115 - [RFE] Need Method to copy SKI from CSR to Certificate signed. (#511)

This fix allows a way to configure a profile's SubjectKeyIdentifier process to optionally pick up
a SKI extension from the incoming CSR and use it instead of the one that is self calculated by the server.

Here is a profile snippet for the SKI as an example:

policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
policyset.caCertSet.8.default.params.critical=false
policyset.caCertSet.8.default.params.messageDigest=SHA-1
policyset.caCertSet.8.default.params.useSKIFromCertRequest=true

Note the new param: useSKIFromCertRequest=true
This new param will default to false, thus not disturbing existing functionality.

When set to true, the CA will attempt to use the SKI extension within the CSR instead
of creating a new one unconditionally.

If the new param is false or not present, the original functionality will execute.

If for some reason the ext can't be found in the CSR, the existing functionality will execute
as well.

Here is a simple CA Server CSR with a custom SKI to test with:

-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----

If the CSR doesn't have the extension while the param is set, the SKI will
be calculated as usual.

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>

- - - - -
e67dc554 by Endi S. Dewata at 2020-09-04T22:40:00-05:00
Move CertificateAuthority.mCRLIssuePoints to CAEngine

- - - - -
8ca544d8 by Endi S. Dewata at 2020-09-04T22:40:00-05:00
Move CertificateAuthority.mMasterCRLIssuePoint into CAEngine

- - - - -
bd196146 by Endi S. Dewata at 2020-09-04T22:40:00-05:00
Move CertificateAuthority.mIssuanceProtCert to CAEngine

- - - - -
405c1283 by Endi S. Dewata at 2020-09-04T22:40:00-05:00
Move CertificateAuthority.authorityMonitor to CAEngine

- - - - -
4a3ade75 by Endi S. Dewata at 2020-09-08T18:09:26-05:00
Move CertificateAuthority.mCertIssuedListener to CAEngine

- - - - -
be899c7b by Endi S. Dewata at 2020-09-08T18:09:28-05:00
Move CertificateAuthority.mCertRevokedListener to CAEngine

- - - - -
dcc83f7c by Endi S. Dewata at 2020-09-08T18:09:29-05:00
Move CertificateAuthority.mReqInQListener to CAEngine

- - - - -
296c4bff by Endi S. Dewata at 2020-09-08T18:09:30-05:00
Clean up CertificateAuthority.startup()

- - - - -
2222ba4b by Endi S. Dewata at 2020-09-08T18:09:31-05:00
Refactored CertificateAuthority constructor

- - - - -
95883203 by Endi S. Dewata at 2020-09-08T18:09:33-05:00
Refactored CertificateAuthority.hostCA

- - - - -
4cbb18d1 by Endi S. Dewata at 2020-09-08T18:09:34-05:00
Add CAEngine.getConnectionFactory()

- - - - -
6e553f66 by Endi S. Dewata at 2020-09-08T19:44:39-05:00
Clean up SelfTestSubsystem initialization

- - - - -
149630e0 by Endi S. Dewata at 2020-09-08T19:49:31-05:00
Clean up CertificateAuthority initialization

- - - - -
75a713d9 by Endi S. Dewata at 2020-09-08T19:49:31-05:00
Clean up CrossCertPairSubsystem initialization

- - - - -
37bb71ba by Endi S. Dewata at 2020-09-08T19:49:31-05:00
Clean up KeyRecoveryAuthority initialization

- - - - -
853b910d by Endi S. Dewata at 2020-09-08T19:49:31-05:00
Clean up OCSPAuthority initialization

- - - - -
eac41bd9 by Endi S. Dewata at 2020-09-08T19:49:31-05:00
Clean up TKSAuthority initialization

- - - - -
e6531d9b by Christina Fu at 2020-09-10T15:40:45-07:00
Bug1875563-Add KRA Transport and Storage Certificates profiles for IPA

This patch adds two profiles for IPA, namely
 caIPAKraTransportCert
 caIPAKraStorageCert

Both are consistent with the existing profile caIPAserviceCert where
  visible=false
  auth.instance_id=raCertAuth
    raCertAuth is an instance of AgentCertAuth with
    agentGroup=Registration Manager Agents

Upgrade scripts are provided to handle upgrades as well.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1875563

- - - - -
421bf4c0 by Alexander Scheel at 2020-09-11T13:04:36-04:00
Update javax-activation paths for Debian

As reported by Timo on IRC.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
41c732a4 by Alexander Scheel at 2020-09-11T13:04:36-04:00
Migrate JAVA_HOME in instance configuration

When we upgrade from F32 to F33, we need to be able to upgrade JAVA_HOME
to set it to the new value. This value will also change on F32 (from a
JDK8-specific path to a generic path). This requires migration to happen
on subsystem start.

This means that the recommended way to configure JAVA_HOME to a value
OTHER than what's shipped in /usr/.../pki.conf becomes to set it in
/etc/.../pki.conf, and means that /etc/sysconfig/tomcat.conf gets
rewritten each time.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
2a70b3f0 by Alexander Scheel at 2020-09-11T13:04:36-04:00
Enforce JDK 8 source and bytecode everywhere

This will ensure that, as F33 and later releases happen, we'll continue
developing code compatible with RHEL 8 and F32.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d367fd75 by Alexander Scheel at 2020-09-11T13:04:36-04:00
Keep JAVA_HOME in tomcat.conf

Despite the name tomcat.conf, this is also the main configuration file
loaded by instances. Instances (especially pkispawn) expect config to be
only the Tomcat configuration, despite loading configuration from the
environment as well. Eventually, we should migrate all of this to use
the global configuration rather than the per-instance configuration.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c200594f by Endi S. Dewata at 2020-09-11T12:16:30-05:00
Move Configurator.setupReplication() to SubsystemDBInitCLI

- - - - -
4abfdc77 by Endi S. Dewata at 2020-09-11T12:16:30-05:00
Clean up log messages in LDAPConfigurator

- - - - -
137815a5 by Endi S. Dewata at 2020-09-11T12:16:30-05:00
Remove unused SystemConfigResource.setupClone()

- - - - -
1da816ca by Endi S. Dewata at 2020-09-11T12:16:30-05:00
Remove unused CloneSetupRequest

- - - - -
206df0a6 by Dinesh Prasanth M K at 2020-09-11T17:35:52-07:00
Add CONTRIBUTING doc

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
7c2f595d by 06shalini at 2020-09-14T19:55:46+05:30
Merging tier1 functional tests jobs to master (#553)

* Updated pytest-ansible to latest package and added utils from pki integration-test module.

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

* Sync downstream test code with upstream for all tier1 jobs

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

* Test checkin to run pipeline

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

* Fixed external-ca and ldaps test jobs

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>

- - - - -
3bccc93e by Endi S. Dewata at 2020-09-14T11:15:13-05:00
Refactor LDAPConfigStore

The LDAPConfigStore has been modified to use an LDAPConnection
instead of an ILdapConnFactory.

- - - - -
83931e93 by Endi S. Dewata at 2020-09-14T11:15:13-05:00
Move CAConfigurator.importProfiles() into CAProfileImportCLI

- - - - -
f1b8e6b8 by Endi S. Dewata at 2020-09-14T11:15:13-05:00
Add pki-server ca-profile-import

- - - - -
c14511a8 by Endi S. Dewata at 2020-09-14T11:15:13-05:00
Remove unused SystemConfigResource.setupDatabase()

- - - - -
fbccd2ad by Endi S. Dewata at 2020-09-14T11:15:13-05:00
Remove unused DatabaseSetupRequest

- - - - -
1623b441 by Endi S. Dewata at 2020-09-14T11:17:59-05:00
Clean up PKIDeployer.setup_cert()

- - - - -
3c23c840 by Endi S. Dewata at 2020-09-14T11:34:44-05:00
Refactor Configurator.createAdminCertificate() (part 1)

The code that imports the admin cert has been moved out of
Configurator.createAdminCertificate(). The code that uses
the CA to generate the admin certificate has been moved into
CAConfigurator.

- - - - -
26da2448 by Endi S. Dewata at 2020-09-14T11:50:51-05:00
Refactor Configurator.createAdminCertificate() (part 2)

The Configurator.createAdminCertificate() that uses the CA
to create the admin cert has been moved into CAConfigurator.

- - - - -
e87fa82a by Dinesh Prasanth M K at 2020-09-14T18:42:31-07:00
Fix syntax error in performance testing script

A missing parenthesis causes an error while trying to execute the
performance test.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
41ba09a5 by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Move UpdateCRL to pki-ca

- - - - -
186adaf5 by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Move Configurator.createPKCS7()

- - - - -
e7a997ec by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Refactor Configurator.loadCert()

The code that creates the cert and request records for
existing certs in Configurator.loadCert() has been moved
into CAConfigurator.

- - - - -
75c7a913 by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Refactor Configurator.configCert()

The Configurator.configCert() has been renamed to generateCert()
and modified to store the cert data in the Cert object instead
of returning an X509CertImpl object.

- - - - -
c75022b4 by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Remove unused Cert.mDN

- - - - -
a470a898 by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Refactor Configurator.configRemoteCert()

The Configurator.configRemoteCert() has been modified to
take a binary instead of Base64-encoded request data.

- - - - -
795008bd by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Move CertUtils.buildSANSSLserverURLExtension() to Configurator

- - - - -
99e20c8a by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Add Configurator.generateLocalCert()

- - - - -
d46659ba by Endi S. Dewata at 2020-09-14T21:24:10-05:00
Add Configurator.generateRemoteCert()

- - - - -
b2e62dc4 by Endi S. Dewata at 2020-09-14T21:33:44-05:00
Refactor Configurator.generateCertAndRequest()

The Configurator.generateCertAndRequest() has been replaced
with direct calls to generateCertRequest() and generateCert().

- - - - -
5f061a2d by Endi S. Dewata at 2020-09-14T21:33:44-05:00
Refactor Configurator.generateCert()

The code that generates the certs for CA and the
SSL server cert for CA clone has been moved into
CAConfigurator.generateCert().

- - - - -
83f4259e by Endi S. Dewata at 2020-09-14T21:33:44-05:00
Move Configurator.generateLocalCert()

- - - - -
43df3931 by Endi S. Dewata at 2020-09-14T21:33:44-05:00
Move Configurator.createRequest()

- - - - -
40bd8274 by Endi S. Dewata at 2020-09-14T21:34:21-05:00
Update log messages in CertificateAuthority

- - - - -
02c0a0c2 by Endi S. Dewata at 2020-09-14T21:34:24-05:00
Update log messages in CAEngine

- - - - -
127a233d by Dinesh Prasanth M K at 2020-09-15T16:15:42-07:00
Update README.md with instructions

Our README.md currently has very low-level technical info
which might not serve its use for a beginner. The README
should act as a good cover page for the project to attract
more contributors and users and provide minimal yet useful
information for new users.

This patch updates the existing README.md file with such
minimal, yet useful information.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
a85d998c by Endi S. Dewata at 2020-09-16T13:27:28-05:00
Updated ACME docs

- - - - -
f35d270b by Alexander Scheel at 2020-09-17T11:01:51-04:00
Add dependencies in Java11-specific libraries

This ensures lib/ gets created prior to any Java11-specific symlinks.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
54de035b by Alexander Scheel at 2020-09-17T11:01:51-04:00
Make PKI_JAVA_PATH respect PKI_JAVA_PATH

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
8c6af8d9 by Alexander Scheel at 2020-09-17T11:01:51-04:00
Fix %{java_version} -> ${java_version}

Because java_version isn't an RPM spec file attribute (and is instead an
inline shell variable), we have to use $ instead of % to reference it.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
6f0da7ca by Alexander Scheel at 2020-09-17T12:06:55-04:00
Add Fedora 33 image, switch to r.fp.o

registry.fedoraproject.org (r.fp.o) has more up-to-date Fedora images
than Dockerhub does. This is because Dockerhub is external infra with
a review process, whereas registry.fedoraproject.org is directly
controlled by the Fedora Project, so images can be pushed directly.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
782f9df4 by Alexander Scheel at 2020-09-17T12:06:55-04:00
Fix variable names for flake8 on python3.9

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
fca78037 by Alexander Scheel at 2020-09-17T12:06:55-04:00
Disable W0707 warning due to output

Consider explicitly re-raising using the 'from' keyword

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
91fb4a88 by Alexander Scheel at 2020-09-17T15:31:42-04:00
Migrate from commons-lang2 -> commons-lang3

Note that this is blocked on lang3 >= 3.10 landing in Fedora 31.

Credits: Fabio "decathorpe" Valentini

Related: https://pagure.io/dogtagpki/issue/3205

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
64c17e27 by Alexander Scheel at 2020-09-17T15:31:42-04:00
Work with older Apache Commons Lang3

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d9491b46 by Endi S. Dewata at 2020-09-17T18:15:49-05:00
Add package.json for NPM

The package.json has been added in order to import files
distributed via NPM (e.g. PatternFly, jQuery).

- - - - -
b9a832a2 by Endi S. Dewata at 2020-09-17T18:15:49-05:00
Add PatternFly 4.35.2 for ACME

Some PatternFly files have been imported for ACME.
A tool has been added to simplify updating the files
in the future.

- - - - -
960cf8a0 by Endi S. Dewata at 2020-09-17T18:15:49-05:00
Add jQuery 3.5.1 for ACME

A minimized jQuery file has been imported for ACME.
A tool has been provided to simplify updating the file
in the future.

- - - - -
88c7a1ab by Endi S. Dewata at 2020-09-17T18:15:49-05:00
Add ACME front page

A new index.jsp has been added for ACME webapp. The web.xml
has been modified to map only ACME URLs to ACME application.

- - - - -
a0bd61a2 by Endi S. Dewata at 2020-09-17T18:26:02-05:00
Fix NPE in TPSProcessor.mapCredFromMsgResponse()

The TPSAuthenticator has been modified to no longer store a
reference to the authentication manager during initialization.
Instead, it will get the authentication manager directly from
the AuthSubsystem when requested in getAuthManager().

The TPSProcessor.checkAndAuthenticateUser() has also been
modified to chain the original exception to provide the complete
stack trace.

- - - - -
4c3ddb0c by Endi S. Dewata at 2020-09-21T09:47:21-05:00
Remove unused Profile.mOwner

- - - - -
d3802641 by Endi S. Dewata at 2020-09-21T09:51:09-05:00
Rename IProfileAuthenticator to ProfileAuthenticator

- - - - -
2ed60233 by Endi S. Dewata at 2020-09-21T09:51:10-05:00
Rename IAuthManager to AuthManager

- - - - -
c7fa6617 by Endi S. Dewata at 2020-09-21T09:51:10-05:00
Rename ICertUserLocator to CertUserLocator

- - - - -
0bcca28a by Endi S. Dewata at 2020-09-21T09:51:11-05:00
Move CertUserLocator to pki-server

- - - - -
8ef461d0 by Endi S. Dewata at 2020-09-21T09:51:13-05:00
Move CMCSharedTokenSubjectNameConstraint to pki-ca

- - - - -
6db61a9b by Endi S. Dewata at 2020-09-21T10:46:01-05:00
Merge ILdapConnInfo into LdapConnInfo

- - - - -
679c0990 by Endi S. Dewata at 2020-09-21T10:46:01-05:00
Merge ILdapAuthInfo into LdapAuthInfo

- - - - -
fe9fff13 by Endi S. Dewata at 2020-09-21T10:46:01-05:00
Clean up LdapConnInfo

- - - - -
c0309750 by Endi S. Dewata at 2020-09-21T10:46:01-05:00
Clean up LdapAuthInfo

- - - - -
5a5349c0 by Endi S. Dewata at 2020-09-21T10:46:01-05:00
Remove unused ISubsystem from Profile.init()

- - - - -
78671846 by Endi S. Dewata at 2020-09-21T10:46:01-05:00
Move BaseSubsystem into pki-server

- - - - -
1eba66ed by Dinesh Prasanth M K at 2020-09-21T10:46:48-07:00
Enable COPR_REPO to fix QE tests in CI

Note the use of delimiter ~ instead of / since the copr
name consists of / and @ characters.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
c8470c3d by Endi S. Dewata at 2020-09-21T14:13:28-05:00
Add LDAPConnectionConfig getters

- - - - -
e1785072 by Endi S. Dewata at 2020-09-21T14:13:28-05:00
Add PKISocketConfig

- - - - -
083c1814 by Endi S. Dewata at 2020-09-21T14:13:28-05:00
Clean up NPM tools

- - - - -
495e768f by Endi S. Dewata at 2020-09-21T14:13:28-05:00
Clean up Client.createProxy()

- - - - -
14caa1fe by Endi S. Dewata at 2020-09-21T14:13:28-05:00
Add Client.get() and post()

- - - - -
aefb34f8 by Endi S. Dewata at 2020-09-21T16:40:29-05:00
Replace PKIConnection.resteasyClient with client

- - - - -
f8747a8a by Endi S. Dewata at 2020-09-21T16:41:20-05:00
Add PKIConnection.target()

- - - - -
43d111d4 by Endi S. Dewata at 2020-09-21T16:41:27-05:00
Add PKIClient.setOutput()

- - - - -
1de3e235 by Endi S. Dewata at 2020-09-21T16:48:47-05:00
Merge PKIConnection.get() and post() to PKIClient

- - - - -
807f0568 by Endi S. Dewata at 2020-09-21T17:30:50-05:00
Merge PKIConnection.createProxy() into PKIClient

- - - - -
1354de3d by Endi S. Dewata at 2020-09-21T17:31:33-05:00
Rename AccountInfo to Account

- - - - -
9fd77d22 by Endi S. Dewata at 2020-09-21T18:53:20-05:00
Add JSON parser for Account class

- - - - -
cd878aba by Endi S. Dewata at 2020-09-21T19:20:38-05:00
Merge PKIConnection.getEntity() into PKIClient

- - - - -
00d2015f by Endi S. Dewata at 2020-09-21T21:36:47-05:00
Add response type to PKIClient.get() and post()

- - - - -
85a88309 by Endi S. Dewata at 2020-09-21T21:36:47-05:00
Add response type to Client.get() and post()

- - - - -
f7515402 by Endi S. Dewata at 2020-09-21T21:39:50-05:00
Update AccountClient

The AccountClient has been modified to use get() instead
of AccountResource.

- - - - -
f5864246 by Endi S. Dewata at 2020-09-21T21:40:08-05:00
Merge AccountResource into AccountService

- - - - -
e680746a by Endi S. Dewata at 2020-09-22T08:51:08-05:00
Clean up JSON mapping in ResourceMessage

- - - - -
8b5eb770 by Endi S. Dewata at 2020-09-22T08:51:09-05:00
Move ACME.randomAlphanumeric() into ACMEEngine

- - - - -
2797b6bf by Endi S. Dewata at 2020-09-22T09:11:46-05:00
Add ACMEEngine.setEnabled()

- - - - -
29b191e6 by Endi S. Dewata at 2020-09-22T18:24:32-05:00
Fix typos in ACME docs

- - - - -
e37ac813 by Alexander Scheel at 2020-09-23T05:46:19-04:00
Remove SSL configuration; rely on crypto-policies

When TLSv1.3 support landed in Fedora and RHEL, crypto-policies enabled
it everywhere including in FIPS mode. However, because we bounded the
range above by TLSv1.2, we wouldn't negotiate TLSv1.3 when communicating
with CA instances. crypto-policies should be the single source of truth
for these values, and we shouldn't limit ourselves artificially.
Instead, users should change crypto-policies to the correct policy for
their needs.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
8400f54a by Alexander Scheel at 2020-09-23T05:46:19-04:00
Align server.xml with crypto-policies

We shouldn't set custom ciphers in server.xml as they'll override the
default NSS values. These values already align with crypto-policies, and
these legacy configuration options result in global values which apply
to all parts (client and server) of the PKI configuration. Instead,
server-specific values should be chosen by using standard Tomcat
parameters:

https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support

These are:

 protocols="<values>"
 ciphers="<values>"

See the Tomcat documentation for more information.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b21ac386 by Alexander Scheel at 2020-09-23T05:46:19-04:00
Remove unused SSLVersionRange code

This code shouldn't be used as it affects global NSS configuration; we
should leave these at the default values and only change individual
SSL-backed PRFileDesc instances instead.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3dec5afa by Alexander Scheel at 2020-09-23T05:46:19-04:00
Enable PHA in legacy SSLSocket

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
0615fb89 by Alexander Scheel at 2020-09-23T05:46:19-04:00
Add migration script to remove legacy config

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
71d70af8 by Alexander Scheel at 2020-09-23T05:46:19-04:00
Bump JSS to reflect PHA dependency

This commit never made it to the v10.9 branch, but it has the same
dependency. SSLSocket.enablePostHandshakeAuthDefault was added in JSS
v4.7.3, hence the JSS version bump.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
9bd1c6a0 by Endi S. Dewata at 2020-09-23T08:36:47-05:00
Fix PKI_JAVA_PATH

- - - - -
4a456082 by Endi S. Dewata at 2020-09-23T08:46:17-05:00
Remove duplicate ldapjdk.jar in ACME

- - - - -
96fd9e00 by Endi S. Dewata at 2020-09-23T08:57:18-05:00
Rename LDAPDatabase.basedn to baseDN

- - - - -
b578706d by Endi S. Dewata at 2020-09-23T18:27:02-05:00
Update links to project website

- - - - -
9fc36ca5 by Endi S. Dewata at 2020-09-24T12:52:32-05:00
Move ACME common classes to pki-certsrv

The ACME common classes have been moved into pki-certsrv
package since they will be needed by ACME clients.

- - - - -
9ec48ef9 by Endi S. Dewata at 2020-09-25T11:55:37-05:00
Update reqId in CertUtils.updateLocalRequest()

- - - - -
12bae613 by Endi S. Dewata at 2020-09-25T11:55:38-05:00
Clean up preop.cert.<tag>.reqId

- - - - -
fe9e75a8 by Endi S. Dewata at 2020-09-25T11:55:39-05:00
Move CertUtils.updateLocalRequest() to CAConfigurator

- - - - -
180bee97 by Endi S. Dewata at 2020-09-25T11:55:41-05:00
Merge Configurator.handleCert() into processCert()

- - - - -
4a5029e4 by Endi S. Dewata at 2020-09-25T11:55:42-05:00
Merge Configurator.importCert() into processCert()

- - - - -
a10ec92f by Endi S. Dewata at 2020-09-25T11:55:43-05:00
Move TKSKnownSessionKey to pki-tks

- - - - -
78faaf36 by Endi S. Dewata at 2020-09-25T11:55:44-05:00
Clean up log messages in PluginRegistry

- - - - -
c1ef9ce3 by Endi S. Dewata at 2020-09-25T14:04:23-05:00
Remove unused CertUtil.findCertificate()

- - - - -
06eecf76 by Endi S. Dewata at 2020-09-25T14:24:12-05:00
Replace CMSEngine with CAEngine in pki-ca

- - - - -
0ce630d0 by Endi S. Dewata at 2020-09-25T14:24:13-05:00
Replace CMSEngine with KRAEngine in pki-kra

- - - - -
7e380ea9 by Endi S. Dewata at 2020-09-25T14:24:14-05:00
Replace CMSEngine with OCSPEngine in pki-ocsp

- - - - -
a4d29a9b by Endi S. Dewata at 2020-09-25T14:24:15-05:00
Replace CMSEngine with TKSEngine in pki-tks

- - - - -
4a3b2729 by Endi S. Dewata at 2020-09-25T14:24:15-05:00
Replace CMSEngine with TPSEngine in pki-tps

- - - - -
a34ac929 by Endi S. Dewata at 2020-09-25T15:18:41-05:00
Replace EngineConfig with TKSEngineConfig in pki-tks

- - - - -
989cbe64 by Endi S. Dewata at 2020-09-25T15:18:42-05:00
Add setter/getter for tps.list

- - - - -
b8bb2e9d by Endi S. Dewata at 2020-09-25T15:18:43-05:00
Add TPSConnectorConfig

- - - - -
040b5657 by Endi S. Dewata at 2020-09-25T15:18:44-05:00
Add setters/getters for TPSConnectorConfig

- - - - -
06107852 by Endi S. Dewata at 2020-09-28T14:48:36-05:00
Update NPM package files

- - - - -
ddb37345 by Endi S. Dewata at 2020-09-28T20:52:08-05:00
Clean up SAN parameters handling

- - - - -
d6677b13 by Endi S. Dewata at 2020-09-28T20:52:08-05:00
Remove UGSubsystem.getCertUserLocator()

- - - - -
e51a3f40 by Endi S. Dewata at 2020-09-28T20:52:08-05:00
Remove unused User.mBase

- - - - -
ea6c1fc1 by Endi S. Dewata at 2020-09-28T20:52:08-05:00
Remove unused Group.mBase

- - - - -
10dc5005 by Endi S. Dewata at 2020-09-28T20:52:08-05:00
Remove unused IUsrGrp

- - - - -
c0f09c5e by Endi S. Dewata at 2020-09-28T20:52:08-05:00
Remove unused IIdEvaluator

- - - - -
3176ae6c by Dinesh Prasanth M K at 2020-09-29T13:24:05-04:00
Fix brackets in revocation performance test

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
3bf42402 by Endi S. Dewata at 2020-09-29T14:29:15-05:00
Add AppService

The AppService has been added to provide a list of subsystems
deployed on the instance. The list is generated by checking each
subfolder under <instance>/conf to see if it has a corresponding
deployed web application. The /pki/ui page has been modified to
use the AppService to provide links to all subsystems on the
instance.

- - - - -
4e10ad78 by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add ACMEManagedService

The ACMEManagedService annotation has been added to apply the
ACMERequestFilter to certain services only rather than the
entire ACME responder.

- - - - -
df7c5b23 by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add ACMERealm

The ACMERealm has been added to define the users and groups
allowed to access certain services in the ACME responder.

- - - - -
1d46b9cd by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add LDAPRealm and DSRealm for ACME

The DSRealm (which extends LDAPRealm) has been added to
define the ACME realm using users and groups in DS.

- - - - -
8fea902e by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add pki-server acme-realm-show/mod commands

The pki-server acme-realm-show/mod commands have been
added to display and configure the ACME realm.

- - - - -
10e38701 by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add ACMELoginService and ACMELogoutService

The ACMELoginService and ACMELogoutService have been added
to authenticate into the ACME responder.

- - - - -
361d1227 by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add ACMEEnableService and ACMEDisableService

The ACMEEnableService and ACMEDisableService have been
added to enable/disable services in the ACME responder.

- - - - -
69eaf22b by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add pki acme-info command

The pki acme-info command has been added to show
some information about the ACME responder.

- - - - -
65a3ea23 by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Add pki acme-enable/disable commands

The pki acme-enable/disable commands have been added to
enable/disable services in the ACME responder.

- - - - -
3b5a26e6 by Endi S. Dewata at 2020-09-29T15:39:34-05:00
Update ACME docs

- - - - -
c863e587 by Endi S. Dewata at 2020-09-29T17:21:31-05:00
Move base/common/src to base/common/src/main/java

- - - - -
64caba59 by Endi S. Dewata at 2020-09-29T18:18:34-05:00
Move base/common/functional/src to base/common/src/test/java

- - - - -
1caad924 by Endi S. Dewata at 2020-09-29T19:01:49-05:00
Add UGSubsystemConfig

- - - - -
0acf647c by Endi S. Dewata at 2020-09-29T19:01:50-05:00
Clean up UGSubsystem.init()

- - - - -
823c8405 by Endi S. Dewata at 2020-09-29T19:01:51-05:00
Remove unused UGSubsystem.mId

- - - - -
8fe1284e by Endi S. Dewata at 2020-09-29T19:01:52-05:00
Remove unused UGSubsystem.getDescription()

- - - - -
c69f970c by Endi S. Dewata at 2020-09-29T19:01:53-05:00
Clean up log messages in UGSubsystem

- - - - -
3d41b645 by Alexander Scheel at 2020-09-30T09:19:15-04:00
Remove net-tools as dependency

As far as I can tell, this package isn't required by the new
pkispawn installer. As people are asking for it to be removed from
Fedora ELN, we should drop our dependency on it.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
4df4769e by Endi S. Dewata at 2020-09-30T10:56:27-05:00
Replace CMSEngine.getEEHost() with EngineConfig.getHostname()

- - - - -
b9567d0b by Endi S. Dewata at 2020-09-30T10:56:29-05:00
Replace CMSEngine.getEESSLHost() with EngineConfig.getHostname()

- - - - -
e2a49f66 by Endi S. Dewata at 2020-09-30T10:56:31-05:00
Replace CMSEngine.getEENonSSLHost() with EngineConfig.getHostname()

- - - - -
4e8443b8 by Endi S. Dewata at 2020-09-30T10:56:33-05:00
Replace CMSEngine.getAgentHost() with EngineConfig.getHostname()

- - - - -
ee755d9f by Endi S. Dewata at 2020-09-30T10:56:34-05:00
Remove unused CMSEngine.getAdminHost()

- - - - -
78ffb9c9 by Endi S. Dewata at 2020-09-30T10:56:35-05:00
Remove unused CMSEngine.hostname

- - - - -
a7ea9abf by jmagne at 2020-09-30T10:36:40-07:00
Resolve: Bug 1710978 - TPS - Add logging to tdbAddCertificatesForCUID if adding or searching for cert record fails (#560)

Submitted by RHCS-maint.

This fix provides better logging when the update to the token db suffers a partial or complete failure.

Due to the unlikeliness of this happening in practice, this fix provides a simple config based way to simulate
the issue, such that the log activity can be easily observed just as if it had happened during an actual failure.

Set the following in the TPS's CS.cfg:

op.enroll.testAddCertsToDBFailure=true

The setting is false by default.

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
- - - - -
49d9d4ad by jmagne at 2020-09-30T10:39:36-07:00
Resolve: Bug 1858860 - TPS - Update Error Codes returned to client (CIW/ESC) to Match CS8. (#565)

This is simply the addition of one very simple patch to the pin reset procedure that provides
the proper error code back to the client in 2 very unlikely error scenarios.

RHCS-maint.
- - - - -
40d6412d by Endi S. Dewata at 2020-09-30T14:17:15-05:00
Move base/native-tools to base/tools

The base/native-tools folder has been renamed to base/tools.
The files in pki-tools package will be unchanged except that
the /usr/share/pki/native-tools/setpin.conf will now be in
/usr/share/pki/tools.

https://bugzilla.redhat.com/show_bug.cgi?id=1883996

- - - - -
782fc369 by Endi S. Dewata at 2020-09-30T15:43:46-05:00
Move base/acme/sbin to base/acme/bin

- - - - -
ddc2e6ba by Endi S. Dewata at 2020-09-30T15:43:46-05:00
Clean up pki.spec

- - - - -
97e415f0 by Endi S. Dewata at 2020-10-01T13:34:43-05:00
Clean up Instance.wait_for_startup()

- - - - -
e8df0e76 by Endi S. Dewata at 2020-10-01T13:34:43-05:00
Add PasswordStoreConfig

- - - - -
e93543cd by Endi S. Dewata at 2020-10-01T13:34:43-05:00
Add JssSubsystemConfig

- - - - -
d0e8b1af by Endi S. Dewata at 2020-10-01T13:34:43-05:00
Add JssSubsystemConfig.isEnabled()

- - - - -
a8499e4a by Endi S. Dewata at 2020-10-01T13:34:43-05:00
Add JssSubsystemConfig.getNSSDatabaseDir()

- - - - -
87ba1bf7 by Endi S. Dewata at 2020-10-01T13:34:43-05:00
Add JssSubsystemConfig.getObscureMethod()

- - - - -
e702a174 by Endi S. Dewata at 2020-10-01T13:34:43-05:00
Add JssSubsystemConfig.getCloseNSSDatabase()

- - - - -
e78e357c by Endi S. Dewata at 2020-10-01T13:47:37-05:00
Add RandomConfig

- - - - -
5433cc92 by Endi S. Dewata at 2020-10-01T13:47:39-05:00
Add SSLConfig

- - - - -
e6076319 by Endi S. Dewata at 2020-10-01T13:47:40-05:00
Add SSLConfig.getCipherPreferences()

- - - - -
2cc2d232 by Endi S. Dewata at 2020-10-01T13:47:42-05:00
Add SSLConfig.getECType()

- - - - -
2d89b873 by Endi S. Dewata at 2020-10-01T13:47:44-05:00
Clean up CAConfigurator.createLocalAdminCert()

The CAConfigurator.createLocalAdminCert() has been modified
to return the newly created certificate object so it's not
necessary to retrieve the certificate from the repository.

- - - - -
df755783 by Endi S. Dewata at 2020-10-01T13:47:45-05:00
Remove unused preop.admincert properties

- - - - -
67625856 by Endi S. Dewata at 2020-10-01T15:07:40-05:00
Move base/tools/src to base/tools/src/main/native

The native tools sources have been moved from base/tools/src
to base/tools/src/main/native to separate it from Java tools
sources.

https://bugzilla.redhat.com/show_bug.cgi?id=1883996

- - - - -
e4f73cef by Endi S. Dewata at 2020-10-01T15:54:21-05:00
Fix Java source paths

- - - - -
5e80fc0f by Alexander Scheel at 2020-10-05T12:47:40-04:00
Update links to bug trackers to point to GitHub

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
389d34a5 by Endi S. Dewata at 2020-10-05T12:28:14-05:00
Merge base/java-tools into base/tools

The Java tools sources have been moved from base/java-tools
to base/tools.

https://bugzilla.redhat.com/show_bug.cgi?id=1883996

- - - - -
8b9242ca by Alexander Scheel at 2020-10-05T14:40:08-04:00
Limit requiredSecret character set

This adds new parameters `charset` and `length` to
`generate_password(...)`, letting us limit the character set when
required without modifying PUNCTUATION, while also extending the
length of the generated password when required.

Resolves: #3342

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
29f8189b by Endi S. Dewata at 2020-10-05T15:02:43-05:00
Move IEnrollmentPolicy to pki-server

- - - - -
26d86e9e by Endi S. Dewata at 2020-10-05T15:02:43-05:00
Move IKeyArchivalPolicy to pki-server

- - - - -
9b972734 by Endi S. Dewata at 2020-10-05T15:02:43-05:00
Move IKeyRecoveryPolicy to pki-server

- - - - -
64581338 by Endi S. Dewata at 2020-10-05T15:02:43-05:00
Move IRenewalPolicy to pki-server

- - - - -
6d9cdc62 by Endi S. Dewata at 2020-10-05T15:02:43-05:00
Move IRevocationPolicy to pki-server

- - - - -
81e967d7 by Endi S. Dewata at 2020-10-05T15:02:43-05:00
Move IPolicySet to pki-server

- - - - -
faed9e6c by Endi S. Dewata at 2020-10-05T15:04:17-05:00
Merge ICertificateRepository to CertificateRepository

- - - - -
c74a8763 by Endi S. Dewata at 2020-10-05T16:39:08-05:00
Clean up Configurator.updateNextRanges()

- - - - -
0ac70565 by Endi S. Dewata at 2020-10-05T17:48:39-05:00
Clean up TPSInstaller.configureCAConnector()

The unused cainfo.select has been removed.

- - - - -
8a7dff2c by Endi S. Dewata at 2020-10-05T17:48:49-05:00
Clean up TPSInstaller.configureTKSConnector()

The unused tksinfo.select has been removed.

- - - - -
1780884e by Endi S. Dewata at 2020-10-05T17:49:09-05:00
Clean up TPSInstaller.configureKRAConnector()

The unused krainfo.select has been removed.

- - - - -
faf0f928 by Endi S. Dewata at 2020-10-05T18:29:39-05:00
Remove unused subsystem.count

- - - - -
c5edf12e by Endi S. Dewata at 2020-10-05T19:33:41-05:00
Clean up Configurator.loadKeyPair()

The Configurator.loadKeyPair() has been modified to take
an existing X509Certificate object.

- - - - -
ec049163 by Endi S. Dewata at 2020-10-05T19:36:00-05:00
Clean up Configurator.createECCKeyPair()

The Configurator.createECCKeyPair() has been modified to
use the default curve name if not provided.

- - - - -
b687119d by Endi S. Dewata at 2020-10-05T19:36:42-05:00
Clean up Configurator.createRSAKeyPair()

The Configurator.createRSAKeyPair() has been modified to
use the default key size if not provided.

- - - - -
e711488a by Endi S. Dewata at 2020-10-05T19:37:45-05:00
Replace Configurator.processKeyPair()

The Configurator.processKeyPair() has been replaced with a
direct call to loadKeyPair() or createKeyPair() depending
on the availability of the certificate.

- - - - -
c54f1113 by 06shalini at 2020-10-06T12:06:55+05:30
Fixed nightly pipeline run by fixing stable package versions (#3344)

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>
- - - - -
bd2a7654 by Endi S. Dewata at 2020-10-06T08:48:51-05:00
Remove redundant Cert.mSubsystem

- - - - -
1147bc6e by Endi S. Dewata at 2020-10-06T08:48:52-05:00
Refactor Configurator.generateCertRequest()

The Configurator.generateCertRequest() has been converted
into createCertRequest() which returns the certificate request
data.

- - - - -
8b31aa71 by Endi S. Dewata at 2020-10-06T08:48:53-05:00
Refactor Configurator.configRemoteCert()

The Configurator.configRemoteCert() has been converted into
createRemoteCert() that takes a list of DNS names for SAN
extension.

- - - - -
a426b800 by Endi S. Dewata at 2020-10-06T08:48:54-05:00
Replace Configurator.generateRemoteCert()

The Configurator.generateRemoteCert() has been replaced with
a direct call to createRemoteCert().

- - - - -
2f00efb6 by Endi S. Dewata at 2020-10-06T08:48:55-05:00
Refactor CAConfigurator.generateLocalCert()

The CAConfigurator.generateLocalCert() has been converted
into createLocalCert() that returns an X509CertImpl object.

- - - - -
2ed9adb5 by Endi S. Dewata at 2020-10-06T08:48:56-05:00
Refactor Configurator.generateCert()

The Configurator.generateCert() has been converted into
createCert() that returns an X509CertImpl object.

- - - - -
74f4897e by Endi S. Dewata at 2020-10-06T08:48:58-05:00
Remove unused Cert.mType

- - - - -
78d8f115 by Endi S. Dewata at 2020-10-06T08:48:59-05:00
Refactor Configurator.loadCert()

The code that loads the cert and request data from CS.cfg
has been moved out of Configurator.loadCert().

- - - - -
2b165d8e by Endi S. Dewata at 2020-10-06T08:49:00-05:00
Refactor Configurator.processCert()

The Configurator.processCert() has been modified to take
an X509Certificate object.

- - - - -
838b1f5e by Endi S. Dewata at 2020-10-06T08:58:43-05:00
Refactor CAConfigurator.updateLocalRequest()

The CAConfigurator.updateLocalRequest() has been modified to
take an IRequest object instead of a RequestId object such
that it doesn't need to search for the request object in the
request queue.

- - - - -
5fb0b660 by Endi S. Dewata at 2020-10-06T08:58:43-05:00
Replace CertUtils.createLocalCert()

The CertUtils.createLocalCert() has been replaced with
a direct call to createCertRecord().

- - - - -
e22143e2 by Endi S. Dewata at 2020-10-06T08:58:44-05:00
Clean up CAConfigurator.updateLocalRequest()

- - - - -
090c2a66 by Endi S. Dewata at 2020-10-06T08:58:45-05:00
Refactored CertUtils.createLocalRequest()

The CertUtils.createLocalRequest() has been converted
into initLocalRequest() that takes an IRequest object.

- - - - -
2ec60d4a by Endi S. Dewata at 2020-10-06T08:58:46-05:00
Replace CAConfigurator.createRequest()

The CAConfigurator.createRequest() has been replaced
with direct calls to IRequestQueue.newRequest() and
CertUtils.initLocalRequest().

- - - - -
51a2d078 by Dinesh Prasanth M K at 2020-10-07T11:33:01-04:00
GH issues migration cleanup 1

This patch cleans up code that refers to pagure tickets,
to point to the new GH issue.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
8e16088f by Dinesh Prasanth M K at 2020-10-07T13:24:52-04:00
Update pkispawn man page with instructions to dscreate

This patch updates pkispawn's man page with instructions
to install a DS instance using dscreate.

Partly resolves: bz#1656772

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
15e78c27 by Dinesh Prasanth M K at 2020-10-07T13:24:52-04:00
Fix angle brackets in pkispawn man page

This patch:
- Fixes issue with angle brackets in pkispawn man page
- Removes obsolete DS specific information from pkispawn man page

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
67ac57cd by Endi S. Dewata at 2020-10-07T14:10:42-05:00
Refactor Configurator.processCert()

The Configurator.processCert() has been modified to
take a Cert object that contains the cert info.

- - - - -
2a95560b by Endi S. Dewata at 2020-10-07T14:10:42-05:00
Add PKIDeployer.finalize_subsystem()

The code that finalizes the configuration parameters in
Configurator.finalizeConfiguration() has been moved into
PKIDeployer.finalize_subsystem().

- - - - -
b991a225 by Endi S. Dewata at 2020-10-07T14:10:42-05:00
Remove unused FinalizeConfigRequest.importSharedSecret

- - - - -
c279c652 by Endi S. Dewata at 2020-10-07T14:10:42-05:00
Remove TPSConfigurator.getSharedSecret()

The code that configures conn.tks1.tksSharedSymKeyName
in TPSConfigurator.getSharedSecret() has been moved into
PKIDeployer.import_shared_secret().

- - - - -
53e305c1 by Christina Fu at 2020-10-08T09:20:33-07:00
Bug1875563-add profile caAuditSigningCert

This patch will revert the previously added IPA specific KRA storage
and transport cert profiles, as it turned out that they just need
generic KRA storage and transport cert profiles, which could be
fulfilled by using the following two existing profiles
  caStorageCert.cfg
  caTransportCert.cfg
In addition, a caAuditSigningCert profile is added, although I found
a misleading profile named caSignedLogCert.cfg that was intended for
that use.  I disabled caSignedLogCert.cfg instead.

I also removed the SHA1 algorithms from all the *storage* and *audit*
profiles while I'm at it.

The upgrade scripts only add the new profile caAuditSigningCert.  It
does not modify existing profiles or remove those two IPA specific
ones.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1875563

- - - - -
ec176564 by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Merge IPublisherProcessor into PublisherProcessor

- - - - -
3e923404 by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Remove unused CMSEngine.upgradeConfig()

- - - - -
293c5e8a by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Remove unused Upgrade class

- - - - -
4fba2d34 by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move GetCRL to pki-ca

- - - - -
9fdad1cb by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move DisplayCRL to pki-ca

- - - - -
9d5c4850 by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move GetInfo to pki-ca

- - - - -
eb9b36e5 by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move UpdateDir to pki-ca

- - - - -
23f7f9bd by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move CrlCachePrettyPrint to pki-ca

- - - - -
5fc92a21 by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move CMSAuthorityKeyIdentifierExtension to pki-ca

- - - - -
7366502e by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move CMSCRLNumberExtension to pki-ca

- - - - -
a38d11e5 by Endi S. Dewata at 2020-10-08T11:42:30-05:00
Move CMSDeltaCRLIndicatorExtension to pki-ca

- - - - -
10bad6ab by Endi S. Dewata at 2020-10-08T11:44:32-05:00
Rename pki-server <subsystem>-range-update to <subsystem>-range-request

- - - - -
ac717455 by Endi S. Dewata at 2020-10-08T11:46:23-05:00
Add SubsystemRangeUpdateCLI

The code that updates ranges in Configurator.updateNextRanges()
has been copied into SubsystemRangeUpdateCLI.

- - - - -
a6da401c by Endi S. Dewata at 2020-10-08T11:47:10-05:00
Add pki-server <subsystem>-range-update

The pki-server <subsystem>-range-update has been added to
call SubsystemRangeUpdateCLI from command line.

- - - - -
2c24f572 by Endi S. Dewata at 2020-10-08T11:47:32-05:00
Add CACertRemoveCLI

The code that removes the CA signing cert record in
Configurator.deleteSigningRecord() has been copied
into CACertRemoveCLI.

- - - - -
e72efb3a by Endi S. Dewata at 2020-10-08T11:47:32-05:00
Add pki-server ca-cert-del

The pki-server ca-cert-del has been added to call
CACertRemoveCLI from command line.

- - - - -
f5e68806 by Endi S. Dewata at 2020-10-08T14:14:57-05:00
Add LDAPConfigMonitor

The LDAPConfigMonitor has been added for LDAPDatabase
to monitor ACME config properties stored in the database
using persistent search.

The ACMEEnableService and ACMEDisableService have been
modified to update the 'enabled' config property in the
database.

The ACMERequestFilter has been modified to use the `enabled`
config property from the database. However, if the property
is not set in the database, the filter will use the property
from the config file instead.

- - - - -
2ef15dc8 by Endi S. Dewata at 2020-10-08T18:13:03-05:00
Clean up CAConfigurator.finalizeConfiguration() (part 1)

The code that removes the CA signing cert record in
CAConfigurator.finalizeConfiguration() has been moved
into configuration.py.

- - - - -
d739fac2 by Endi S. Dewata at 2020-10-08T18:13:03-05:00
Clean up CAConfigurator.finalizeConfiguration() (part 2)

The code that enables the profile subsystem in
CAConfigurator.finalizeConfiguration() has been moved
into configuration.py.

- - - - -
ab091c5a by Endi S. Dewata at 2020-10-08T18:13:03-05:00
Clean up CAConfigurator.finalizeConfiguration() (part 3)

The code that configures ca.crl.MasterCRL.startingCrlNumber
in CAConfigurator.finalizeConfiguration() has been moved into
configuration.py.

- - - - -
3faa3866 by Endi S. Dewata at 2020-10-08T18:13:03-05:00
Clean up CAConfigurator.finalizeConfiguration() (part 4)

The code that disables CRL caching and generation in
CAConfigurator.finalizeConfiguration() has been moved
into configuration.py.

- - - - -
49c12096 by Endi S. Dewata at 2020-10-08T18:13:03-05:00
Clean up CAConfigurator.finalizeConfiguration() (part 5)

The code that configures security domain master in
CAConfigurator.finalizeConfiguration() has been moved
into configuration.py.

- - - - -
26c347a8 by Endi S. Dewata at 2020-10-08T18:13:03-05:00
Clean up CAConfigurator.finalizeConfiguration() (part 6)

The code that updates the range numbers in CAConfigurator and
KRAConfigurator.finalizeConfiguration() has been moved into
configuration.py.

- - - - -
a175d385 by Christina Fu at 2020-10-09T09:20:45-07:00
Bug1874595-(add missing patch for) TPS Server-side keygen support for id only tokens

This patch relates to Bug 1494591, where the fix was missing a patch.

It makes it so that as long as one keyType has serverKeyGen enabled then
all key types under the same tps profile are considered server-side
keygen.

Code submitted by RHCS-MAINT

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1874595

- - - - -
101c5b76 by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move ListCerts to pki-ca

- - - - -
bf2b7b40 by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move SrchCerts to pki-ca

- - - - -
32960d12 by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move Monitor to pki-ca

- - - - -
a1095bef by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move CRLRepository to pki-ca

- - - - -
80d49141 by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move UniqueSubjectName to pki-ca

- - - - -
74de65a9 by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move UniqueSubjectNameConstraints to pki-ca

- - - - -
3c5df519 by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move org.dogtagpki.legacy.server.policy.extensions to pki-ca

- - - - -
d7776c45 by Endi S. Dewata at 2020-10-09T11:34:39-05:00
Move org.dogtagpki.legacy.server.policy.constraints to pki-ca

- - - - -
f09342d5 by Endi S. Dewata at 2020-10-09T11:36:13-05:00
Remove ICertificateAuthority.getCRLRepository()

The ICertificateAuthority.getCRLRepository() has been replaced
with direct calls to CAEngine.getCRLRepository().

- - - - -
abeed422 by Endi S. Dewata at 2020-10-09T11:36:15-05:00
Merge ICRLRepository into CRLRepository

- - - - -
e6588ad4 by Endi S. Dewata at 2020-10-09T11:36:17-05:00
Remove ICertificateAuthority.getCRLIssuingPoints()

The ICertificateAuthority.getCRLIssuingPoints() has been
replaced with direct calls to CAEngine.getCRLIssuingPoints().

- - - - -
98d33c5b by Endi S. Dewata at 2020-10-09T11:36:18-05:00
Remove ICertificateAuthority.getCRLIssuingPoint()

The ICertificateAuthority.getCRLIssuingPoint() has been
replaced with direct calls to CAEngine.getCRLIssuingPoint().

- - - - -
cb3b51f1 by Endi S. Dewata at 2020-10-09T11:36:20-05:00
Replace ICertificateAuthority.getCertificateRepository()

Some of the ICertificateAuthority.getCertificateRepository()
invocations have been replaced with direct calls to
CAEngine.getCertificateRepository().

- - - - -
1ba298dc by Endi S. Dewata at 2020-10-09T12:34:14-05:00
Move AddCAServlet to pki-ocsp

- - - - -
47ab2a1e by Endi S. Dewata at 2020-10-09T12:34:16-05:00
Move AddCRLServlet to pki-ocsp

- - - - -
96a7c8a7 by Endi S. Dewata at 2020-10-09T12:34:17-05:00
Move CheckCertServlet to pki-ocsp

- - - - -
bdef9580 by Endi S. Dewata at 2020-10-09T12:34:18-05:00
Move ListCAServlet to pki-ocsp

- - - - -
329468b6 by Endi S. Dewata at 2020-10-09T12:34:19-05:00
Move RemoveCAServlet to pki-ocsp

- - - - -
c834e372 by Endi S. Dewata at 2020-10-09T12:34:20-05:00
Move com.netscape.certsrv.logging.event to pki-server

- - - - -
020ccefb by Endi S. Dewata at 2020-10-09T12:34:22-05:00
Move org.dogtagpki.legacy.policy to pki-server

- - - - -
9db1146a by Endi S. Dewata at 2020-10-09T12:34:23-05:00
Move IConnector to pki-server

- - - - -
f99b426d by Endi S. Dewata at 2020-10-09T12:34:25-05:00
Move IService to pki-server

- - - - -
410e1c60 by Endi S. Dewata at 2020-10-09T12:34:26-05:00
Move request interfaces to pki-server

- - - - -
50333404 by Endi S. Dewata at 2020-10-09T13:06:55-05:00
Move GeneralNamesAsConstraintsConfig to a new file

- - - - -
47a1d84b by Endi S. Dewata at 2020-10-09T13:06:57-05:00
Move GeneralNamesConfig to a new file

- - - - -
6f1ea9ef by Endi S. Dewata at 2020-10-09T13:06:58-05:00
Move GeneralNameConfig to a new file

- - - - -
872ab4f8 by Endi S. Dewata at 2020-10-09T13:07:00-05:00
Move GeneralNameAsConstraintsConfig to a new file

- - - - -
413d70cc by Endi S. Dewata at 2020-10-09T13:07:02-05:00
Move SubjAltNameGN to a new file

- - - - -
f9c4bb93 by Endi S. Dewata at 2020-10-09T13:07:03-05:00
Move PolicyInstance to a new file

- - - - -
752cf648 by Endi S. Dewata at 2020-10-09T13:07:05-05:00
Move RegisteredPolicy to a new file

- - - - -
7963fdfe by Endi S. Dewata at 2020-10-09T13:07:07-05:00
Move PredicateTokenizer to a new file

- - - - -
bd646873 by Endi S. Dewata at 2020-10-09T13:07:09-05:00
Move ExpressionComps to a new file

- - - - -
9332e4f6 by Endi S. Dewata at 2020-10-09T13:07:10-05:00
Rename ICRLPublisher to CRLPublisher

- - - - -
e6e2a1e4 by Endi S. Dewata at 2020-10-13T11:15:32-05:00
Remove CryptoUtil.sortCertificateChain()

The CryptoUtil.sortCertificateChain() has been replaced with
Cert.sortCertificateChain().

- - - - -
aa480286 by Endi S. Dewata at 2020-10-13T11:15:37-05:00
Merge ICertUserDBAuthentication into CertUserDBAuthentication

- - - - -
e0d5d37a by Endi S. Dewata at 2020-10-13T11:15:42-05:00
Merge IGroup to Group

- - - - -
2df76f48 by Endi S. Dewata at 2020-10-13T11:15:43-05:00
Merge IGroupConstants into Group

- - - - -
c4042744 by Endi S. Dewata at 2020-10-13T11:15:46-05:00
Merge IUser into User

- - - - -
ad8bd463 by Endi S. Dewata at 2020-10-13T11:18:39-05:00
Merge IUserConstants into User

- - - - -
7ebf8d78 by Endi S. Dewata at 2020-10-13T16:06:40-05:00
Clean up LDAPDatabase

- - - - -
0619f5a1 by Endi S. Dewata at 2020-10-13T16:06:41-05:00
Clean up LDAPRealm

- - - - -
f589afad by Endi S. Dewata at 2020-10-13T16:06:42-05:00
Clean up LDAPConfigMonitor

- - - - -
304040d5 by Endi S. Dewata at 2020-10-13T16:06:43-05:00
Clean up create.ldif for DS realm

- - - - -
4f4e5a29 by dpuniaredhat at 2020-10-14T17:37:41+05:30
acme mvp test (#3352)

Adding automation to Deploy acme container on podman and openshift

1. Update existing acme test cases and add test cases
2. Adding test to deploy acme using podman with Persistent Database and run test cases
3. Adding acme deployment with nss_issuer
4. Adding test to deploy acme on openshift with Persistent Database

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
d765cd87 by dpuniaredhat at 2020-10-15T19:00:15+05:30
Bugzilla 1874595 automation (#3355)

TPS - Server side key generation is not working for Identity only tokens

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
cb3f19b8 by Endi S. Dewata at 2020-10-15T09:53:40-05:00
Add patternfly.min.css.map into ACME UI

- - - - -
8d96b89f by Endi S. Dewata at 2020-10-15T09:54:12-05:00
Clean up ACME UI

- - - - -
eb501630 by Endi S. Dewata at 2020-10-15T09:54:13-05:00
Add JSON encoder/decoder for User

- - - - -
8883e23d by Endi S. Dewata at 2020-10-15T09:54:14-05:00
Update LDAPRealm to generate PKIPrincipal

The LDAPRealm has been updated to generate a PKIPrincipal
instead of a GenericPrincipal such that it can store
the User object.

- - - - -
d9607c2b by Christina Fu at 2020-10-15T17:02:24-07:00
Bug1874600-TPS does not check token cuid on the user externalReg record during PIN reset

RHCS-MAINT contribution
This patch makes sure that if "tokenCUID" exists for the user reg record,
the pinReset operation would make sure that it matches with the current
token cuid;
If the "tokenCUID" does not exist in the user registration record
then any token can be used for pinReset;

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1874600

- - - - -
b9edb38d by Endi S. Dewata at 2020-10-19T13:16:48-05:00
Remove unused UGSubsystem.startup()

- - - - -
26e16da1 by Endi S. Dewata at 2020-10-19T13:16:56-05:00
Add hashCode() and equals() for DataCollection

- - - - -
aa6d7b08 by Endi S. Dewata at 2020-10-19T13:19:15-05:00
Add pki-server <subsystem>-group-find

The pki-server <subsystem>-group-find has been added to
list all groups directly from the database.

- - - - -
14244b72 by Endi S. Dewata at 2020-10-19T14:43:47-05:00
Add pki-server <subsystem>-group-member-find

The pki-server <subsystem>-group-member-find has been added
to list all members of a group directly from the database.

- - - - -
2c114ff2 by Endi S. Dewata at 2020-10-19T14:43:50-05:00
Add pki-server <subsystem>-group-member-add

The pki-server <subsystem>-group-member-add has been added
to add a member into a group directly into the database.

- - - - -
033d3200 by Endi S. Dewata at 2020-10-19T14:43:50-05:00
Move pkidbuser group configuration

The code that configures pkidbuser groups has been moved
into configuration.py.

- - - - -
2defedfd by Endi S. Dewata at 2020-10-19T15:28:00-05:00
Fix cert validation in LDAPRealm

The LDAPRealm has been modified to validate the cert data
in addition to the cert ID.

- - - - -
5f4ed745 by Endi S. Dewata at 2020-10-19T15:28:00-05:00
Add PostgreSQLRealm

The PostgreSQLRealm has been added to define the ACME realm
using users and groups in PostgreSQL database.

- - - - -
fbf94d38 by Endi S. Dewata at 2020-10-19T15:28:00-05:00
Update pki-server acme-realm

- - - - -
7f43a712 by Endi S. Dewata at 2020-10-19T15:28:00-05:00
Add docs for PostgreSQLRealm

- - - - -
f1ce33fb by Endi S. Dewata at 2020-10-19T16:03:34-05:00
Clean up realm doc

- - - - -
4d8520c7 by Endi S. Dewata at 2020-10-19T16:04:31-05:00
Refactor UGSubsystem.addCertSubjectDN()

The UGSubsystem.addCertSubjectDN() has been converted into
addSeeAlso() which takes a user ID and the value of the
seeAlso attribute.

- - - - -
9badc0c0 by Endi S. Dewata at 2020-10-19T16:06:34-05:00
Refactor UGSubsystem.removeCertSubjectDN()

The UGSubsystem.removeCertSubjectDN() has been converted
into removeSeeAlso() that takes the user ID and the value
of the seeAlso attribute.

- - - - -
ea148d61 by Endi S. Dewata at 2020-10-19T16:14:10-05:00
Add UGSubsystem.findUsersByKeyword()

The code that generates an LDAP filter to search users by
keyword has been moved into UGSubsystem.findUsersByKeyword().

- - - - -
a6646131 by Endi S. Dewata at 2020-10-19T16:14:17-05:00
Add JSON converter for UserData

- - - - -
d23b45b3 by Endi S. Dewata at 2020-10-19T16:14:17-05:00
Add JSON converter for UserCollection

- - - - -
93b892a1 by Endi S. Dewata at 2020-10-19T19:35:18-05:00
Update PostgreSQLRealm to create PKIPrincipal

The PostgreSQLRealm has been modified to create a PKIPrincipal
which stores the User object instead of a GenericPrincipal which
stores only the username.

- - - - -
6c62d4b8 by Fraser Tweedale at 2020-10-20T11:09:28+10:00
startup notification: add StartupNotifier interface

Add the StartupNotifier interface.  Update CMSEngine to invoke
.notifyReady() for each configured notifier when startup is
completed.

Loading of notifiers and a systemd notifier instance will be
implemented in subsequent commits.

Part of: https://pagure.io/dogtagpki/issue/1233

- - - - -
c452bdec by Fraser Tweedale at 2020-10-20T11:09:28+10:00
startup notification: initialise from CS.cfg

Initialise StartupNotifier instances configured in CS.cfg.  The
configuration scheme is:

  startupNotifiers.list=systemd,foo
  startupNotifiers.systemd.class=package.and.ClassName
  startupNotifiers.foo.class=com.netscape.cmscore.apps.FooNotifier
  startupNotifiers.foo.paramA=valueA
  startupNotifiers.foo.paramB=valueB

'startupNotifiers.list' gives a list of substore names, one for each
StartupNotifier instance.  The 'class' parameter of each substore
specifies the Java class name.  The config substore is passed to the
StartupNotifier.init() method.

Part of: https://pagure.io/dogtagpki/issue/1233

- - - - -
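The substore scheme described in commit c452bdec above, parsed and validated in Python as an added example (this is not Dogtag's own loader, which is Java; the example only assumes the key layout the commit message documents): it reads CS.cfg-style key=value lines, builds one entry per name in startupNotifiers.list, rejects a listed notifier that has no class parameter, and flags substores that are present in the file but not listed, which a list-driven loader would otherwise silently skip. The sample configuration, including the extra 'bar' substore, is constructed for the example.

```python
"""Parse and validate the startupNotifiers.* scheme from CS.cfg-style text.

Added example, not Dogtag code.  Assumed layout, taken from the commit message:
  startupNotifiers.list=<name>,<name>,...
  startupNotifiers.<name>.class=<java class name>
  startupNotifiers.<name>.<param>=<value>
"""
from dataclasses import dataclass, field

PREFIX = "startupNotifiers."


@dataclass
class NotifierConfig:
    name: str
    class_name: str
    params: dict = field(default_factory=dict)


def parse_cs_cfg(text):
    """Parse key=value lines (CS.cfg style), skipping blank lines and '#' comments.

    Only the first '=' separates key from value, so values may contain '='.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def load_startup_notifiers(props):
    """Return (notifiers, warnings) for the startupNotifiers.* substores in props.

    A listed name without a 'class' parameter is a hard error, because nothing
    could be instantiated for it.  A substore that exists but is not listed is
    reported as a warning: a loader driven by the list never sees it.
    """
    raw_list = props.get(PREFIX + "list", "")
    names = [n.strip() for n in raw_list.split(",") if n.strip()]

    notifiers = []
    for name in names:
        sub = PREFIX + name + "."
        class_name = props.get(sub + "class")
        if not class_name:
            raise ValueError(
                f"startup notifier '{name}' is listed but has no class parameter")
        # Everything else under the substore is passed through as a parameter.
        params = {k[len(sub):]: v for k, v in props.items()
                  if k.startswith(sub) and k != sub + "class"}
        notifiers.append(NotifierConfig(name, class_name, params))

    listed = set(names)
    warnings = set()
    for key in props:
        if key.startswith(PREFIX) and key != PREFIX + "list":
            substore = key[len(PREFIX):].split(".", 1)[0]
            if substore not in listed:
                warnings.add(
                    f"substore '{substore}' is configured but not in startupNotifiers.list")
    return notifiers, sorted(warnings)


# Constructed sample mirroring the commit message, plus one orphan substore.
SAMPLE_CFG = """\
# constructed sample for the example
startupNotifiers.list=systemd,foo
startupNotifiers.systemd.class=package.and.ClassName
startupNotifiers.foo.class=com.netscape.cmscore.apps.FooNotifier
startupNotifiers.foo.paramA=valueA
startupNotifiers.foo.paramB=valueB
startupNotifiers.bar.class=com.example.OrphanNotifier
"""


def demo():
    """Parse the constructed sample; returns (notifiers, warnings)."""
    return load_startup_notifiers(parse_cs_cfg(SAMPLE_CFG))


if __name__ == "__main__":
    notifiers, warnings = demo()
    for n in notifiers:
        print(f"{n.name}: {n.class_name} {n.params}")
    for w in warnings:
        print("WARNING:", w)
```

The orphan check is the part worth keeping around: a misspelled name in startupNotifiers.list leaves a fully configured substore behind that is never loaded, and without a warning the only symptom is a notifier that quietly does nothing.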
5c0a0c9d by Fraser Tweedale at 2020-10-20T11:09:28+10:00
startup notification: add pki-systemd jar

Implement SystemdStartupNotifier, which does not actually notify
systemd yet (this will be implemented in a subsequent commit).
Ship this class in its own jar.  The inclusion of this jar in the
pki-server package will be made conditional on an RPM macro in the
next commit.

Part of: https://pagure.io/dogtagpki/issue/1233

- - - - -
4f106e2b by Fraser Tweedale at 2020-10-20T11:09:28+10:00
startup notification: make the systemd class optional

Add the `sdnotify` RPM bcond to make the SystemdStartupNotifier
class optional.  When enabled, it is supplied in a separate JAR
(part of the pki-server package), and the webapp symlink is added in
the pki-ca package.  It is enabled by default.

Note that on Fedora and presumably RHEL also, libsystemd.so is
always present.  sd_booted(3) can be used to determine whether pid 1
is systemd or not, so having a systemd notifier implementation
present doesn't imply that systemd must be used.

Nevertheless, it was requested to make this component optional.  So
here we are.

Part of: https://pagure.io/dogtagpki/issue/1233

- - - - -
1bc6a40c by Fraser Tweedale at 2020-10-20T11:09:28+10:00
startup notification: complete systemd notifier

Complete the implementation of SystemdStartupNotifier.  We use JNA
to bind to libsystemd.  The dependency on 'jna' package only occurs
when %{with sdnotify}.

The systemd unit template file is left alone, retaining Type=simple.
In order to enable systemd startup notification, you can override
the Type in the "drop-in" directory. For example, if the instance
name is 'pki-tomcat', write to the file:

  /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/notify.conf

the content:

  [Service]
  Type=notify

See systemd.unit(5) for more details.

Fixes: https://pagure.io/dogtagpki/issue/1233

- - - - -
ef088977 by Fraser Tweedale at 2020-10-20T11:09:28+10:00
startup notification: load libsystemd in init()

In the SystemdStartupNotifier, in order to better handle errors load
the library in init() rather than as static class configuration.
This gives better control over when Dogtag attempts to load the
library, and how it can handle errors.

Part of: https://pagure.io/dogtagpki/issue/1233

- - - - -
592f412e by Fraser Tweedale at 2020-10-20T11:09:28+10:00
startup notification: return result to caller

Update the StartupNotifier interface to return a NotifyResult to the
caller.  The NotifyResult contains a success/failure enum and a
string message.  Update CMSEngine to interpret the NotifyResult and
log a message if appropriate.

The SystemdStartupNotifier no longer writes to stderr/stdout.  As a
result, there is no longer any ambiguity about which CMS subsystem a
failure occurred in.

Part of: https://pagure.io/dogtagpki/issue/1233

- - - - -
6f573ee1 by jmagne at 2020-10-19T18:26:57-07:00
Enhancement to Bug 1858860 - TPS - Update Error Codes returned to client (CIW/ESC) to Match CS8. (#3361)

This enhancement allows config values to be used to test the unlikely error conditions addressed in the original bug:

To test the two scenarios, use these settings one at a time:

op.pinReset.testNoBeginMsg=false
op.pinReset.testUpdateDBFailure=false

The first one will test the error code returned when the beginOp message is missing when attempting
a pin Reset operation. The error returned should be error "4".

The second one will test if the update of the db for the token does not complete properly.

The error returned in this scenario should be "41".

The tpsclient utility can be used to test these two scenarios. Once again try them separately
because the first error will stop the pin reset procedure before the second scenario can even happen.
- - - - -
8529ebe2 by Endi S. Dewata at 2020-10-20T09:22:50-05:00
Add PostgreSQLConfigMonitor

The PostgreSQLConfigMonitor has been added to periodically
monitor ACME config properties stored in PostgreSQL database.

- - - - -
885136fb by Endi S. Dewata at 2020-10-20T09:22:50-05:00
Add docs for PostgreSQLConfigMonitor

- - - - -
c7be1f9b by Endi S. Dewata at 2020-10-20T09:26:55-05:00
Fix pki-server acme-realm-show

- - - - -
4f12d13e by Endi S. Dewata at 2020-10-20T11:26:48-05:00
Update version number to 10.10.0-beta1

- - - - -
3df7a23c by Endi S. Dewata at 2020-10-20T16:54:54-05:00
Update JSS dependency

- - - - -
9b6247dc by Fraser Tweedale at 2020-10-21T10:47:27+10:00
CommonNameToSANDefault: allow label starting with digit

https://tools.ietf.org/html/rfc1123#section-2 relaxes the grammar
specified in https://tools.ietf.org/html/rfc1034#section-3.5,
allowing a DNS label to start with a number.  RFC 5280 explicitly
adopts the modifications of RFC 1123, so the current check that
requires a label to start with a letter is too strict.  Update the
check to allow labels to start with number or letter.

Fixes: https://github.com/dogtagpki/pki/issues/3339

- - - - -
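The label check that commit 9b6247dc relaxes, as an added example that is not the project's Java code: the strict RFC 1034 rule beside the RFC 1123 rule adopted by RFC 5280, plus the remaining syntax checks (label length, hyphen placement, total length). The function names are assumptions, and the rejection of an all-digit top-level label is a choice of this example, not necessarily the plugin's.

```python
# Added example (not CommonNameToSANDefault itself): DNS host name syntax
# checks as used when deciding whether a CN can be copied into a dNSName SAN.
import re

# RFC 1034 section 3.5: a label must start with a letter.
_RFC1034_LABEL = re.compile(r'^[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?$')
# RFC 1123 section 2.1: the first character may also be a digit.
_RFC1123_LABEL = re.compile(r'^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$')


def is_valid_label(label, allow_leading_digit=True):
    """One label: 1..63 chars, letters/digits/hyphen, no hyphen at either end."""
    if not 1 <= len(label) <= 63:
        return False
    pattern = _RFC1123_LABEL if allow_leading_digit else _RFC1034_LABEL
    return pattern.fullmatch(label) is not None


def is_valid_dns_name(name, allow_leading_digit=True):
    """Whole name: at most 253 chars, every label valid, and (a choice of this
    example, following RFC 1123 2.1) the top-level label is not all digits,
    so a dotted-decimal string such as 192.168.1.1 is not treated as a name."""
    if name.endswith('.'):
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    labels = name.split('.')
    if not all(is_valid_label(l, allow_leading_digit) for l in labels):
        return False
    return not labels[-1].isdigit()


def cn_to_san_dns(cn, allow_leading_digit=True):
    """Return the CN as a dNSName SAN candidate, or None if it is not a
    syntactically valid DNS name (e.g. it contains spaces)."""
    return cn if is_valid_dns_name(cn, allow_leading_digit) else None


if __name__ == '__main__':
    # Constructed sample CNs: the first is rejected under RFC 1034 but
    # accepted under RFC 1123, which is the case the commit fixes.
    for cn in ('1password.example.com', 'www.example.com',
               'Example Corp Web Server', '192.168.1.1'):
        print(cn, '->', cn_to_san_dns(cn, allow_leading_digit=False),
              '/', cn_to_san_dns(cn))
```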
2e1a0cfd by Endi S. Dewata at 2020-10-21T08:38:27-05:00
Update TomcatJSS dependency

- - - - -
8449667d by Endi S. Dewata at 2020-10-21T16:55:20-05:00
Add pki-acme.js

The JavaScript code in ACME's index.jsp has been moved
into pki-acme.js.

- - - - -
defadf1a by Endi S. Dewata at 2020-10-21T19:18:10-05:00
Add pki-server <subsystem>-user-find

The pki-server <subsystem>-user-find has been added to
find users linked to a certificate.

- - - - -
6c322670 by Endi S. Dewata at 2020-10-21T19:27:02-05:00
Add pki-server <subsystem>-user-mod

The pki-server <subsystem>-user-mod has been added to
link/unlink a user to a certificate.

- - - - -
27e27237 by Endi S. Dewata at 2020-10-21T20:25:03-05:00
Remove Configurator.removeOldDBUsers()

The code that links/unlinks users to/from subsystem cert
has been moved into configuration.py.

- - - - -
fb0ed640 by Endi S. Dewata at 2020-10-22T15:06:36-05:00
Add InMemoryRealm

The InMemoryRealm has been added to provide a simple realm
that contains just the admin user.

- - - - -
0b73ae1b by Endi S. Dewata at 2020-10-22T15:06:36-05:00
Update ACME deployment for Podman

The Dockerfile and the pki-acme-run script have been modified
to use the InMemoryRealm by default and provide a mechanism
to change it.

- - - - -
6157d431 by Endi S. Dewata at 2020-10-22T15:06:36-05:00
Update ACME deployment for OpenShift

The OpenShift deployment files have been modified to use
the InMemoryRealm by default and provide a mechanism to
change it.

- - - - -
ad6d9fad by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Clean up exception handling in pki-server

The pki-server has been modified to show better error messages.

- - - - -
b0047db2 by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Add log messages for Password.get_password()

- - - - -
84696756 by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Refactor UGSubsystem.addUserCert()

The UGSubsystem.addUserCert() has been modified to take
a user ID and a certificate object.

- - - - -
f093ae97 by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Add pki-server <subsystem>-user-cert-add

The pki-server <subsystem>-user-cert-add has been added to
add a cert to a user for client cert authentication.

- - - - -
d49310da by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Refactor pkidbuser cert configuration

The code that configures pkidbuser cert has been moved
into configuration.py.

- - - - -
6ad73713 by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Clean up UGSubsystem.addUser()

The UGSubsystem.addUser() has been modified to allow
optional attributes according to the LDAP schema.

- - - - -
438eff69 by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Add pki-server <subsystem>-user-show

The pki-server <subsystem>-user-show has been added to
retrieve a user directly from the database.

- - - - -
4f9e4d95 by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Add pki-server <subsystem>-user-add

The pki-server <subsystem>-user-add has been added to
add a user directly into the database.

- - - - -
4078259a by Endi S. Dewata at 2020-10-23T10:01:39-05:00
Refactor pkidbuser creation

The code that creates pkidbuser has been moved into
configuration.py.

- - - - -
89f178ad by Endi S. Dewata at 2020-10-23T11:09:59-05:00
Add PKIDeployer.setup_database_user()

The code that configures pkidbuser has been moved into
PKIDeployer.setup_database_user().

- - - - -
61744481 by Endi S. Dewata at 2020-10-23T13:44:06-05:00
Fix cloning issue

Due to recent changes pkispawn tried to add a duplicate
pkidbuser during cloning so it failed. The code has been
modified to no longer add pkidbuser during cloning.

- - - - -
42ab987a by Endi S. Dewata at 2020-10-23T14:43:08-05:00
Remove unused SystemConfigService.setupDatabaseUser()

- - - - -
ab918bf7 by Endi S. Dewata at 2020-10-26T15:13:53-05:00
Fix error handling in pki-server

- - - - -
355f2655 by Endi S. Dewata at 2020-10-26T15:14:00-05:00
Fix Password.get_password()

The Password.get_password() has been modified to use
pki.util.load_properties() to load the password file.

- - - - -
2648cc6e by Endi S. Dewata at 2020-10-26T15:29:52-05:00
Add pki securitydomain-join

The code that registers the new subsystem into the security
domain has been moved into pki securitydomain-join.

- - - - -
65781959 by Endi S. Dewata at 2020-10-26T21:48:32-05:00
Clean up PKISubsystem.join_security_domain()

- - - - -
25f6ecd4 by Endi S. Dewata at 2020-10-26T21:49:16-05:00
Add pki-server sd-host-add

The code that adds the security domain manager has been
moved into pki-server sd-host-add.

- - - - -
26450226 by Endi S. Dewata at 2020-10-26T23:01:00-05:00
Add pki-server sd-create

The code that creates the security domain has been moved into
pki-server sd-create.

- - - - -
b4a33e33 by Endi S. Dewata at 2020-10-26T23:01:06-05:00
Remove unused SystemConfigService.setupSecurityDomain()

- - - - -
b24f6b16 by Endi S. Dewata at 2020-10-26T23:01:06-05:00
Remove unused SecurityDomainSetupRequest

- - - - -
f74a6bd2 by Endi S. Dewata at 2020-10-27T13:10:41-05:00
Clean up group configuration for pkidbuser

- - - - -
73d0e6e4 by Endi S. Dewata at 2020-10-27T13:10:44-05:00
Add --output-format for pki-server <subsystem>-group-member-find

- - - - -
53706d43 by Endi S. Dewata at 2020-10-27T13:10:45-05:00
Add --tps-profiles for pki-server <subsystem>-add-user

- - - - -
f26500c1 by Endi S. Dewata at 2020-10-27T13:10:47-05:00
Refactor admin certificate configuration

The code that configures the admin certificate in
Configurator.updateAdminUserCert() has been moved into
PKIDeployer.setup_admin().

- - - - -
9e3db097 by Endi S. Dewata at 2020-10-27T13:10:49-05:00
Refactor admin group configuration

The code that configures the admin groups in
Configurator.createAdminUser() has been moved into
PKIDeployment.setup_admin().

- - - - -
63c7434b by Endi S. Dewata at 2020-10-27T13:10:50-05:00
Refactor admin user creation

The code that creates the admin user in
Configurator.createAdminUser() has been moved into
PKIDeployer.setup_admin().

- - - - -
d4ed7a86 by Endi S. Dewata at 2020-10-27T13:10:52-05:00
Remove ACME tech preview notifications

- - - - -
d7cd7104 by Fraser Tweedale at 2020-10-27T17:53:57-05:00
acme: refactor validation retry behaviour into ACMEChallengeProcessor

Challenge retry behaviour was duplicated across validators.
Refactor this behaviour into the ACMEChallengeProcessor class.

The validateChallenge method can now no longer raise (arbitrary)
exceptions.  Instead it returns a value of the ValidationResult
type.  As a consequence, more exceptions need to be handled, but the
upshot is that such failures are now captured and get represented
properly in the challenge object's error field.

- - - - -
cc566b63 by Fraser Tweedale at 2020-10-27T17:53:57-05:00
acme: add ACMEIdentifierValidator class

Add a class and methods for validating the syntax of an identifier.
This will allow the newOrder service to reject orders with malformed
identifiers (a subsequent commit will implement this behaviour).

- - - - -
2cfa3c63 by Fraser Tweedale at 2020-10-27T17:53:57-05:00
acme: validate identifier syntax

Update ACMENewOrderService to validate identifier syntax and respond
with an error object if it finds a malformed identifier.

Also add a service base class providing the "respond with ACMEError
object".  Other service classes should be updated over time to use
it, so that we (a) return proper error objects in conformance with
RFC 8555 and (b) avoid code duplication through use of the base
class.

- - - - -
e63ff629 by Endi S. Dewata at 2020-10-28T11:08:21-05:00
Clean up ACME docs

- - - - -
113a8634 by Endi S. Dewata at 2020-10-28T11:11:59-05:00
Clean up ACME docs (part 2)

- - - - -
927f6662 by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Update ACME login and logout services

The ACME login service has been modified to allow anybody
to retrieve the login information from the current session.

The ACME logout service has been modified to allow anybody
to clear the current session.

- - - - -
373f5c5c by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Add avatar and user's full name for ACME UI

The ACME UI has been modified to display an avatar and
user's full name.

- - - - -
9db5355f by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Add profile menu for ACME UI

The ACME UI has been modified to provide a profile menu
which initially contains the login and logout menu items.

- - - - -
38616b5a by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Add sidebar menu for ACME UI

A sidebar menu has been added into the ACME UI. The main page
has been split into home.jsp and help.jsp.

- - - - -
2cd562a5 by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Add sidebar toggle in ACME UI

A toggle has been added to show/hide the sidebar in the ACME UI.

- - - - -
15962317 by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Add configuration page in ACME UI

A configuration page has been added in ACME UI to show the
current service status and links to enable/disable the service.

- - - - -
181487b3 by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Add login/logout sidebar menu

- - - - -
5e06d806 by Endi S. Dewata at 2020-10-28T14:09:48-05:00
Fix ACME UI logout

- - - - -
61297c6f by Endi S. Dewata at 2020-10-28T14:42:31-05:00
Update version number to 10.0.0

- - - - -
769d4866 by Endi S. Dewata at 2020-10-28T18:16:35-05:00
Fix JNA build dependency

- - - - -
8f288e20 by Endi S. Dewata at 2020-10-29T11:14:00-05:00
Add workaround for missing capture_output in Python 3.6

- - - - -
5d674aef by Endi S. Dewata at 2020-10-29T11:16:58-05:00
Fix JSS initialization in pki-server <subsystem>-user-cert-add

The pki-server <subsystem>-user-cert-add failed with
NoSuchProviderException when importing a certificate with
RSA/PSS algorithm. It turns out the JSS has to be initialized
before parsing the certificate using X509CertImpl.

- - - - -
263739df by Endi S. Dewata at 2020-10-29T21:45:45-05:00
Fix ACME doc

- - - - -
c073c85d by Endi S. Dewata at 2020-11-02T12:30:41-06:00
Clean up pki-server <subsystem>-user-show

- - - - -
5d0dae12 by Endi S. Dewata at 2020-11-02T19:54:46-06:00
Fix invalid attribute syntax during installation

Recently the pki.convert_x509_name_to_dn() was used to convert
the subsystem cert's subject name into a DN during installation.
However, the original code did not escape attributes in the DN
properly, so if the subject name contained a special character
(e.g. comma), the syntax of the DN could become invalid.

To fix the problem the pki.convert_x509_name_to_dn() has been
modified to escape attributes in the DN properly.

https://github.com/dogtagpki/pki/issues/3367

- - - - -
6989a2ff by Endi S. Dewata at 2020-11-03T21:21:04-06:00
Clean up log messages in CAService

- - - - -
0f74e07b by Endi S. Dewata at 2020-11-03T21:21:06-06:00
Clean up log messages in EnrollProfile

- - - - -
bb939bcd by Endi S. Dewata at 2020-11-04T09:08:34-06:00
Clean up log messages in AuditService

- - - - -
749c2d94 by Endi S. Dewata at 2020-11-04T09:08:35-06:00
Fix NPE in UGSubsystem.findUsersByKeyword()

- - - - -
c9eb3d5e by fdelehay at 2020-11-05T01:05:29+01:00
Update PKI_Health_Check_Tool.md

typos
- - - - -
602a53c6 by Endi S. Dewata at 2020-11-04T18:10:33-06:00
Update links in docs

- - - - -
9a2cf4f1 by Endi S. Dewata at 2020-11-04T19:01:42-06:00
Add FQDN configuration doc

- - - - -
4c322622 by cpinjani at 2020-11-05T12:55:52+05:30
Check 'man pkispawn' having reference of setup-ds.pl (#3371)

Signed-off-by: Chandan Pinjani <cpinjani at redhat.com>

Co-authored-by: Chandan Pinjani <cpinjani at redhat.com>
- - - - -
9e450c26 by gswami90 at 2020-11-05T17:56:32+05:30
Test_automation_for_RFE_Need_Method_to_copy_SKI_from_CSR_to_Certifica… (#3351)

* Test_automation_for_RFE_Need_Method_to_copy_SKI_from_CSR_to_Certificate_signed

Signed-off-by: Gaurav Swami <gswami at redhat.com>

* Test_automation_for_RFE_Need_Method_to_copy_SKI_from_CSR_to_Certificate_signed

Signed-off-by: Gaurav Swami <gswami at redhat.com>
- - - - -
1b6b426a by Endi S. Dewata at 2020-11-06T15:16:38-06:00
Fix concurrency issue in ACME PKIIssuer

The PKIIssuer has been modified to create a new PKIClient
instance for each request to avoid concurrency issue when
handling multiple clients.

The PKIIssuer.issueCertificate() has been modified to no
longer call CAClient.login() since the login operation will
actually be performed automatically by the PKIConnection
if required by the server. The CAClient.login() is mainly
used to get the account info (e.g. user roles) which is not
needed in this case.

https://bugzilla.redhat.com/show_bug.cgi?id=1889691

- - - - -
09ca2e4e by Endi S. Dewata at 2020-11-06T16:33:17-06:00
Fix pki <subsystem>-audit-mod

The AuditService.updateAuditConfig() has been modified to
no longer throw an exception when it encounters a disabled
event. Instead, it will ignore the disabled event and not
add it into the list of enabled events.

https://bugzilla.redhat.com/show_bug.cgi?id=1843416

- - - - -
fa861277 by Endi S. Dewata at 2020-11-06T20:19:48-06:00
Add upgrade docs

- - - - -
5dcdd5ef by dpuniaredhat at 2020-11-11T13:24:24+05:30
Bugzilla automation 1843416 kra-audit-mod fail (#3375)

Bug 1843416 - kra-audit-mod fail with Invalid event configuration if we have disabled entry in input file

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
8e9c247c by Endi S. Dewata at 2020-11-11T08:55:23-06:00
Update DS instance name in CI tests

The CI tests have been updated to use a more generic
DS instance name.

- - - - -
357d7363 by Endi S. Dewata at 2020-11-11T12:00:59-06:00
Update PKI instance name in CI tests

The CI tests have been updated to use the default
PKI instance name.

- - - - -
ae8dba6d by Endi S. Dewata at 2020-11-11T13:51:05-06:00
Update LDAP suffixes in CI tests

The CI tests have been updated to use example LDAP suffixes.

- - - - -
c436eb9e by Endi S. Dewata at 2020-11-11T13:51:05-06:00
Update security domain name in CI tests

The CI tests have been updated to use an example security
domain name.

- - - - -
4c74ba7a by Endi S. Dewata at 2020-11-11T13:51:05-06:00
Update network domain name in CI tests

The CI tests have been updated to use an example network
domain name.

- - - - -
90f7e320 by Endi S. Dewata at 2020-11-11T13:51:05-06:00
Update container names in CI tests

The CI tests have been updated to use more descriptive
container names.

- - - - -
292d20d8 by Endi S. Dewata at 2020-11-11T16:44:56-06:00
Update pki pkcs12-cert-mod

The pki pkcs12-cert-mod has been modified to search
for the cert to modify in a PKCS #12 file by its ID
in addition to its nickname. If a cert ID is provided,
there will be at most one cert matching the ID. If a
nickname is provided, there could be multiple certs
matching the nickname, but only the first one will
be processed.

- - - - -
481632eb by Endi S. Dewata at 2020-11-11T16:44:56-06:00
Add --friendly-name option for pki pkcs12-cert-mod

The pki pkcs12-cert-mod has been modified to provide
a --friendly-name option to change the nickname of a
cert in PKCS #12 file.

The --trust-flags option has been changed to become
optional.

- - - - -
36c209e1 by Endi S. Dewata at 2020-11-11T16:47:28-06:00
Move IPA tests into separate workflow

- - - - -
68d6cb36 by Endi S. Dewata at 2020-11-11T16:47:28-06:00
Simplified build task in IPA tests

- - - - -
382e18f2 by Endi S. Dewata at 2020-11-11T16:47:28-06:00
Rename Required Tests to Installation Tests

- - - - -
9396a54a by Alexander Scheel at 2020-11-12T11:16:32-05:00
Document how to debug QE pipeline failures

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b45f7a8e by Alexander Scheel at 2020-11-12T11:16:32-05:00
Update Debugging_Pipeline.md
- - - - -
5689e792 by Alexander Scheel at 2020-11-12T11:16:32-05:00
Fix spelling of Ansible
- - - - -
e11e7014 by Endi S. Dewata at 2020-11-12T11:23:49-06:00
Use hostnames as container names in CI tests

- - - - -
ef41bc53 by Endi S. Dewata at 2020-11-12T12:23:59-06:00
Refactor CAConfigurator.createLocalCert()

The CAConfigurator.createLocalCert() has been modified
to take a list of DNS names for SAN extension.

- - - - -
056e8cf0 by Endi S. Dewata at 2020-11-12T12:34:44-06:00
Refactor Configurator.createCert()

The Configurator.createCert() has been modified to take
a profile ID and a list of DNS names for SAN extension.

- - - - -
bdfbc3ea by Endi S. Dewata at 2020-11-12T12:44:01-06:00
Refactor Configurator.loadCert()

The Configurator.loadCert() has been modified to take
a profile ID and a list of DNS names for SAN extension.

- - - - -
e2d28ec5 by Endi S. Dewata at 2020-11-13T11:24:31-06:00
Update log messages in LDAPConfigurator.importLDIFRecord()

- - - - -
2338cc58 by Endi S. Dewata at 2020-11-13T11:24:31-06:00
Update log messages in LDAPConfigurator.createSystemContainer()

- - - - -
e10d7829 by Endi S. Dewata at 2020-11-13T11:24:31-06:00
Update log messages in PKIInstance.load()

- - - - -
26d89ac9 by Endi S. Dewata at 2020-11-13T11:24:31-06:00
Update log messages in PluginRegistry

- - - - -
aeec176e by Endi S. Dewata at 2020-11-13T11:34:40-06:00
Update log messages in UGSubsystem.addUser()

- - - - -
026e1c17 by Endi S. Dewata at 2020-11-13T12:33:35-06:00
Convert deployment configs in CI tests into examples

The pki.cfg in CI tests has been split into separate
deployment configs for each subsystem and moved into a
new examples folder. The installation docs have been
updated to point to these examples.

The create and remove scripts have been removed since
they contain only a single command. The CI tests have
been modified to call pkispawn and pkidestroy directly.

- - - - -
e3a9e57b by Endi S. Dewata at 2020-11-13T12:35:08-06:00
Update log messages in Configurator.createRemoteCert()

- - - - -
3f58ee57 by Endi S. Dewata at 2020-11-13T15:25:01-06:00
Fix ACME Dockerfile

- - - - -
9c10e652 by Endi S. Dewata at 2020-11-13T20:24:53-06:00
Clean up installation tests

- - - - -
bae0609f by Endi S. Dewata at 2020-11-13T20:24:53-06:00
Fix LDAPConfigurator.importLDIFRecord()

The LDAPConfigurator.importLDIFRecord() has been updated
to ignore modification error due to missing entry.

- - - - -
525968e1 by Endi S. Dewata at 2020-11-16T10:15:27-06:00
Fix cloning issue on F33

Since Fedora 33 the DS changelog has moved and will be
created automatically when the replication is enabled. Also,
the operation to add the old changelog will fail with LDAP
error 53. However, in older DS versions the old changelog
still needs to be added manually. To support all DS versions
the code will now ignore LDAP error 53.

https://github.com/dogtagpki/pki/issues/3379

- - - - -
51db62f9 by Endi S. Dewata at 2020-11-16T10:15:27-06:00
Updated CA cloning doc

- - - - -
e12a078b by Endi S. Dewata at 2020-11-16T11:03:32-06:00
Fix NPE during subordinate CA installation

Due to recent changes, the CAConfigurator.createCert()
incorrectly tried to issue the subordinate CA cert locally,
which failed since there was no local CA signing cert yet
on the new subordinate CA being installed.

To fix the problem, the CAConfigurator.createCert() has
been modified to call the Configurator.createCert() to
obtain the subordinate CA cert from the remote root CA.

https://bugzilla.redhat.com/show_bug.cgi?id=1891577

- - - - -
64cf25ea by Endi S. Dewata at 2020-11-16T11:03:32-06:00
Add pki_cert_chain_path validation

The PKIDeployer.sd_connect() has been modified to validate
that the cert chain file exists if it's specified in the
pki_cert_chain_path parameter.

- - - - -
9e5138d9 by Endi S. Dewata at 2020-11-16T11:03:32-06:00
Add subordinate CA installation doc

- - - - -
4c705de8 by Endi S. Dewata at 2020-11-16T15:57:30-06:00
Update status badges

- - - - -
1906afbe by Alexander Scheel at 2020-11-17T13:25:14-05:00
Introduce IPv4 and IPv6-specific AJP adapters

In order to facilitate IPv4-only and IPv6-only stacks, begin binding
separately to IPv4 and IPv6. If a Connector fails to bind, Tomcat will
continue running, but won't listen on that address. This allows both
127.0.0.1 and ::1 to function on new Dogtag installs.

Note that the limitation here comes not from Tomcat but from JDK: it
only allows binding to a single (IPv4 or IPv6) stack with a given
address.

Resolves: rh-bz#1780082

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f685919e by Alexander Scheel at 2020-11-17T13:25:14-05:00
Add new AJP adapter upgrade script

This lets us migrate "localhost"-only adapters to localhost4/localhost6
split adapters.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
e544a3c7 by Alexander Scheel at 2020-11-17T13:25:14-05:00
Mark pki_ajp_host as deprecated

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
51cdc1f6 by Endi S. Dewata at 2020-11-17T14:34:29-06:00
Replace TomcatJSS.loadTomcatConfig() with loadConfig()

The TomcatJSS.loadTomcatConfig() invocations have been
replaced with loadConfig() such that the config file
doesn't need to be specified explicitly.

- - - - -
c5f961cd by Endi S. Dewata at 2020-11-17T14:35:32-06:00
Update version number to 10.10.1

- - - - -
40a2af93 by Endi S. Dewata at 2020-11-17T19:17:54-06:00
Replace cryptography.x509.name._escape_dn_value()

The cryptography.x509.name._escape_dn_value() has been
replaced with a more standard ldap.dn.escape_dn_chars().

https://github.com/dogtagpki/pki/issues/3367

- - - - -
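The DN escaping problem fixed in commits 5d0dae12 and 40a2af93 above, as an added example that is not the project's code: the RFC 4514 section 2.4 escaping rules (the same character set ldap.dn.escape_dn_chars applies) written out directly, a DN builder with the escaping switched on and off, and a splitter that shows how an LDAP server would parse each result. The function names and the sample subject are assumptions of this example.

```python
# Added example (not pki.convert_x509_name_to_dn): building an LDAP DN string
# from an X.509 subject name with RFC 4514 escaping of attribute values.

# Characters that must be backslash-escaped anywhere inside a value.
_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value):
    """Escape one attribute value so it can be embedded in a DN string."""
    if not value:
        return value
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')          # NUL is written as a hex pair
        else:
            out.append(ch)
    s = ''.join(out)
    if s[0] in ('#', ' '):              # a leading '#' or space is escaped
        s = '\\' + s
    if s.endswith(' ') and not s.endswith('\\ '):   # so is a trailing space
        s = s[:-1] + '\\ '
    return s


def x509_name_to_dn(pairs, escape=True):
    """Build a DN string from (attribute type, value) pairs given in
    certificate order (least significant RDN last), so the result reads
    CN=...,O=... . escape=False reproduces the original unescaped bug."""
    rdns = []
    for attr_type, value in reversed(pairs):
        if escape:
            value = escape_dn_value(value)
        rdns.append('%s=%s' % (attr_type, value))
    return ','.join(rdns)


def split_rdns(dn):
    """Split a DN string into RDNs on unescaped commas, the way an LDAP
    server parses it; an unescaped comma inside a value yields an extra RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])     # keep the escape pair together
            i += 2
            continue
        if ch == ',':
            rdns.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append(''.join(cur))
    return rdns


# Constructed sample subject: the organisation name contains a comma.
SAMPLE_SUBJECT = [('O', 'Example, Inc.'), ('OU', 'PKI'),
                  ('CN', 'CA Subsystem Certificate')]

if __name__ == '__main__':
    broken = x509_name_to_dn(SAMPLE_SUBJECT, escape=False)
    fixed = x509_name_to_dn(SAMPLE_SUBJECT)
    print(broken, '->', len(split_rdns(broken)), 'RDNs')   # 4 RDNs: invalid DN
    print(fixed, '->', len(split_rdns(fixed)), 'RDNs')     # 3 RDNs
```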
996a1bca by dpuniaredhat at 2020-11-18T11:33:23+05:30
acme performance test script (#3368)

How to Run:
1> Install httpd on client.
2> Install acme module eg. pip3 install acme
3> Run acme script with thread.
eg. python3 test_acme_cert_enrollment.py --directory-url http://pki1.example.com:8080/acme/directory --acme-dir /var/www/html/.well-known/acme-challenge --domain client.example.com --number-of-threads 1 --number-of-tests-per-thread 100

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
b0852c83 by Endi S. Dewata at 2020-11-19T13:34:56-06:00
Add CA test

- - - - -
553f4b46 by Endi S. Dewata at 2020-11-19T13:35:25-06:00
Add KRA test

- - - - -
437f5fda by Endi S. Dewata at 2020-11-19T14:00:45-06:00
Add OCSP test

- - - - -
f0a9aac5 by Endi S. Dewata at 2020-11-19T14:00:45-06:00
Add TKS test

- - - - -
a8a76e3a by Endi S. Dewata at 2020-11-19T14:00:45-06:00
Add TPS test

- - - - -
128f508a by Endi S. Dewata at 2020-11-19T14:04:36-06:00
Add Python test

- - - - -
acc7e369 by Endi S. Dewata at 2020-11-19T14:04:37-06:00
Update test badges in README.md

- - - - -
5f21c69f by Endi S. Dewata at 2020-11-19T14:04:50-06:00
Add subordinate CA test

- - - - -
5d8988bb by Endi S. Dewata at 2020-11-19T14:04:50-06:00
Add external CA test

- - - - -
91b5ff0f by Endi S. Dewata at 2020-11-19T14:04:50-06:00
Add CA clone test

- - - - -
43483e56 by Endi S. Dewata at 2020-11-19T16:19:25-06:00
Revert incorrect check-ins

- - - - -
1f1e37f7 by Endi S. Dewata at 2020-11-19T16:19:52-06:00
Add WITH_TPS option for CMake

- - - - -
b69ca648 by Endi S. Dewata at 2020-11-19T16:19:52-06:00
Add WITH_TKS option for CMake

- - - - -
62546988 by Endi S. Dewata at 2020-11-19T16:19:52-06:00
Add WITH_OCSP option for CMake

- - - - -
cb36af69 by Endi S. Dewata at 2020-11-19T16:19:52-06:00
Add WITH_KRA option for CMake

- - - - -
235b58e4 by Endi S. Dewata at 2020-11-19T16:19:52-06:00
Add WITH_CA option for CMake

- - - - -
ac2c5c9f by Endi S. Dewata at 2020-11-19T16:19:52-06:00
Add WITH_ACME option for CMake

- - - - -
21c3f7d5 by Endi S. Dewata at 2020-11-20T12:16:33-06:00
Replace SimpleDateFormat with FastDateFormat

The SimpleDateFormat has been replaced with FastDateFormat
which is thread-safe.

https://bugzilla.redhat.com/show_bug.cgi?id=1889691

- - - - -
bce94aea by Endi S. Dewata at 2020-11-20T17:32:30-06:00
Update version number to 10.11.0-alpha1

- - - - -
a6a8599e by Endi S. Dewata at 2020-11-30T09:22:10-06:00
Add CA test

- - - - -
1a976060 by Endi S. Dewata at 2020-11-30T09:22:10-06:00
Add KRA test

- - - - -
91afea61 by Endi S. Dewata at 2020-11-30T09:22:10-06:00
Add OCSP test

- - - - -
9c6b1cd1 by Endi S. Dewata at 2020-11-30T09:22:10-06:00
Add TKS test

- - - - -
58701617 by Endi S. Dewata at 2020-11-30T09:22:10-06:00
Add TPS test

- - - - -
a6fe0e3e by Endi S. Dewata at 2020-11-30T09:22:10-06:00
Add Python test

- - - - -
c8e8ca6b by Endi S. Dewata at 2020-11-30T09:22:10-06:00
Update status badges in README.md

- - - - -
9dfc1f25 by Endi S. Dewata at 2020-11-30T19:23:42-06:00
Fix pki-server cert-fix

In commit e680746ac4926367aef5c3ae3404dbb23c07eb19 the
ResourceMessage was modified to no longer include empty
attributes. Because of this in certain cases the server
might return a CertEnrollmentRequest object (which extends
ResourceMessage) without the Input or Output attributes,
which broke the pki-server cert-fix command.

To fix the problem, the CertEnrollmentRequest.from_json()
has been modified to check whether the response contains
Input and Output before parsing the attributes.

https://bugzilla.redhat.com/show_bug.cgi?id=1897120

- - - - -
62a26c84 by Endi S. Dewata at 2020-11-30T19:53:34-06:00
Update default base dir in PKISubsystem

The PKISubsystem has been modified to use <instance>/<subsystem>
as the base directory by default.

- - - - -
d07e710d by Endi S. Dewata at 2020-11-30T19:53:34-06:00
Refactor LDAPConfigurator.importFile()

The LDAPConfigurator.importFile() has been converted into
importLDIF() which returns the imported LDIF records.

- - - - -
53fb4ff5 by Endi S. Dewata at 2020-11-30T19:53:34-06:00
Rename LDAPConfigurator.createVLVIndexes()

- - - - -
1909fae8 by Endi S. Dewata at 2020-11-30T19:53:34-06:00
Refactor LDAPConfigurator.rebuildVLVIndexes()

The LDAPConfigurator.rebuildVLVIndexes() has been converted
into reindexVLVs() which utilizes the importLDIF().

- - - - -
cef8ce79 by Endi S. Dewata at 2020-11-30T19:53:34-06:00
Move CertUtils.createCertInfo()

The CertUtils.createCertInfo() has been moved into
CertificateAuthority.

- - - - -
bbcd0d43 by Endi S. Dewata at 2020-11-30T19:53:34-06:00
Clean up CertificateAuthority.init()

- - - - -
a8a9f61a by Endi S. Dewata at 2020-11-30T20:09:21-06:00
Rename CA's SigningUnit to CASigningUnit

- - - - -
dcf6fbfa by Endi S. Dewata at 2020-11-30T20:09:22-06:00
Rename OCSP's SigningUnit to OCSPSigningUnit

- - - - -
a62efcaa by Endi S. Dewata at 2020-11-30T20:09:23-06:00
Move ISigningUnit to pki-server

- - - - -
3cea0627 by Endi S. Dewata at 2020-11-30T20:12:28-06:00
Rename ISigningUnit to SigningUnit

- - - - -
47751a92 by Endi S. Dewata at 2020-11-30T21:46:19-06:00
Convert SigningUnit into base class

The SigningUnit has been converted into a base class which
provides the common code for CASigningUnit and OCSPSigningUnit.

- - - - -
1167082c by Endi S. Dewata at 2020-11-30T21:46:33-06:00
Merge ConsoleLog into ConsoleError

- - - - -
60bd08ba by Endi S. Dewata at 2020-12-01T18:13:26-06:00
Clean up log messages in KRAPolicy

- - - - -
7d0940c2 by Endi S. Dewata at 2020-12-01T18:14:12-06:00
Replace SystemEvent with System.err.println()

- - - - -
7f429199 by Endi S. Dewata at 2020-12-01T18:14:25-06:00
Remove unused SystemEventFactory

- - - - -
ffde646e by Endi S. Dewata at 2020-12-01T18:14:46-06:00
Remove unused SystemEvent

- - - - -
bd633512 by Endi S. Dewata at 2020-12-01T18:18:07-06:00
Replace ConsoleError with System.err.println()

- - - - -
ae673db0 by Endi S. Dewata at 2020-12-01T18:43:57-06:00
Refactor CertInfoProfile constructor

The CertInfoProfile constructor has been modified to take
an IConfigStore object.

- - - - -
49599c44 by Endi S. Dewata at 2020-12-01T18:45:49-06:00
Move CertUtils.createCertRecord() to CertificateAuthority

- - - - -
cd99a648 by Endi S. Dewata at 2020-12-01T19:29:54-06:00
Move CertUtils.initLocalRequest() to CertificateAuthority

- - - - -
24480717 by Endi S. Dewata at 2020-12-01T19:29:54-06:00
Move CertInfoProfile to pki-ca

- - - - -
3d954027 by Endi S. Dewata at 2020-12-02T13:49:22-06:00
Add subordinate CA test

A new CI test has been added to verify subordinate CA
installation.

- - - - -
2de91738 by Endi S. Dewata at 2020-12-02T16:22:39-06:00
Update default metadata.conf

- - - - -
b7bd0322 by Endi S. Dewata at 2020-12-02T17:49:34-06:00
Add CA clone test

- - - - -
257b4200 by Endi S. Dewata at 2020-12-02T17:57:46-06:00
Refactor ServerXml.load()

The ServerXml.load() has been modified to determine the
connector type based on the "scheme" attribute instead of
"name" which is not guaranteed to be available.

- - - - -
8791f5d7 by Endi S. Dewata at 2020-12-02T17:57:51-06:00
Replace PKIInstance constructor

The PKIInstance constructor invocations have been replaced
with PKIServerFactory.create() so they will return either
a PKIServer or a PKIInstance object depending on the actual
instance.

- - - - -
19f066d0 by Endi S. Dewata at 2020-12-04T10:34:27-06:00
Add admin verification

- - - - -
a00bd235 by Endi S. Dewata at 2020-12-07T13:04:45-06:00
Fix KRA/OCSP installation with external certs on HSM

The NSSDatabase.export_cert_from_db() has been modified
to use the fullname when exporting a cert from HSM.

The MigrateCLI.migrate_nssdb() has also been modified
to split the token name from the nickname properly.

https://bugzilla.redhat.com/show_bug.cgi?id=1890639

- - - - -
1cf7f72b by Endi S. Dewata at 2020-12-07T15:15:07-06:00
Merge usn.ldif into database.ldif

The code that enables the USN plugin has been merged into
LDAPConfigurator.initDatabase().

- - - - -
6afc2202 by Endi S. Dewata at 2020-12-07T15:15:07-06:00
Move ou=csusers,cn=config creation

The code that creates ou=csusers,cn=config has been moved into
LDAPConfigurator.initDatabase().

- - - - -
edd3bcf6 by Endi S. Dewata at 2020-12-07T15:43:30-06:00
Add cert extension config for CA signing cert

- - - - -
6ff7e303 by Endi S. Dewata at 2020-12-07T15:43:30-06:00
Add test for installing CA with external signing cert

- - - - -
b0c30fdd by Endi S. Dewata at 2020-12-07T16:00:28-06:00
Add LDAPConfigurator.params

The code that generates the customization parameters in
LDAPConfigurator.customizeFile() has been moved into the
constructor.

- - - - -
3c87a159 by Endi S. Dewata at 2020-12-07T16:00:28-06:00
Remove unused Configurator.importLDIFS()

- - - - -
af71ed1a by Christina Fu at 2020-12-07T18:11:20-08:00
Bug 1392616 - KRA key recovery cli kra-key-retrieve generates an invalid p12 file

This patch is to add back the try/catch block that was in place back in
DOGTAG_10_5_BRANCH. Initially I was going to just remove the two lines:
            queue.processRequest(request);
            queue.markAsServiced(request);
however, it's unclear to me if there is any scenario where they will be needed.
I'm leaving them the same as before.

Also, the reported issue might be a misunderstanding due to unclear documentation.
From the code, it seems the only way to download p12 is through the use
of a template file, for which I will give an example in the bug.

Man page has been updated as well in the area of PKCS12 key recovery.

fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1392616

- - - - -
e966b3da by Endi S. Dewata at 2020-12-07T22:21:03-06:00
Add SubsystemDBVLVFindCLI

The code that lists the VLV indexes in KRADBVLVFindCLI and
TPSDBVLVFindCLI has been converted into SubsystemDBVLVFindCLI.

- - - - -
7a3ec565 by Endi S. Dewata at 2020-12-07T22:21:03-06:00
Add pki-server <subsystem>-db-vlv-find

The pki-server <subsystem>-db-vlv-find has been added
to wrap SubsystemDBVLVFindCLI.

- - - - -
6b792079 by Endi S. Dewata at 2020-12-07T22:21:03-06:00
Replace pki-server kra-db-vlv-find

The pki-server kra-db-vlv-find has been replaced with
pki-server <subsystem>-db-vlv-find.

- - - - -
43290391 by Endi S. Dewata at 2020-12-07T22:21:03-06:00
Replace pki-server tps-db-vlv-find

The pki-server tps-db-vlv-find has been replaced with
pki-server <subsystem>-db-vlv-find.

- - - - -
c294327f by Christina Fu at 2020-12-08T10:33:21-06:00
Bug1875563-part2-auditProfileUpgrade

This patch addresses the issue where, when caSignedLogCert.cfg was renamed
caAuditSigningCert:
  * The profileIDMapping and profileSetIDMapping params in the following
    profile still contain the old names:
      base/ca/shared/conf/caAuditSigningCert.profile
  * at renewal time, the profile will no longer be available

The solution provided is to
  * correct the two mapping param names in caAuditSigningCert.profile
  * re-enable caSignedLogCert.cfg (but kept invisible)

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1875563

- - - - -
b95f9262 by Endi S. Dewata at 2020-12-08T11:41:57-06:00
Add SubsystemDBVLVAddCLI

The code that adds the VLV indexes in KRADBVLVAddCLI and
TPSDBVLVAddCLI has been converted into SubsystemDBVLVAddCLI.

- - - - -
1c403e95 by Endi S. Dewata at 2020-12-08T11:42:14-06:00
Add pki-server <subsystem>-db-vlv-add

The pki-server <subsystem>-db-vlv-add has been added
to wrap SubsystemDBVLVAddCLI.

- - - - -
c7051d8c by Endi S. Dewata at 2020-12-08T11:42:30-06:00
Replace pki-server kra-db-vlv-add

The pki-server kra-db-vlv-add has been replaced with
pki-server <subsystem>-db-vlv-add.

- - - - -
d3761d1b by Endi S. Dewata at 2020-12-08T11:42:50-06:00
Replace pki-server tps-db-vlv-add

The pki-server tps-db-vlv-add has been replaced with
pki-server <subsystem>-db-vlv-add.

- - - - -
1dcd21aa by Endi S. Dewata at 2020-12-08T12:11:00-06:00
Move AddProfileCaAuditSigningCert.py

The upgrade script for adding a new audit signing cert and
deprecating the old audit signing cert has been moved from
10.10.0 to 10.10.2 to ensure that the changes will be
applied properly.

https://bugzilla.redhat.com/show_bug.cgi?id=1875563

- - - - -
71487da1 by Endi S. Dewata at 2020-12-08T14:41:59-06:00
Add tools tests workflow

The PKICertImport test has been moved into a new tools
tests workflow to shorten the build time without reducing
test coverage.

- - - - -
3df33f3e by Endi S. Dewata at 2020-12-08T15:15:46-06:00
Fix pylint issue in AddProfileCaAuditSigningCert.py

https://bugzilla.redhat.com/show_bug.cgi?id=1875563

- - - - -
95e69484 by Endi S. Dewata at 2020-12-08T15:16:02-06:00
Add SubsystemDBVLVDeleteCLI

The code that deletes the VLV indexes in KRADBVLVDeleteCLI
and TPSDBVLVDeleteCLI has been converted into
SubsystemDBVLVDeleteCLI.

- - - - -
ceecc6dd by Endi S. Dewata at 2020-12-08T15:16:02-06:00
Add pki-server <subsystem>-db-vlv-del

The pki-server <subsystem>-db-vlv-del has been added to
wrap SubsystemDBVLVDeleteCLI.

- - - - -
8598316f by Endi S. Dewata at 2020-12-08T15:16:02-06:00
Replace pki-server kra-db-vlv-del

The pki-server kra-db-vlv-del has been replaced with
pki-server <subsystem>-db-vlv-del.

- - - - -
ad76abbc by Endi S. Dewata at 2020-12-08T15:16:02-06:00
Replace pki-server tps-db-vlv-del

The pki-server tps-db-vlv-del has been replaced with
pki-server <subsystem>-db-vlv-del.

- - - - -
d7f3b757 by Endi S. Dewata at 2020-12-08T20:20:22-06:00
Add SubsystemDBVLVReindexCLI

The code that rebuilds the VLV indexes in KRADBVLVReindexCLI
and TPSDBVLVReindexCLI has been converted into
SubsystemDBVLVReindexCLI.

- - - - -
f4161488 by Endi S. Dewata at 2020-12-08T20:20:29-06:00
Add pki-server <subsystem>-db-vlv-reindex

The pki-server <subsystem>-db-vlv-reindex has been added
to wrap SubsystemDBVLVReindexCLI.

- - - - -
94db8437 by Endi S. Dewata at 2020-12-08T20:20:30-06:00
Replace pki-server kra-db-vlv-reindex

The pki-server kra-db-vlv-reindex has been replaced with
pki-server <subsystem>-db-vlv-reindex.

- - - - -
52db8677 by Endi S. Dewata at 2020-12-08T20:20:31-06:00
Replace pki-server tps-db-vlv-reindex

The pki-server tps-db-vlv-reindex has been replaced with
pki-server <subsystem>-db-vlv-reindex.

- - - - -
57c1c13b by Endi S. Dewata at 2020-12-09T14:37:39-06:00
Replace KRADBCLI with SubsystemDBCLI

- - - - -
0852834b by Endi S. Dewata at 2020-12-09T14:37:40-06:00
Replace TPSDBCLI with SubsystemDBCLI

- - - - -
a341e97f by Endi S. Dewata at 2020-12-09T16:20:31-06:00
Fix CA install doc

- - - - -
a2836b4c by Endi S. Dewata at 2020-12-09T20:39:57-06:00
Refactor PKISubsystem.init_database() (part 1)

The options to set up database manager and VLV indexes in
PKISubsystem.init_database() have been removed since those
operations will be executed regardless of the options.

- - - - -
24f4f0a2 by Endi S. Dewata at 2020-12-09T20:40:33-06:00
Refactor PKISubsystem.init_database() (part 2)

The code that sets up database manager and VLV indexes
has been moved out of PKISubsystem.init_database().

- - - - -
6dbd65fa by dpuniaredhat at 2020-12-11T18:31:08+05:30
Bugzilla automation 1392616 kra key recovery cli generates .p12 file (#3409)

Signed-off-by: Deepak Punia <dpunia at redhat.com>

- - - - -
9eee5382 by Endi S. Dewata at 2020-12-14T12:04:55-06:00
Refactor NSSDatabase.addExtensions()

The NSSDatabase.addExtensions() has been modified to take
a temporary directory to store files containing the data
for the new extension being added.

- - - - -
e7a50c98 by Endi S. Dewata at 2020-12-14T12:04:55-06:00
Add support for OCSPNoCheckExtension in pki nss-cert

The NSSDatabase and NSSExtensionGenerator have been modified
to support OCSPNoCheckExtension such that pki nss-cert commands
can generate requests and certificates with this extension.

- - - - -
e00863f8 by Endi S. Dewata at 2020-12-14T12:04:55-06:00
Add support for ocspResponder extended key usage in pki nss-cert

- - - - -
e1bcc99f by Endi S. Dewata at 2020-12-14T12:04:55-06:00
Add --serial parameter for pki nss-cert-issue

The pki nss-cert-issue has been modified to provide an
optional parameter to specify a serial number for the
new certificate.

- - - - -
50a37f08 by Endi S. Dewata at 2020-12-14T12:04:55-06:00
Add cert extension configs for CA certs

- - - - -
4da75450 by Endi S. Dewata at 2020-12-14T12:04:55-06:00
Add test for installing CA with existing certs

- - - - -
94c82751 by Endi S. Dewata at 2020-12-14T13:29:43-06:00
Add PKISubsystem.configure_security_domain()

The code that configures the security domain parameters has
been moved into PKISubsystem.configure_security_domain().

- - - - -
c25b4380 by Endi S. Dewata at 2020-12-14T20:29:01-06:00
Fix SystemCertClient creation

The calls to SystemCertClient constructor have been modified
to provide the subsystem name. This is required to run the
healthcheck tool on a KRA installed separately from the CA.

- - - - -
592ad26b by Endi S. Dewata at 2020-12-14T20:29:01-06:00
Add test for installing KRA on separate instance

- - - - -
1d064b25 by Endi S. Dewata at 2020-12-16T08:54:13-06:00
Clean up CI tests

- - - - -
e1d79587 by Endi S. Dewata at 2020-12-16T08:55:41-06:00
Revert SystemCertClient changes

The commit c25b438024e4a0f3b6e91e359bd0aa34c25ea4e9 broke
IPA vault, so it has been reverted. The test for installing
KRA on a separate instance has been modified to disable the
healthcheck test.

- - - - -
0a7cb8d0 by Endi S. Dewata at 2020-12-17T09:46:39-06:00
Fix python3-pki dependency

The python3-pki package has been modified to depend on
python3-ldap since it is needed by pki Python module.

- - - - -
a82988e6 by Endi S. Dewata at 2020-12-17T10:16:43-06:00
Add log messages in MainCLI.loadPasswordConfig()

- - - - -
ac8f64a5 by Endi S. Dewata at 2020-12-17T10:53:04-06:00
Add log messages in PlainPasswordFile.init()

- - - - -
f6674677 by Christina Fu at 2020-12-21T15:40:02-05:00
Bug1664435-SCEP ChallengePassword Class not found

This patch, together with the fix for "Bug1908541 jss broke SCEP - missing PasswordChallenge class", addresses the issue where the class PasswordChallenge cannot be loaded due to Class Loader differences.
  jss is installed in the common CL (/usr/share/pki/server/common/lib/jss4.jar)
  the servlet classes are in webapp CL (/usr/share/pki/server/webapps/pki/WEB-INF/lib/pki-cms.jar)

In addition, this patch adds the upgrade script for the new path of ChallengePassword class which has been moved from pki into JSS.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1664435

- - - - -
27ddb1db by Endi S. Dewata at 2021-01-04T09:31:11-06:00
Fix log messages in MainCLI.loadPasswordConfig()

- - - - -
fd926efc by Endi S. Dewata at 2021-01-04T09:35:01-06:00
Replace sslserver variable in configuration.py

The variable that stores the SSL server cert info in configuration.py
has been replaced with a map that stores all system certs info.

- - - - -
f3070f31 by Endi S. Dewata at 2021-01-04T09:37:26-06:00
Refactor OCSPConfigurator.configureCloneRefresh()

The code that configures ocsp.store.defStore.refreshInSec param
in OCSPConfigurator.configureCloneRefresh() has been moved into
subsystem_layout.py.

- - - - -
14926872 by Endi S. Dewata at 2021-01-04T09:37:37-06:00
Refactor Configurator.getSubsystemCert()

The Configurator.getSubsystemCert() has been converted into
CASystemCertClient.getSubsystemCert().

- - - - -
fbe8be02 by Pritam Singh at 2021-01-04T13:13:45-05:00
Added_boolean_fix_for_fips_check

Signed-off-by: Pritam Singh <prisingh at redhat.com>

- - - - -
a400653b by Endi S. Dewata at 2021-01-04T13:04:43-06:00
Add pki nss-cert-show

The pki nss-cert-show has been added to display a cert in
NSS database.

- - - - -
35308631 by Endi S. Dewata at 2021-01-04T13:05:15-06:00
Add pki ca-cert-subsystem-show

The pki ca-cert-subsystem-show has been added to display the
subsystem cert in CA.

- - - - -
29bd3da1 by Endi S. Dewata at 2021-01-04T13:05:17-06:00
Add pki ca-cert-subsystem-export

The pki ca-cert-subsystem-show has been added to export the
subsystem cert in CA.

- - - - -
09a046a3 by Endi S. Dewata at 2021-01-04T13:24:21-06:00
Disable ipa-healthcheck test

The ipa-healthcheck has been failing due to this issue:
https://github.com/freeipa/freeipa-healthcheck/issues/163

The ipa-healthcheck test has temporarily been disabled to
allow other IPA tests to pass.

- - - - -
da0abd3d by Endi S. Dewata at 2021-01-04T13:24:53-06:00
Refactor Configurator.setupUser() (part 1)

The code that configures the groups for subsystem user in
Configurator.setupUser() has been moved into configuration.py.

- - - - -
3dbd56d4 by Endi S. Dewata at 2021-01-04T13:24:53-06:00
Refactor Configurator.setupUser() (part 2)

The code that configures the cert for subsystem user in
Configurator.setupUser() has been moved to configuration.py.

- - - - -
e0cd36af by Endi S. Dewata at 2021-01-04T13:24:53-06:00
Refactor Configurator.setupUser() (part 3)

The code that creates the subsystem user in
Configurator.setupUser() has been moved into configuration.py.

- - - - -
699b0bb7 by Endi S. Dewata at 2021-01-04T16:18:35-06:00
Clean up ipa-tests.yml

- - - - -
6f448d9a by Endi S. Dewata at 2021-01-05T11:29:00-06:00
Fix issuing CA configuration during installation

The configuration.py has been modified to store the issuing CA
parameters in all cases except when installing CA with external
certs and standalone KRA/OCSP. This is necessary to fix KRA
installation with external certs.

- - - - -
29d3423d by Endi S. Dewata at 2021-01-05T11:29:00-06:00
Add support for emailProtection extended key usage in pki nss-cert

- - - - -
cad7d4d5 by Endi S. Dewata at 2021-01-05T11:29:00-06:00
Add cert extension configs for KRA certs

- - - - -
5ccfa106 by Endi S. Dewata at 2021-01-05T11:29:00-06:00
Add test for installing KRA with external certs

- - - - -
7b461e5c by Endi S. Dewata at 2021-01-05T17:24:07-06:00
Add test for installing IPA clone

- - - - -
cebf2a70 by Endi S. Dewata at 2021-01-05T19:01:51-06:00
Fix preop.ca.pkcs7 for external and standalone installations

- - - - -
d1b91cc6 by Endi S. Dewata at 2021-01-06T19:38:08-05:00
Disable GPG check in CI

The GPG check has been disabled due to the following issue
during build dependency installation on F32:

Package libuv-1.40.0-1.fc32.x86_64.rpm is not signed
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

- - - - -
c3c1ea11 by Endi S. Dewata at 2021-01-06T21:01:37-06:00
Fix KRA/OCSP installation with external certs on HSM

Previously pkispawn did not update serverCertNick.conf during
KRA or OCSP installation with external certs or standalone
installation. If the SSL server cert was stored in HSM the file
would not have the token name so the installation would fail.

To fix the problem the deployment scriptlet has been modified
to store the SSL server cert nickname and token name in
serverCertNick.conf in all installation cases.

https://bugzilla.redhat.com/show_bug.cgi?id=1890639

- - - - -
41f5d031 by Alexander Scheel at 2021-01-07T15:35:10-05:00
Remove dependency on jakarta-commons-httpclient

This package has been deprecated in Fedora and isn't actually required
by our build system. Note that apache-commons-httpclient actually
provides the exception removed from PKIConnection; however,
ConnectTimeoutException inherits from IOException and thus is redundant.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c45a9407 by Endi S. Dewata at 2021-01-07T20:35:57-06:00
Clean up CA clone test

- - - - -
d9025c13 by Alexander Scheel at 2021-01-11T11:36:14-05:00
Update usage for CRMFPopClient -y option

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
28a262c6 by Alexander Scheel at 2021-01-11T11:36:23-05:00
Fix usage for CMCResponse -d

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a2a5ec19 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move KRAAdminServlet to pki-kra

- - - - -
27d9fc82 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move OCSPAdminServlet to pki-ocsp

- - - - -
f5afb573 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move get_cert_chain() into PKIDeployer

- - - - -
91f2aad1 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move get_cert_id() into PKIDeployer

- - - - -
b4b6a17f by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_system_cert_request() into PKIDeployer

- - - - -
0949ae9f by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Merge import_ca_signing_csr()

The import_ca_signing_csr() has been merged into
PKIDeployer.import_system_cert_request().

- - - - -
1ae81a84 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_system_cert_requests() into PKIDeployer

- - - - -
f1bfe6b8 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_ca_signing_cert() into PKIDeployer

- - - - -
93f20950 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_system_cert() into PKIDeployer

- - - - -
fb2f0598 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_admin_cert() into PKIDeployer

- - - - -
ce511ad8 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_certs_and_keys() into PKIDeployer

- - - - -
3894a262 by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_cert_chain() into PKIDeployer

- - - - -
d8af0f2b by Endi S. Dewata at 2021-01-11T11:32:19-06:00
Move import_system_certs() into PKIDeployer

- - - - -
5149e9b5 by Endi S. Dewata at 2021-01-11T11:53:06-06:00
Move configure_system_cert() into PKIDeployer

- - - - -
6feb9b51 by Endi S. Dewata at 2021-01-11T15:22:13-06:00
Move configure_system_certs() into PKIDeployer

- - - - -
96134d74 by Endi S. Dewata at 2021-01-11T15:22:55-06:00
Move update_system_cert() into PKIDeployer

- - - - -
86651f2d by Endi S. Dewata at 2021-01-11T15:26:59-06:00
Move update_admin_cert() into PKIDeployer

- - - - -
4e4a4b01 by Endi S. Dewata at 2021-01-11T15:27:01-06:00
Move update_system_certs() into PKIDeployer

- - - - -
733eedc0 by Endi S. Dewata at 2021-01-11T15:30:22-06:00
Move validate_system_cert() into PKIDeployer

- - - - -
d25ef1e7 by Endi S. Dewata at 2021-01-11T15:50:59-06:00
Move validate_system_certs() into PKIDeployer

- - - - -
85652776 by dpuniaredhat at 2021-01-13T16:03:51+05:30
upstream qe pipeline fixes (#3429)

Pipeline fixed in this MR
1. topo-03-kra-bugzilla
2. installation_podman_acme-dp

Signed-off-by: Deepak Punia <dpunia at redhat.com>

- - - - -
b4f617c8 by Endi S. Dewata at 2021-01-13T10:20:40-06:00
Add HSM support for pki nss-cert-request

- - - - -
29e2f729 by Endi S. Dewata at 2021-01-13T10:20:40-06:00
Add HSM support for pki nss-cert-issue

- - - - -
fed017dd by Endi S. Dewata at 2021-01-13T10:20:40-06:00
Add HSM support for pki nss-cert-import

- - - - -
e4be93e1 by Endi S. Dewata at 2021-01-13T10:20:40-06:00
Add test for PKI NSS CLI with and without HSM

- - - - -
7a2de9b7 by Endi S. Dewata at 2021-01-13T12:53:49-06:00
Add test for installing OCSP with external certs

- - - - -
cd35b81c by Endi S. Dewata at 2021-01-13T12:54:29-06:00
Add test for installing ACME

- - - - -
ed1bbbde by Endi S. Dewata at 2021-01-13T12:55:02-06:00
Add test for installing KRA clone

- - - - -
130b5af4 by Endi S. Dewata at 2021-01-13T14:05:43-06:00
Remove unused SystemConfigClient

- - - - -
41784233 by Endi S. Dewata at 2021-01-13T14:05:43-06:00
Remove unused CertificateInfo.updateConfig()

- - - - -
75d89311 by Endi S. Dewata at 2021-01-13T14:05:43-06:00
Remove unused param in OCSPSigningUnit.init()

- - - - -
44b59dab by Endi S. Dewata at 2021-01-13T14:05:43-06:00
Remove unused SystemConfigResource

- - - - -
db3fca20 by Endi S. Dewata at 2021-01-13T16:46:05-06:00
Clean up CA clone test

- - - - -
5febfb6d by Endi S. Dewata at 2021-01-13T16:46:05-06:00
Clean up KRA clone test

- - - - -
f33259ae by Endi S. Dewata at 2021-01-13T16:48:40-06:00
Clean up IPA clone test

- - - - -
05057f7c by root at 2021-01-14T10:18:59-05:00
Modify PKI to use RSA-OAEP wrapping alg for RSA keys.

This first cut is a simple reworking of any instances of
RSA wrapping in the code to use RSA-OAEP.

Code tested to work in software. Using an hsm, several
issues occur with respect to wrapping using AES sym keys
to wrap and unwrap RSA private keys.

This first attempt is to get the basic code out for review.
Subsequently, we can refine some of this code to allow things
to work better with the hardware hsm.

Make OAEP configurable.

- - - - -
950bf76d by Alexander Scheel at 2021-01-14T10:40:36-05:00
Remove additional lines from CRMFPopClient usage

Resolves: rh-bz#1584550

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
03981b0c by Chandan Pinjani at 2021-01-18T14:10:29+05:30
Added BZ Automation for 1590942 & 1584550 (#3431)

[skip-ci]

Signed-off-by: Chandan Pinjani <cpinjani at redhat.com>

Co-authored-by: Chandan Pinjani <cpinjani at redhat.com>

- - - - -
7985861c by Endi S. Dewata at 2021-01-19T11:23:35-06:00
Fix indentations in qe-tests.yml

- - - - -
c2c8f9bd by Endi S. Dewata at 2021-01-19T11:23:37-06:00
Update upload/download actions in qe-tests.yml

- - - - -
b1985fbe by Endi S. Dewata at 2021-01-20T09:38:48+10:00
Add persistent option for ACME nonces

Previously ACME nonces were stored in the ACME database, which
could generate a lot of database traffic and might not work
well in a clustered environment due to replication latency.

To address the performance issue, the ACME engine has been
modified to store the nonces in memory by default, and provide
an option to store the nonces in the database if necessary.

The replication latency issue should be addressed using other
mechanisms (e.g. using static base URL in ACME directory).

- - - - -
8fcc847f by Endi S. Dewata at 2021-01-19T18:12:01-06:00
Consolidate CI runner container build

The GitHub workflows have been modified to build the CI runner
container in the build job instead of test jobs.

- - - - -
dd3b5399 by gswami90 at 2021-01-20T13:18:47+05:30
Added test automation for BZ 1664435 (#3428)

Signed-off-by: Gaurav Swami <gswami at redhat.com>

- - - - -
ab8561c6 by Pritam Singh at 2021-01-20T17:44:23+05:30
Added_bz_1912493_automation (#3437)

[skip ci]

Signed-off-by: Pritam Singh <prisingh at redhat.com>

Co-authored-by: Pritam Singh <prisingh at redhat.com>

- - - - -
15b6771c by Endi S. Dewata at 2021-01-21T13:29:24-06:00
Add pki-server acme-deploy/undeploy --wait option

A new option has been added to pki-server acme-deploy/undeploy
commands to wait until ACME web application is actually
deployed/undeployed on the server. This option can be used to
prevent the subsequent command from executing before the ACME
deployment/undeployment is complete. The CI test has been updated
to use this option to improve its reliability.

- - - - -
35c19805 by Matouš Borák at 2021-01-21T15:49:58-08:00
SCEP: Add support for dynamically chosen profileId

Community contribution (two patches combined):

From: Matouš Borák <matous.borak at platanus.cz>
Date: Wed, 12 Aug 2020 15:57:31 +0200
Subject: [PATCH 1&2] Add support for dynamically chosen ProfileId in SCEP

This is implemented via a new URL, /ca/scep/PROFILE_ID/pkiclient.exe, that allows the profile to be chosen dynamically via the SCEP request URL.

This URL is mapped to the same CRSEnrollment servlet class as the "static" profile URL (/ca/cgi-bin/pkiclient.exe). The implementation tries not to collide with the original "static" version in any way but to only extend it.

In addition:
A SCEP client will be able to request a SCEP operation only for the allowed list of profiles, see the `ca.scep.allowedDynamicProfileIds` config item in CS.cfg.

Usage: http://dogtag.example.com:8080/ca/scep/<PROFILE_ID>/pkiclient.exe

ladycfu: original two patches from borama must be accompanied by supplemental
post-review patch (from cfu at redhat.com) that follows to address various issues.

Signed-off-by: Christina Fu <cfu at redhat.com>

- - - - -
a8472653 by Christina Fu at 2021-01-21T15:49:58-08:00
SCEP: supplemental patch for Add support of Dynamic profileId

This patch addresses issues revealed by review of previous community patches
in "SCEP: Add support for dynamically chosen profileId".
This patch must accompany the original patches, and as such it will be checked
in along with them.

Changes include:
 - mainly, profiles intended for manual approval by agents will now function as
   expected.
 - caServerCert is removed from default setting for allowedDynamicProfileIds
 - misc code style update

- - - - -
0afd0b5f by Endi S. Dewata at 2021-01-22T10:08:47-06:00
Add ACME test using certbot

The ACME test has been modified to perform certificate enrollment,
certificate revocation, and account management using certbot.

- - - - -
b1ec8540 by Endi S. Dewata at 2021-01-25T08:58:55-06:00
Move Instance.wait_for_startup() to PKISubsystem

- - - - -
4dc01883 by Endi S. Dewata at 2021-01-25T10:24:22-06:00
Refactor PKIDeployer.finalize_subsystem()

Some of the code that finalizes subsystem configuration has been
moved from configuration.py to PKIDeployer.finalize_subsystem().

- - - - -
788aca27 by Endi S. Dewata at 2021-01-25T10:24:22-06:00
Remove unused ConfigClient.security_domain_type

- - - - -
0429747f by Endi S. Dewata at 2021-01-25T10:24:22-06:00
Add KRAConnectorInfo.hashCode() and equals()

- - - - -
9aab73f1 by Endi S. Dewata at 2021-01-25T10:24:22-06:00
Add XML converters for KRAConnectorInfo

- - - - -
48531a59 by Endi S. Dewata at 2021-01-25T11:14:08-06:00
Clean up IPA test

The code that installs and uninstalls IPA server has been
moved from ipa-test.sh to ipa-tests.yml.

- - - - -
610135eb by Endi S. Dewata at 2021-01-25T13:28:19-06:00
Fix security domain tools

The pki-server sd-* commands have been moved into
pki-server <ca/kra/ocsp>-* such that they can be used to
create the security domain properly in CA, KRA, and OCSP.

- - - - -
d6676bf7 by Endi S. Dewata at 2021-01-25T13:28:19-06:00
Fix PKIDeployer.setup_admin()

The PKIDeployer.setup_admin() has been modified to use
the proper admin groups for CA, KRA, and OCSP.

- - - - -
325eea1f by Endi S. Dewata at 2021-01-25T13:28:19-06:00
Add test for standalone KRA

- - - - -
82705993 by Endi S. Dewata at 2021-01-25T13:28:19-06:00
Add test for standalone OCSP

- - - - -
45c5e1f4 by Endi S. Dewata at 2021-01-25T16:40:25-06:00
Add CAClient.addKRAConnector()

The code that creates the KRA connector in CA has been
moved from KRAConfigurator.configureKRAConnector() to
CAClient.addKRAConnector().

- - - - -
621137ab by Endi S. Dewata at 2021-01-25T16:56:05-06:00
Update pki ca-kraconnector-add

The pki ca-kraconnector-add has been modified to provide
a mechanism to call CAClient.addKRAConnector().

- - - - -
c24c5484 by Endi S. Dewata at 2021-01-25T16:56:05-06:00
Add PKIDeployer.add_kra_connector()

The remaining code that creates the KRA in CA has been
converted from KRAConfigurator.configureKRAConnector()
into PKIDeployer.add_kra_connector().

- - - - -
28db4983 by Endi S. Dewata at 2021-01-25T19:49:26-06:00
Add CAClient.addOCSPPublisher()

Some of the code that creates the OCSP publisher in CA has
been moved from OCSPConfigurator.updateOCSPConfiguration()
to CAClient.addOCSPPublisher().

- - - - -
684d643f by Endi S. Dewata at 2021-01-25T20:18:59-06:00
Add pki ca-publisher-ocsp-add

The pki ca-publisher-ocsp-add has been added to provide
a CLI for CAClient.addOCSPPublisher().

- - - - -
3b8a63aa by Endi S. Dewata at 2021-01-25T20:18:59-06:00
Add PKIDeployer.add_ocsp_publisher()

The remaining code that creates the OCSP publisher in CA has
been converted from OCSPConfigurator.updateOCSPConfiguration()
into PKIDeployer.add_ocsp_publisher().

- - - - -
11c28798 by Endi S. Dewata at 2021-01-26T09:38:26-06:00
Move key backup operation

The PKIDeployer.backup_keys() invocation has been moved
from configuration.py to finalization.py.

- - - - -
8a444da0 by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Refactor IOCSPStore.validate()

The IOCSPStore.validate() has been modified to take an
IOCSPAuthority parameter.

- - - - -
8be9037f by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Refactor IOCSPStore.init()

The IOCSPStore.init() has been modified to drop the
IOCSPAuthority parameter.

- - - - -
162aef5c by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move IOCSPAuthority.getOCSPStore() to OCSPAuthority

- - - - -
67f470e8 by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move IOCSPAuthority.getDefStore() to OCSPAuthority

- - - - -
9a2faebe by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move LDAPStore to pki-ocsp

- - - - -
e8c03476 by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move DefStore to pki-ocsp

- - - - -
4d7aad46 by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move IDefStore to pki-ocsp

- - - - -
5dd68016 by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move IOCSPStore to pki-ocsp

- - - - -
9547a392 by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move OCSPPresence to pki-ocsp

- - - - -
1c6f9cda by Endi S. Dewata at 2021-01-26T11:10:13-06:00
Move OCSPValidity to pki-ocsp

- - - - -
3bf3fccf by Endi S. Dewata at 2021-01-26T14:57:01-06:00
Fix profile auth in PKIIssuer.issueCertificate()

In commit 1b6b426ad4724e2f9595340027482a0a36fc3655 the
PKIClient.login() was removed from PKIIssuer.issueCertificate()
and that caused enrollments with a profile that requires
authentication to fail.

To fix the problem the PKIClient.login() has been restored.

https://bugzilla.redhat.com/show_bug.cgi?id=1919282

- - - - -
882e81f2 by Endi S. Dewata at 2021-01-26T14:57:01-06:00
Add ACME tests for IPA

The IPA test has been modified to perform ACME tests
using certbot.

- - - - -
3ce1d7e3 by Endi S. Dewata at 2021-01-26T14:59:42-06:00
Fix exception handling in EnrollProfile.createEnrollmentRequest()

- - - - -
b03a460c by Endi S. Dewata at 2021-01-26T14:59:42-06:00
Replace CMSEngine.reinit()

The CMSEngine.reinit() has been replaced with a direct call
to ISubsystem.init().

- - - - -
1f23b0f7 by Endi S. Dewata at 2021-01-28T18:40:21-06:00
Add test for installing TKS clone

- - - - -
537fb8ed by Endi S. Dewata at 2021-01-29T17:46:16-06:00
Fix clone of clone installation

In commit e0b249636e2ea24d3d0633e65bf1d6e0a3dbd35f the
CMSEngine.configurePorts() invocation was moved later
during server startup process. It's not clear how, but
apparently the cert number range assignment depends on
this code so it failed when installing a clone of an
existing clone.

To fix the problem the invocation has been moved back
into its original position.

Resolves: https://github.com/dogtagpki/pki/issues/3330

- - - - -
4498b6b7 by Endi S. Dewata at 2021-01-29T17:46:16-06:00
Add test for installing CA clone of clone

- - - - -
26508cba by Endi S. Dewata at 2021-01-29T17:46:16-06:00
Add test for installing KRA clone of clone

- - - - -
b05ce69b by Endi S. Dewata at 2021-01-29T19:36:21-06:00
Clean up CA test

- - - - -
c1639c9c by Endi S. Dewata at 2021-01-29T19:36:21-06:00
Clean up KRA test

- - - - -
e29cf869 by Endi S. Dewata at 2021-02-01T11:46:02-06:00
Add ACME base URL parameter

By default the ACME directory will return ACME service URLs
with the same hostname that the client uses to access the
directory. If the hostname is load-balanced, the client might
get redirected to different servers, which could trigger other
issues.

A new parameter has been added into engine.conf to override
the base URL of ACME services. This mechanism can be used to
pin the client to the current server.

- - - - -
cf686780 by Endi S. Dewata at 2021-02-01T11:46:02-06:00
Add ACME server switchover test

- - - - -
889169c3 by Endi S. Dewata at 2021-02-01T16:16:26-06:00
Fixed error handling during replica setup

Originally the LDAPConfigurator.createReplicaObject() would
return true if it managed to add a new replica object. If the
object already existed, it would only add the new replica bind
DN and return false. If an error happened it would get ignored
and the method would return false as well.

In 4abfdc77508545fb90ef127fbbf373ae1609d705 the behavior
accidentally got changed to return true if the replica object
already exists, and this caused OCSP and TKS clone of clone
installation to fail.

To fix the problem the behavior has been reverted except that
now any error will be reported as an exception.

https://bugzilla.redhat.com/show_bug.cgi?id=1912418

- - - - -
505fbd92 by Endi S. Dewata at 2021-02-01T16:16:26-06:00
Add test for installing OCSP clone

- - - - -
8bfb53f3 by Endi S. Dewata at 2021-02-01T16:16:26-06:00
Add test for installing OCSP clone of clone

- - - - -
15dff4e9 by Endi S. Dewata at 2021-02-01T16:16:26-06:00
Add test for installing TKS clone of clone

- - - - -
05b79de3 by Endi S. Dewata at 2021-02-01T17:37:53-06:00
Add PKIDeployer.setup_system_certs()

The code that sets up the system certificates has been
moved into PKIDeployer.setup_system_certs().

- - - - -
37e738dd by Endi S. Dewata at 2021-02-01T17:37:57-06:00
Add PKIDeployer.setup_subsystem_user()

The code that sets up the subsystem user has been moved
into PKIDeployer.setup_subsystem_user().

- - - - -
3f6264d7 by Endi S. Dewata at 2021-02-01T17:37:57-06:00
Refactor PKIDeployer.sd_connect()

The PKIDeployer.sd_connect() has been modified to use
the security domain URL parameter from the deployment
configuration.

- - - - -
661a055d by Endi S. Dewata at 2021-02-01T17:37:57-06:00
Refactor PKIDeployer.join_domain()

The PKIDeployer.join_domain() has been renamed to
join_security_domain() and modified to use the security
domain URL parameter from the deployment configuration.

- - - - -
aedf9384 by Endi S. Dewata at 2021-02-01T17:37:57-06:00
Refactor PKISubsystem.join_security_domain()

The PKISubsystem.join_security_domain() has been modified
to take a security domain URL parameter.

- - - - -
6b56f40a by Endi S. Dewata at 2021-02-01T17:40:49-06:00
Update CA clone doc

- - - - -
c294425a by Endi S. Dewata at 2021-02-01T17:40:49-06:00
Update KRA clone doc

- - - - -
5abeb0ef by Endi S. Dewata at 2021-02-02T10:20:12-06:00
Rename pki ca-kraconnector-add --session-file option

- - - - -
7faa7347 by Endi S. Dewata at 2021-02-02T10:20:21-06:00
Rename pki ca-publisher-ocsp-add --session-file option

- - - - -
0d3b8855 by Endi S. Dewata at 2021-02-02T10:20:30-06:00
Add pki <subsystem>-range-request --install-token option

- - - - -
f216c59c by Endi S. Dewata at 2021-02-02T10:20:37-06:00
Add pki <subsystem>-config-export --install-token option

- - - - -
b16f7efd by Endi S. Dewata at 2021-02-02T10:20:43-06:00
Add pki securitydomain-join --install-token option

- - - - -
c744c5f5 by Rob Crittenden at 2021-02-04T09:07:42-05:00
Fix missing options in PKI healthcheck

As reported by Pritam Singh in rh-bz#1922257, several options in
pki-healthcheck were missing. This was due to a recent change in
freeipa-healthcheck's core, making these arguments optional. Fix
provided by Rob Crittenden via mail.

See also: https://github.com/freeipa/freeipa-healthcheck/issues/144
Resolves: rh-bz#1922257

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
33b06e95 by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Fix calculation in test_cert_enrollment.py

The test_cert_enrollment.py has been modified to use float
instead of int when calculating the elapsed time for better
accuracy.

- - - - -
544859b5 by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Add default values for test_cert_enrollment.py parameters

Some parameters for test_cert_enrollment.py have been modified
to provide a default value to make it easier to use.

- - - - -
6f778fb9 by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Update log messages in test_cert_enrollment.py

The test_cert_enrollment.py has been modified to provide
--verbose and --debug options to show the test progress
and some debugging information.

- - - - -
ea910e89 by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Fix calculation in test_acme_cert_enrollment.py

The test_acme_cert_enrollment.py has been modified to use
float instead of int when calculating the elapsed time for
better accuracy.

- - - - -
c6a34a9e by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Add default values for test_acme_cert_enrollment.py parameters

The parameters for test_acme_cert_enrollment.py have been
modified to provide a default value to make it easier to use.

- - - - -
76ac8fdf by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Update log messages in test_acme_cert_enrollment.py

The test_acme_cert_enrollment.py has been modified to provide
--verbose and --debug options to show the test progress and
some debugging information.

- - - - -
eedf3b01 by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Add performance tests scripts into pki-tests

- - - - -
a3f8963b by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Add doc for CA performance test

- - - - -
f26ac448 by Endi S. Dewata at 2021-02-04T11:33:52-06:00
Add doc for ACME performance test

- - - - -
356fbc54 by Endi S. Dewata at 2021-02-04T12:18:34-06:00
Add CLI.deprecated field

The CLI.deprecated field has been added for deprecating
CLI commands.

- - - - -
1c8bb363 by Endi S. Dewata at 2021-02-04T12:18:36-06:00
Refactor Configurator.registerUser()

Some of the code in Configurator.registerUser() has been moved
to the caller.

- - - - -
fa9ff7e8 by Endi S. Dewata at 2021-02-04T15:37:10-06:00
Move Configurator.registerUser() to SubsystemClient

- - - - -
500f913f by Endi S. Dewata at 2021-02-04T15:37:10-06:00
Refactor TPSConfigurator.configureCAConnector()

The TPSConfigurator.configureCAConnector() has been converted
into Python in configuration.py.

- - - - -
dafa0f08 by Endi S. Dewata at 2021-02-04T15:37:10-06:00
Refactor TPSConfigurator.configureTKSConnector()

The TPSConfigurator.configureTKSConnector() has been converted
into Python in configuration.py.

- - - - -
54e9610f by Endi S. Dewata at 2021-02-04T15:37:10-06:00
Refactor TPSConfigurator.configureKRAConnector()

The TPSConfigurator.configureKRAConnector() has been converted
into Python in configuration.py.

- - - - -
13f9757a by Endi S. Dewata at 2021-02-04T15:37:10-06:00
Remove unused TPSInstaller

- - - - -
94332c72 by Endi S. Dewata at 2021-02-04T15:37:10-06:00
Refactor TPSConfigurator.exportTransportCert()

Some of the code in TPSConfigurator.exportTransportCert()
has been moved to the caller.

- - - - -
33ee01a3 by Endi S. Dewata at 2021-02-04T15:37:10-06:00
Move TPSConfigurator.exportTransportCert() to TKSClient

- - - - -
f699f704 by Endi S. Dewata at 2021-02-04T17:24:48-06:00
Fix TPS clone installation

The TPS clone installation has been fixed by adding
the GetConfigEntries servlet into TPS's web.xml.

Resolves: https://github.com/dogtagpki/pki/issues/1841

- - - - -
23c3d215 by Endi S. Dewata at 2021-02-04T17:24:48-06:00
Add test for installing TPS clone

- - - - -
4b7eacd3 by Endi S. Dewata at 2021-02-08T12:48:55-06:00
Fix PKIClient usage in PKIIssuer

The PKIIssuer has been modified to close PKIClient objects
explicitly using try-with-resources to avoid excessive open
connections.

https://bugzilla.redhat.com/show_bug.cgi?id=1916686

- - - - -
4778bc80 by Endi S. Dewata at 2021-02-08T12:48:55-06:00
Add SessionAuthentication for acmeServerCert

The acmeServerCert profile has been modified to use
SessionAuthentication instead of manual agent approval
to improve ACME cert enrollment performance.

https://bugzilla.redhat.com/show_bug.cgi?id=1916686

- - - - -
e6f04b3c by Endi S. Dewata at 2021-02-08T12:48:55-06:00
Add ACME indexes for DS

Currently ACME indexes are defined in the CA's index.ldif so
when the CA is created the ACME indexes will be created as
well in the same DS backend. However, if later the ACME is
installed on a different DS backend, the ACME indexes need to
be created in that backend instead.

To simplify the installation process a new index.ldif has been
added to define the ACME indexes for DS. A new indextask.ldif
has been added as well to reindex an existing database.

In the future the ACME indexes may be removed from the CA's
index.ldif.

https://bugzilla.redhat.com/show_bug.cgi?id=1916686

- - - - -
a3234cdd by Alexander Scheel at 2021-02-08T14:23:54-05:00
Add RSA-OAEP support to SecurityDataProcessor

org.mozilla.jss.netscape.security.util.WrappingParams in JSS has a
shortcoming that it believes all RSA is RSA-PKCS1v1.5 and additionally,
that anything that isn't an EC key is RSA. :-)

Read the value of keyWrap.useOAEP to determine whether to override the
secret key wrapping algorithm with OAEP, prior to using and storing the
wrapping parameters.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f63a88b4 by Alexander Scheel at 2021-02-08T14:23:54-05:00
Make CryptoUtil respect FIPS Status

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
4ee16689 by Alexander Scheel at 2021-02-08T14:23:54-05:00
Add OAEP support to pki client-cert-request

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d3db4209 by Endi S. Dewata at 2021-02-08T17:54:49-06:00
Remove TPSConfigurator.getTransportCert()

The TPSConfigurator.getTransportCert() has been replaced
with KRASystemCertClient.getTransportCert().

- - - - -
7d02b510 by Endi S. Dewata at 2021-02-08T18:11:26-06:00
Add pki tks-cert-transport-import

The pki tks-cert-transport-import has been added to wrap
TKSClient.importTransportCert().

- - - - -
8fffc1b1 by Endi S. Dewata at 2021-02-08T18:11:26-06:00
Add PKIDeployer.get_kra_transport_cert()

The PKIDeployer.get_kra_transport_cert() has been added
to wrap pki kra-cert-transport-export.

- - - - -
8047e3b4 by Endi S. Dewata at 2021-02-08T18:14:56-06:00
Add PKIDeployer.set_tks_transport_cert()

The PKIDeployer.set_tks_transport_cert() has been added to
wrap pki tks-cert-transport-import.

- - - - -
e3b33ba4 by Endi S. Dewata at 2021-02-08T18:14:56-06:00
Refactor TKS transport cert configuration

The code that configures the TKS transport cert has been
moved into PKIDeployer.finalize_subsystem().

- - - - -
c3edb455 by Endi S. Dewata at 2021-02-08T18:19:03-06:00
Refactor pki <subsystem>-user-add

The pki <subsystem>-user-add has been modified to support
calling SubsystemClient.addUser() during installation.

- - - - -
7c95db42 by Endi S. Dewata at 2021-02-08T18:20:26-06:00
Add PKIDeployer.add_subsystem_user()

The PKIDeployer.add_subsystem_user() has been added to
wrap pki <subsystem>-user-add.

- - - - -
f8bb2a1d by Endi S. Dewata at 2021-02-08T18:20:26-06:00
Refactor TPS registration

The code that creates the CA, KRA, and TKS connectors during
TPS installation has been moved into PKIDeployer.

- - - - -
5c33b083 by Endi S. Dewata at 2021-02-08T18:20:26-06:00
Remove unused Configurator.getSubsystemCert()

- - - - -
6dd8a49e by Endi S. Dewata at 2021-02-09T09:50:33-06:00
Refactor PKIDeployer.setup_admin()

The PKIDeployer.setup_admin() has been split into
get_admin_cert() and setup_admin_user().

- - - - -
9899e298 by Endi S. Dewata at 2021-02-09T09:50:38-06:00
Refactor pki_import_admin_cert setup

- - - - -
23eff335 by Endi S. Dewata at 2021-02-09T11:17:30-06:00
Add PKIDeployer.load_admin_cert()

The code in ConfigClient.set_admin_parameters() that loads the
admin cert has been moved to PKIDeployer.load_admin_cert().

- - - - -
731e3b37 by Endi S. Dewata at 2021-02-09T11:17:30-06:00
Add PKIDeployer.create_admin_cert()

The code in ConfigClient.set_admin_parameters() that creates
the admin cert has been moved to PKIDeployer.create_admin_cert().

- - - - -
64184418 by Endi S. Dewata at 2021-02-09T11:17:30-06:00
Remove redundant AdminSetupRequest.importAdminCert

The AdminSetupRequest.importAdminCert will no longer have
the value 'true', so the code that depends on it has
been removed.

- - - - -
25798ad7 by Endi S. Dewata at 2021-02-09T11:17:30-06:00
Remove unused fields in AdminSetupRequest

- - - - -
88d1837a by Endi S. Dewata at 2021-02-09T14:08:56-06:00
Refactor Configurator.createRemoteAdminCert()

Some of the code in Configurator.createRemoteAdminCert()
has been moved to the caller.

- - - - -
2d52e542 by Endi S. Dewata at 2021-02-09T14:08:56-06:00
Move Configurator.createRemoteAdminCert() to CACertClient

- - - - -
1a47986d by Endi S. Dewata at 2021-02-09T14:08:56-06:00
Update pki ca-cert-request-submit

The pki ca-cert-request-submit has been added to wrap
CACertClient.submitRequest().

- - - - -
7030bea1 by Endi S. Dewata at 2021-02-09T14:08:56-06:00
Add PKIDeployer.create_admin_csr()

The code that generates the admin CSR has been moved
to PKIDeployer.create_admin_csr().

- - - - -
e9842803 by Endi S. Dewata at 2021-02-09T15:33:43-06:00
Add PKIDeployer.request_admin_cert()

The code that requests the admin cert from the CA has been
moved to PKIDeployer.request_admin_cert().

- - - - -
7499f968 by Endi S. Dewata at 2021-02-10T16:09:57-06:00
Remove unused IDBSSession.getDBSubsystem()

- - - - -
df58faeb by Endi S. Dewata at 2021-02-10T17:49:21-06:00
Refactor DBSubsystem.init()

The DBSubsystem.init() has been modified to take a
DatabaseConfig, a PKISocketConfig, and an IPasswordStore.

- - - - -
f7bbbb8c by Endi S. Dewata at 2021-02-10T17:50:36-06:00
Refactor IOCSPStore.init()

The IOCSPStore.init() has been modified to take a DBSubsystem
parameter.

- - - - -
8feaa991 by Endi S. Dewata at 2021-02-10T17:56:02-06:00
Move IOCSPStore.validate() to OCSPAuthority

- - - - -
918987c7 by Endi S. Dewata at 2021-02-10T17:56:02-06:00
Refactor CAConfigurator.createLocalCert()

Some of the code in CAConfigurator.createLocalCert() has
been moved to the caller.

- - - - -
82b0f76d by Endi S. Dewata at 2021-02-10T18:02:45-06:00
Replace CAConfigurator.createLocalAdminCert()

The CAConfigurator.createLocalAdminCert() has been replaced
with CAConfigurator.createLocalCert().

- - - - -
e730e179 by Endi S. Dewata at 2021-02-10T18:02:48-06:00
Refactor Configurator.loadCert()

Some of the code in Configurator.loadCert() has been moved
to the caller.

- - - - -
024eeeba by Endi S. Dewata at 2021-02-10T18:02:48-06:00
Replace CertUtils.createRemoteCert()

The CertUtils.createRemoteCert() has been replaced with
CACertClient.submitRequest().

- - - - -
57651ca3 by Endi S. Dewata at 2021-02-11T09:26:22-06:00
Add CLIModule

The CLIModule has been added to store the CLI class name
such that the CLI object can be created only when needed.

- - - - -
df4734d7 by Endi S. Dewata at 2021-02-11T09:26:24-06:00
Move pki-server ca classes to pki-ca

- - - - -
9ebcf321 by Endi S. Dewata at 2021-02-11T09:26:26-06:00
Move pki-server kra classes to pki-kra

- - - - -
092760ef by Endi S. Dewata at 2021-02-11T09:26:29-06:00
Move pki-server ocsp classes to pki-ocsp

- - - - -
1e2f0605 by Endi S. Dewata at 2021-02-11T09:26:30-06:00
Move pki-server tks classes to pki-tks

- - - - -
4cc7b9f6 by Endi S. Dewata at 2021-02-11T09:26:47-06:00
Move pki-server tps classes to pki-tps

- - - - -
e4311673 by Alexander Scheel at 2021-02-11T12:43:03-05:00
Only depend on pki-servlet-engine in real RHEL

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
6450d3de by Endi S. Dewata at 2021-02-11T17:28:44-06:00
Exclude node_modules from Eclipse project

- - - - -
d92efa39 by Endi S. Dewata at 2021-02-11T19:29:47-06:00
Add OCSPCRLIssuingPointFindCLI

The OCSPCRLIssuingPointFindCLI has been added to list
the CRL issuing points in OCSP.

- - - - -
0c3f7e05 by Endi S. Dewata at 2021-02-11T19:29:47-06:00
Add pki-server ocsp-crl-issuingpoint-find

The pki-server ocsp-crl-issuingpoint-find has been added
to wrap OCSPCRLIssuingPointFindCLI.

- - - - -
eb166fee by Endi S. Dewata at 2021-02-11T19:29:47-06:00
Clean up tools tests

- - - - -
1add419d by Endi S. Dewata at 2021-02-16T09:25:42-06:00
Fix exception message in PKIServer.webapp_undeploy()

- - - - -
6ac853db by Endi S. Dewata at 2021-02-16T10:56:57-06:00
Add pki <subsystem>-deploy/undeploy

The ACMEDeployCLI and ACMEUndeployCLI have been converted
into generic SubsystemDeployCLI and SubsystemUndeployCLI
that can be used by all subsystems.

- - - - -
79280447 by Endi S. Dewata at 2021-02-16T10:56:57-06:00
Add --wait option for pki-server webapp-deploy/undeploy

The pki-server webapp-deploy/undeploy commands have been
modified to provide an option to wait until the process
is fully completed.

- - - - -
a2e57fd9 by Endi S. Dewata at 2021-02-16T10:56:57-06:00
Add --wait option for pki-server start/stop/restart

The pki-server start/stop/restart commands have been
modified to provide an option to wait until the process
is fully completed.

- - - - -
753ae78f by Endi S. Dewata at 2021-02-17T08:50:41-06:00
Add OCSPCRLIssuingPointAddCLI

The code that creates a CRL issuing point in
OCSPConfigurator.finalizeConfiguration() has been
converted into OCSPCRLIssuingPointAddCLI.

- - - - -
360dc97b by Endi S. Dewata at 2021-02-17T08:50:41-06:00
Add pki-server ocsp-crl-issuingpoint-add

The pki-server ocsp-crl-issuingpoint-add has been added
to call OCSPSubsystem.add_crl_issuing_point() which wraps
OCSPCRLIssuingPointAddCLI.

- - - - -
6e868102 by Endi S. Dewata at 2021-02-17T08:50:41-06:00
Refactor OCSP CRL issuing point creation

The code that creates the CRL issuing point in
OCSPConfigurator.finalizeConfiguration() has been
replaced with OCSPSubsystem.add_crl_issuing_point().

- - - - -
d88c48fe by Matouš Borák at 2021-02-17T10:12:14-08:00
Add the GetCACaps operation handling to the SCEP servlet

- - - - -
16e4cad4 by Christina Fu at 2021-02-17T10:12:14-08:00
SCEP - supplemental patch for Add the GetCACaps operation handling to the SCEP servlet

This is a supplemental patch for the previous community-contributed patch from borama:
  Add the GetCACaps operation handling to the SCEP servlet

It can be used like the following:
curl http://<host>/ca/cgi-bin/pkiclient.exe?operation=GetCACaps

It removes the claim for support of "POST" request until the patch for
that is approved for check in.

- - - - -
6abb56f3 by Endi S. Dewata at 2021-02-17T12:58:13-06:00
Add test for tpsclient

The TPS test has been modified to verify token format and
token enrollment operations using tpsclient.

- - - - -
8a78fa07 by Endi S. Dewata at 2021-02-17T13:57:23-06:00
Add --no-ntp in IPA tests

NTP is not necessary for testing IPA in containers
so it has been disabled.

- - - - -
137d7728 by Endi S. Dewata at 2021-02-17T18:04:45-06:00
Remove unused base/tps-client/setup

- - - - -
4013f6f7 by Endi S. Dewata at 2021-02-17T18:04:45-06:00
Remove unused base/tps-client/etc

- - - - -
23f507ab by Endi S. Dewata at 2021-02-17T18:04:45-06:00
Remove unused base/tps-client/apache

- - - - -
eb5479a5 by Endi S. Dewata at 2021-02-17T18:04:45-06:00
Remove unused base/tps-client/ui

- - - - -
d72b17dd by Endi S. Dewata at 2021-02-17T18:04:45-06:00
Remove unused base/tps-client/stubs

- - - - -
de17f693 by Endi S. Dewata at 2021-02-17T18:04:45-06:00
Remove unused base/tps-client/applets

- - - - -
4a71173d by Endi S. Dewata at 2021-02-17T18:04:45-06:00
Remove unused base/tps-client/doc

- - - - -
3f9fc7b9 by Endi S. Dewata at 2021-02-17T18:22:37-06:00
Remove unused SystemConfigService.finalizeConfiguration()

- - - - -
e20ae778 by Endi S. Dewata at 2021-02-17T18:22:37-06:00
Remove unused FinalizeConfigRequest

- - - - -
b0831d2e by Endi S. Dewata at 2021-02-17T18:26:10-06:00
Remove unused ConfigClient.set_tps_parameters()

- - - - -
1e3f2cd1 by dependabot[bot] at 2021-02-22T11:28:04-06:00
Bump jackson-databind from 2.10.1 to 2.10.5.1

Bumps [jackson-databind](https://github.com/FasterXML/jackson) from 2.10.1 to 2.10.5.1.
- [Release notes](https://github.com/FasterXML/jackson/releases)
- [Commits](https://github.com/FasterXML/jackson/commits)

Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
c35bb9b5 by Endi S. Dewata at 2021-02-22T11:44:01-06:00
Update doc for installing PostgreSQL JDBC driver

- - - - -
95cfaa8d by Christina Fu at 2021-02-22T10:50:49-08:00
userOAEP erroneously enabled in ServerKeygenUserKeyDefault.java

This patch fixes an error in ServerKeygenUserKeyDefault.java where
userOAEP is erroneously enabled regardless of the CS.cfg config setting
for keyWrap.useOAEP

- - - - -
48778b2f by jmagne at 2021-02-22T13:44:20-08:00
pkispawn fails against 389-ds 1.4.3.19 #3458 (#3465)

Add suggested patch from stanislavlevin to solve this issue.
Also add f34 to the ipa tests, this time really add the tests.
Upon further review, back out of f34 tests until the infrastructure
supports it.

Also hardcode tomcat app setting in spec file for the moment to
avoid possible glitches on certain platforms.

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
- - - - -
dd0f7171 by Endi S. Dewata at 2021-02-24T09:18:48-06:00
Refactor Configurator.createRemoteCert()

The Configurator.createRemoteCert() has been modified to take
an install token instead of session ID.

- - - - -
14219af5 by Endi S. Dewata at 2021-02-24T09:18:54-06:00
Refactor Configurator.createCert()

The Configurator.createCert() has been modified to take a clone
flag, a master URL, and an install token instead of the request
object.

- - - - -
b91e6547 by Endi S. Dewata at 2021-02-24T09:18:54-06:00
Refactor Configurator.processCert()

The Configurator.processCert() has been modified to take a
subsystem type, a cert tag, a profile ID, and DNS names.

- - - - -
71e9fbb9 by Endi S. Dewata at 2021-02-24T10:39:11-06:00
Add Configurator.trustCert()

The code that configures the system cert trust flags has been
moved into Configurator.trustCert().

- - - - -
16c766cf by Endi S. Dewata at 2021-02-24T10:39:18-06:00
Add Configurator.setupNewCert()

The code that creates a new system cert has been moved into
Configurator.setupNewCert().

- - - - -
6a63aca3 by Endi S. Dewata at 2021-02-24T10:39:39-06:00
Add Configurator.setupExistingCert()

The code that imports an existing system cert has been moved
into Configurator.setupExistingCert().

- - - - -
f8065af2 by Endi S. Dewata at 2021-02-25T10:40:34-06:00
Refactor Configurator.createECCKeyPair()

The Configurator.createECCKeyPair() has been modified to take
an EC type parameter.

- - - - -
c154da5d by Endi S. Dewata at 2021-02-25T11:30:30-06:00
Refactor Configurator.createKeyPair()

The Configurator.createKeyPair() has been merged into setupCert().

- - - - -
e5cb1427 by Endi S. Dewata at 2021-02-25T11:30:33-06:00
Refactor Configurator.createCertRequest()

The Configurator.createCertRequest() has been modified to take
DN, algorithm, extension OID, extension data, and extension
critical parameters.

- - - - -
5476881a by Endi S. Dewata at 2021-02-25T11:30:33-06:00
Refactor Configurator.setupNewCert()

The Configurator.setupNewCert() has been modified to take
DN, algorithm, extension OID, extension data, and extension
critical parameters.

- - - - -
e414962c by Endi S. Dewata at 2021-02-25T11:30:33-06:00
Remove unused constants in SystemCertData

- - - - -
21dee807 by Endi S. Dewata at 2021-02-25T17:17:24-06:00
Convert QE test to Docker

Previously the QE test was running on Vagrant which can only
run on macOS runners on GitHub:
https://stackoverflow.com/questions/66261101/using-vagrant-on-github-actions-ideally-incl-virtualbox

However, there is a performance issue with the macOS runners
which is causing the test to fail occasionally:
https://github.com/actions/virtual-environments/issues/1336

To improve the reliability, the QE test has been converted
to run on Docker instead. Some steps for configuring the
machine hostname in configure_common.yml have been removed
since it's no longer necessary.

- - - - -
f7aefd19 by Endi S. Dewata at 2021-03-01T09:26:49-06:00
Move server classes to pki-server

- - - - -
83cf370f by Endi S. Dewata at 2021-03-01T09:26:53-06:00
Move enrollment constraints to pki-ca

- - - - -
7871b7ae by Endi S. Dewata at 2021-03-01T09:26:58-06:00
Move enrollment extension defaults to pki-ca

- - - - -
9c1e2d21 by Endi S. Dewata at 2021-03-01T09:27:03-06:00
Move enrollment defaults to pki-ca

- - - - -
803ebabe by Endi S. Dewata at 2021-03-01T09:27:09-06:00
Move profile factories to pki-ca

- - - - -
107bb049 by Endi S. Dewata at 2021-03-01T09:27:14-06:00
Move CA classes to pki-ca

- - - - -
37432d64 by Endi S. Dewata at 2021-03-01T09:27:20-06:00
Move KRA classes to pki-kra

- - - - -
a1275b41 by Endi S. Dewata at 2021-03-01T09:27:29-06:00
Move TKS classes to pki-tks

- - - - -
8e885fba by Endi S. Dewata at 2021-03-01T10:57:08-06:00
Replace CMS.getCMSEngine() in pki-ca

- - - - -
aa443318 by Endi S. Dewata at 2021-03-01T10:57:11-06:00
Replace CMS.getCMSEngine() in pki-kra

- - - - -
c4b56d74 by Endi S. Dewata at 2021-03-01T10:57:15-06:00
Replace CMS.getCMSEngine() in pki-ocsp

- - - - -
62c76777 by Endi S. Dewata at 2021-03-01T10:57:17-06:00
Replace CMS.getCMSEngine() in pki-tks

- - - - -
7fe37ee2 by Endi S. Dewata at 2021-03-01T14:49:27-06:00
Refactor CASigningUnit.sign()

The CASigningUnit.sign() has been modified to throw all
exceptions and let them be handled by the caller.

- - - - -
99d0c09c by Endi S. Dewata at 2021-03-01T14:49:28-06:00
Refactor OCSPSigningUnit.sign()

The OCSPSigningUnit.sign() has been modified to throw all
exceptions and let them be handled by the caller.

- - - - -
e5b61a19 by Endi S. Dewata at 2021-03-01T14:49:29-06:00
Refactor CASigningUnit.verify()

The CASigningUnit.verify() has been modified to throw all
exceptions and let them be handled by the caller.

- - - - -
3ccd775a by Endi S. Dewata at 2021-03-01T14:49:31-06:00
Refactor OCSPSigningUnit.verify()

The OCSPSigningUnit.verify() has been modified to throw all
exceptions and let them be handled by the caller.

- - - - -
2f6f1df8 by Endi S. Dewata at 2021-03-01T17:16:57-06:00
Refactor CertificateAuthority.getCertChain()

The CertificateAuthority.getCertChain() has been moved into
SigningUnit class.

- - - - -
0f4044e7 by Endi S. Dewata at 2021-03-01T17:22:39-06:00
Clean up OCSP fields in CertificateAuthority

The CertificateAuthority has been modified to get OCSP
info directly from OCSP signing unit instead of storing
them into fields.

- - - - -
7432d4ca by Endi S. Dewata at 2021-03-01T17:24:51-06:00
Clean up CRL fields in CertificateAuthority

The CertificateAuthority has been modified to get CRL
info directly from CRL signing unit instead of storing
them into fields.

- - - - -
4904b366 by Endi S. Dewata at 2021-03-01T17:25:01-06:00
Clean up CA fields in CertificateAuthority

The CertificateAuthority has been modified to get CA
info directly from CA signing unit instead of storing
them into fields.

- - - - -
59b7a954 by Endi S. Dewata at 2021-03-01T17:25:12-06:00
Clean up OCSP fields in OCSPAuthority

The OCSPAuthority has been modified to get OCSP info directly
from OCSP signing unit instead of storing them into fields.

- - - - -
78c3e04e by Endi S. Dewata at 2021-03-01T18:35:50-06:00
Refactor DBRegistry

The DBRegistry has been modified to no longer implement
ISubsystem.

- - - - -
d58fe66e by Endi S. Dewata at 2021-03-01T18:38:25-06:00
Convert ICMSExtension into CMSExtension

The ICMSExtension interface has been converted into
CMSExtension abstract class. The init() method has been
modified to no longer take an owner parameter.

- - - - -
6fe9c812 by Endi S. Dewata at 2021-03-01T18:41:47-06:00
Refactor CMSExtensionsMap

The CMSExtensionsMap has been modified to no longer
implement ISubsystem.

- - - - -
28c03981 by Endi S. Dewata at 2021-03-01T18:48:15-06:00
Refactor RequestSubsystem.init()

The RequestSubsystem has been modified to no longer implement
ISubsystem. The RequestSubsystem.init() has been modified to
take a DBSubsystem parameter.

- - - - -
0c4f95fe by Endi S. Dewata at 2021-03-01T18:50:43-06:00
Remove RequestSubsystem.getRequestQueue()

The RequestSubsystem.getRequestQueue() has been replaced with
direct calls to RequestQueue constructor.

- - - - -
f7b82ae6 by Endi S. Dewata at 2021-03-02T11:24:37-06:00
Add pki pkcs7-export

The pki pkcs7-export has been added to export certs from
NSS database into a PKCS #7 file.

- - - - -
8f50ed3f by Endi S. Dewata at 2021-03-02T11:24:37-06:00
Add pki pkcs7-cert-import

The pki pkcs7-cert-import has been added to import certs
into a PKCS #7 file.

- - - - -
72bba1c1 by Endi S. Dewata at 2021-03-02T11:24:37-06:00
Update pki pkcs7-import

The pki pkcs7-import has been updated to deprecate the
--input-file and --trust-flags params.

- - - - -
79f147c7 by Endi S. Dewata at 2021-03-02T11:24:37-06:00
Update pki pkcs7-cert-find

The pki pkcs7-cert-find has been updated to replace the
--pkcs7-file param with --pkcs7.

- - - - -
5bb47100 by Endi S. Dewata at 2021-03-02T11:24:37-06:00
Update pki pkcs7-cert-export

The pki pkcs7-cert-export has been updated to replace
--pkcs7-file param with --pkcs7, and add --output-file.

- - - - -
3cfc09c4 by Endi S. Dewata at 2021-03-02T11:24:37-06:00
Add doc for pki pkcs7 CLI

- - - - -
75ed2b96 by Endi S. Dewata at 2021-03-02T11:24:37-06:00
Add test for pki pkcs7 CLI

- - - - -
13f4c7fe by Alexander Scheel at 2021-03-02T16:57:16-05:00
Resolve XSS in ca queryCert pagination

Several values in ListCerts were reflected back to the caller, making a
reflected XSS attack possible. These values were sanitized and the
front-end template fixed to prevent this type of attack in general.

Resolves: CVE-2020-25715

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
147fbdc5 by Endi S. Dewata at 2021-03-02T18:48:56-06:00
Move RecoverThread into a separate file

- - - - -
d1499526 by Endi S. Dewata at 2021-03-02T18:48:56-06:00
Move RequestList into a separate file

- - - - -
6f24b967 by Endi S. Dewata at 2021-03-02T18:48:56-06:00
Move RequestListByStatus into a separate file

- - - - -
82b37d94 by Endi S. Dewata at 2021-03-02T18:48:56-06:00
Move EnrollmentRequest into a separate file

- - - - -
1d35199e by Endi S. Dewata at 2021-03-02T18:48:56-06:00
Move RequestIAttrSetWrapper into a separate file

- - - - -
0d6c9951 by Endi S. Dewata at 2021-03-02T18:48:56-06:00
Move Request into a separate file

- - - - -
9a7e2311 by Endi S. Dewata at 2021-03-02T18:48:56-06:00
Move RunListeners into a separate file

- - - - -
4c47bd44 by Endi S. Dewata at 2021-03-02T18:56:02-06:00
Merge RequestRepository constructors

- - - - -
e062dc83 by Endi S. Dewata at 2021-03-02T18:56:27-06:00
Move RequestRepository.getBaseDN() to Repository

- - - - -
942119a5 by Endi S. Dewata at 2021-03-02T18:57:23-06:00
Refactor RequestQueueTest.cmsTestSetUp()

The RequestQueueTest.cmsTestSetUp() has been modified to
throw all exceptions.

- - - - -
9306d50e by Endi S. Dewata at 2021-03-02T20:49:08-06:00
Refactor RequestQueue constructor

The RequestQueue constructor has been modified to take
a RequestRepository parameter.

- - - - -
1160c27f by Endi S. Dewata at 2021-03-03T10:45:29-06:00
Update dependency to JSS 4.8.2

The dependency has been updated due to the use of new APIs
in JSS 4.8.2.

- - - - -
fa0c12a7 by Endi S. Dewata at 2021-03-03T14:02:07-06:00
Add test for installing CA with ECC

- - - - -
479244d2 by Endi S. Dewata at 2021-03-03T14:05:29-06:00
Update CI Dockerfile

The CI Dockerfile has been modified to install PKI packages
in the container image.

- - - - -
fac85511 by Endi S. Dewata at 2021-03-03T14:06:34-06:00
Remove redundant PKI package installations

The CI tests have been modified to no longer install PKI
packages since they are already installed in the container
image.

- - - - -
ea7060f1 by Endi S. Dewata at 2021-03-03T14:07:14-06:00
Clean up redundant CI dependencies

- - - - -
5cefaa99 by Endi S. Dewata at 2021-03-03T14:07:14-06:00
Add COPR_REPO argument in CI Dockerfile

The CI Dockerfile has been modified to provide an argument
to override the COPR repository used for building the
container image.

- - - - -
928c06c2 by Endi S. Dewata at 2021-03-03T14:07:14-06:00
Update CI to use multi-stage builds

The CI has been modified to build PKI packages and the
container image using multi-stage builds.

- - - - -
eee2fb90 by Endi S. Dewata at 2021-03-03T15:04:51-06:00
Rename ARequestNotifier to RequestNotifier

- - - - -
77271aa8 by Endi S. Dewata at 2021-03-03T16:07:46-06:00
Remove unused KRANotify.mKRA field

- - - - -
848f0cae by Endi S. Dewata at 2021-03-03T16:07:55-06:00
Add CANotify

The code in RequestNotifier that depends on CA object
has been moved into a new CANotify class.

- - - - -
214b2282 by Endi S. Dewata at 2021-03-03T16:07:55-06:00
Move CertificateAuthority.initCertRequest() into CAConfigurator

- - - - -
0b857676 by Endi S. Dewata at 2021-03-03T16:07:55-06:00
Move CertificateAuthority.createCertRecord() into CAConfigurator

- - - - -
d0e53c57 by Endi S. Dewata at 2021-03-03T16:12:22-06:00
Rename Configurator.loadCert() to importCert()

- - - - -
a89a612b by Endi S. Dewata at 2021-03-03T16:12:24-06:00
Rename PKISubsystem.update_subsystem_cert() to update_system_cert()

- - - - -
714c710a by Endi S. Dewata at 2021-03-03T16:12:25-06:00
Fix indentation in Configuration.setupCert()

- - - - -
f230dcb9 by Endi S. Dewata at 2021-03-03T18:37:48-06:00
Refactor PKIDeployer.setup_system_certs()

The code that handles the server response in
PKIDeployer.setup_system_certs() has been moved
into setup_cert().

- - - - -
ac1da830 by Endi S. Dewata at 2021-03-03T19:43:13-06:00
Refactor Configurator.setupCert() (part 1)

The Configurator.setupCert() has been modified to get the
token name, profile ID, and cert type through SystemCertData
instead of directly from preop properties.

- - - - -
cfeb3d99 by Endi S. Dewata at 2021-03-03T19:43:21-06:00
Refactor Configurator.setupCert() (part 2)

The Configurator.setupCert() has been modified to get the
DNS names for SAN extension through SystemCertData instead
of directly from service.sslserver.san property.

- - - - -
cad787dc by Endi S. Dewata at 2021-03-03T19:52:27-06:00
Update dependency to JSS 4.9.0

- - - - -
714ef899 by Fraser Tweedale at 2021-03-05T22:34:47+10:00
cert-fix: avoid crash on missing CS.cfg param

`pki-server cert-fix` reads (and writes) the CS.cfg parameter
`selftests.container.order.startup`.  If this parameter is missing,
the resulting `KeyError` crashes the program.  We have seen several
cases where this parameter is missing, and its absence is otherwise
benign.

Update the relevant subroutine to avoid a crash in the case where
the `selftests.container.order.startup` parameter is missing.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1930586

- - - - -
269a38ba by Fraser Tweedale at 2021-03-05T22:34:47+10:00
cert-fix: emit warning if subsystem has selftests configured

A subsystem having no startup selftests configured might have been
deliberately configured that way.  But it is not a desirable
configuration for the long term.  Update `pki-server cert-fix` to
emit a warning when a subsystem has no startup selftests configured
in CS.cfg.

- - - - -
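The two cert-fix commits above describe a crash on a missing CS.cfg parameter and a warning when no startup selftests are configured. The following is an added example, not code from Dogtag or the pki-server CLI: it models the failing lookup next to the tolerant one over a constructed CS.cfg excerpt. The parser, the disable/restore helpers, and the sample configs are this example's own assumptions about how cert-fix temporarily clears the parameter and later restores it.

```python
# Added example (not part of Dogtag/pki-server): how `pki-server cert-fix`
# style code should treat the selftests.container.order.startup parameter
# in CS.cfg. The CS.cfg parser, the disable/restore helpers and the sample
# configs below are this example's own constructions.
import logging

log = logging.getLogger("cert-fix-example")

SELFTESTS_KEY = "selftests.container.order.startup"


def parse_cs_cfg(text):
    """Parse CS.cfg-style 'key=value' lines into a dict.

    Assumption: lines starting with '#' are comments; lines without '='
    and surrounding blanks are ignored.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def disable_selftests_crashing(cfg):
    """Pre-fix shape: indexing with [] raises KeyError when the parameter
    is absent, which aborts the whole cert-fix run."""
    saved = cfg[SELFTESTS_KEY]
    cfg[SELFTESTS_KEY] = ""
    return saved


def crashes_when_missing(text):
    """True if the pre-fix shape blows up on the given config text."""
    try:
        disable_selftests_crashing(parse_cs_cfg(text))
    except KeyError:
        return True
    return False


def disable_selftests(cfg):
    """Fixed shape: look the parameter up with .get(), warn when no startup
    selftests are configured, and never write a key that was not there.

    Returns (saved_value_or_None, list_of_warnings).
    """
    warnings = []
    saved = cfg.get(SELFTESTS_KEY)
    if saved is None or not saved.strip():
        msg = ("%s is not set: subsystem has no startup selftests configured; "
               "benign for cert-fix but not a desirable long-term configuration"
               % SELFTESTS_KEY)
        log.warning(msg)
        warnings.append(msg)
    if saved is not None:
        # Temporarily disable selftests so the server can start with bad certs.
        cfg[SELFTESTS_KEY] = ""
    return saved, warnings


def restore_selftests(cfg, saved):
    """Undo disable_selftests(): put the old value back, or leave CS.cfg
    without the key if it was never there."""
    if saved is None:
        cfg.pop(SELFTESTS_KEY, None)
    else:
        cfg[SELFTESTS_KEY] = saved


# Constructed sample configs (not real CS.cfg contents).
CFG_WITH_SELFTESTS = """\
# trimmed CS.cfg excerpt
cs.type=CA
selftests.container.order.startup=CAPresence:critical, SystemCertsVerification:critical
"""

CFG_WITHOUT_SELFTESTS = """\
cs.type=CA
selftests.container.order.onDemand=CAPresence:critical
"""


def cert_fix_selftests_roundtrip(text):
    """Disable then restore over one config.

    Returns (saved, warnings, value_while_disabled, final_cfg)."""
    cfg = parse_cs_cfg(text)
    saved, warnings = disable_selftests(cfg)
    disabled_value = cfg.get(SELFTESTS_KEY)
    restore_selftests(cfg, saved)
    return saved, warnings, disabled_value, cfg
```

The restore step matters as much as the tolerant read: if the key was absent when cert-fix started, writing an empty value back would silently change the instance's configuration rather than leaving it as found.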
2ecfd0d5 by Endi S. Dewata at 2021-03-08T10:36:21-06:00
Move CI Dockerfile

The CI Dockerfile has been moved to the top-level folder.

- - - - -
79064f40 by Endi S. Dewata at 2021-03-08T10:36:21-06:00
Move list of IPA CI tests

The list of IPA CI tests has been moved into ipa-test.sh.

- - - - -
19bd8ae7 by Endi S. Dewata at 2021-03-08T10:36:21-06:00
Clean up CI build options

The CI BUILD_OPTS have been modified to no longer use timestamps
and commit IDs in PKI package names. The build-push-action has
also been modified to use the default Git context.

- - - - -
dfdb253c by Endi S. Dewata at 2021-03-08T10:36:21-06:00
Rename CI runner container image

- - - - -
4da7bb9e by Endi S. Dewata at 2021-03-08T10:36:21-06:00
Remove unused CI LOGS variable

- - - - -
1e080448 by Endi S. Dewata at 2021-03-08T19:16:16-06:00
Update exception for unsupported cert revocation

The ACMEIssuer.revokeCertificate() has been modified to generate
a urn:ietf:params:acme:error:unsupported error message instead of
NotImplementedException.

- - - - -
712f2015 by Endi S. Dewata at 2021-03-08T19:16:16-06:00
Update ACMEEngine.parseCSRExtensions()

The ACMEEngine.parseCSRExtensions() has been modified to
downcast CSR extensions into Extension class.

- - - - -
95308c6b by Endi S. Dewata at 2021-03-08T19:16:16-06:00
Update ACMEEngine.validateRevocation()

The ACMEEngine.validateRevocation() has been modified to use
X509CertImpl to parse cert data.

- - - - -
f309fa26 by Endi S. Dewata at 2021-03-08T19:16:16-06:00
Clean up ACME CI tests

- - - - -
6a1623a8 by Endi S. Dewata at 2021-03-08T20:41:11-06:00
Update ACME Dockerfile

The ACME Dockerfile has been updated to work with Quay and
Docker Hub.

- - - - -
745dbf0d by Endi S. Dewata at 2021-03-09T15:05:36-06:00
Add SystemConfigService.loadCert()

The SystemConfigService.loadCert() has been added to load
existing system certs.

The CAConfigurator.loadCert() has been added to initialize
the CA with existing signing certificate.

- - - - -
9ff8bd5e by Endi S. Dewata at 2021-03-09T15:05:39-06:00
Refactor Configurator.setupCert()

The code that loads existing certs in Configurator.setupCert()
has been moved into PKIDeployer.setup_cert().

- - - - -
431e99d5 by Endi S. Dewata at 2021-03-09T15:05:41-06:00
Clean up Configurator.loadCert()

The unused code that stores the request and cert data into
the Cert object in Configurator.loadCert() has been removed.

- - - - -
fbabcb62 by Endi S. Dewata at 2021-03-09T15:05:43-06:00
Removed unused fields in CertificateSetupRequest

The external and standAlone fields in CertificateSetupRequest
are no longer used so they have been removed.

- - - - -
a1d5fe72 by Endi S. Dewata at 2021-03-09T16:35:53-06:00
Merge Configurator.setupNewCert() into setupCert()

- - - - -
10feff62 by Endi S. Dewata at 2021-03-09T16:35:55-06:00
Refactor Configurator.setupCert()

The code that stores the request and cert data into
CS.cfg in Configurator.setupCert() has been moved
into PKIDeployer.setup_system_certs().

- - - - -
89e05244 by Endi S. Dewata at 2021-03-09T16:43:30-06:00
Refactor Configurator.createCert()

The code that calls Configurator.createLocalCert() in
createCert() has been moved into setupCert().

- - - - -
481d3253 by Endi S. Dewata at 2021-03-09T19:36:50-06:00
Copy ACME Dockerfile into main Dockerfile

The ACME Dockerfile has been copied from base/acme/Dockerfile
which uses a single build stage into the main Dockerfile which
uses multiple build stages.

- - - - -
dd0dd0ef by Endi S. Dewata at 2021-03-09T19:38:39-06:00
Add test for ACME container

- - - - -
cc9b8778 by Endi S. Dewata at 2021-03-10T12:00:43-06:00
Restored timestamp and commit ID in CI build options

Commit 19bd8ae703d0c4c9e2f56380b93c3452a112ce33 has been
reverted to avoid conflicts with COPR builds.

- - - - -
0e9fa98a by Endi S. Dewata at 2021-03-10T15:22:31-06:00
Fix PKIServer.restart()

The PKIServer.restart() has been modified to always wait
until the server is stopped before starting it again.

- - - - -
b9e80c95 by Endi S. Dewata at 2021-03-10T15:36:29-06:00
Move startup_timeout and request_timeout into PKIDeployer

- - - - -
c95163a6 by Endi S. Dewata at 2021-03-10T15:36:29-06:00
Update PKIServer.start(), stop(), and restart()

The PKIServer.start(), stop(), and restart() invocations in
pkispawn and pkidestroy have been modified to wait until the
operation is complete.

- - - - -
5b2ef508 by Endi S. Dewata at 2021-03-10T16:18:13-06:00
Add PKISubsystem.restart()

A new PKISubsystem.restart() has been added to disable
a subsystem then reenable it again.

- - - - -
69e147c9 by Alexander Bokovoy at 2021-03-10T20:25:55-06:00
Update pki.spec to not depend on esc for s390(x) architectures

- - - - -
537d923f by Endi S. Dewata at 2021-03-10T21:02:32-06:00
Clean up spec file

- - - - -
cd1f8d0a by Alexander Scheel at 2021-03-15T09:39:07-05:00
Remove i686 builds in the future

For Fedora and RHEL-9, we probably should drop i686 builds. This is
partially due to the lack of md2man (for converting our man pages) but also
due to the lack of multilib compatible Java packages. Best to ship
64-bit only packages then.

Discussed with Alexander Bokovoy in #freeipa.

Signed-off-by: Alexander Scheel <alexander.m.scheel at gmail.com>

- - - - -
9cfd14b0 by Fraser Tweedale at 2021-03-15T11:37:44-05:00
Fix renewal profile approval process

Due to a recent change in PKI CLI, the CLI now passes along user
authentication with submissions to the renewal endpoint. Unlike the EE
pages, the REST API has passed along this authentication for a while.
Due to a bug in the RenewalProcessor, requests with credentials against
profiles with no authentication method and no ACLs result in the
certificate automatically being approved. This occurs because, when
an earlier commit (cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7) modified
the code to allow Light-Weight SubCAs to issue certificates, validation
wasn't done on the passed principal, to see if it was a trusted agent.
Because profiles requiring Agent approval have an empty ACL list (as, no
user should be able to submit a certificate request and have it
automatically signed without agent approval), authorize allows any user
to approve this request and thus accepts the AuthToken.

Critical analysis: the RenewalProcessor code interprets (authToken
!= null) as evidence that the authenticated user is /authorized/ to
immediately issue the certificate.  This mismatch of concerns (authn
vs authz) resulted in a misunderstanding of system behaviour.  The
"latent" AuthToken (from the HTTP request) was assigned to authToken
without realising that authorization needed to be performed.

We fix this by splitting the logic on whether the profile defines an
authenticator.  If so, we (re)authenticate and authorize the user
according to the profile configuration.

If the profile does not define an authenticator but there is a
principal in the HTTP request, if (and only if) the user has
permission to approve certificate requests *and* the requested
renewal profile is caManualRenewal (which is hardcoded to be used
for LWCA renewal), then we issue the certificate immediately.  This
special case ensures that LWCA renewal keeps working.

Otherwise, if there is no principal in the HTTP request or the
principal does not have permission to approve certificate requests,
we leave the authToken unset.  The resulting renewal request will be
created with status PENDING, i.e. enqueued for agent review.

Signed-off-by: Fraser Tweedale <ftweedal at redhat.com>
Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
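The commit above is an authn-versus-authz confusion: a present AuthToken was taken as proof of authorization to issue. The following is an added example, not Dogtag's RenewalProcessor code: it models the pre-fix decision next to the post-fix decision rules from the commit message (profile-defined authenticator, the caManualRenewal special case, and PENDING otherwise). The Profile and Principal shapes, the permission name, the toy password authenticator, and the scenarios are this example's own assumptions.

```python
# Added example (not Dogtag's RenewalProcessor): the authn-vs-authz split
# described in the commit message above, modelled with plain Python data.
# Profile, Principal, the permission name and the toy authenticator are this
# example's own assumptions; only the "caManualRenewal" special case and the
# decision rules come from the commit message.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

LWCA_RENEWAL_PROFILE = "caManualRenewal"
# Assumption: illustrative name for "permission to approve certificate requests".
APPROVE_REQUESTS = "certServer.ca.request.approve"


class AuthenticationError(Exception):
    """Credentials were rejected by the profile's authenticator."""


class AuthorizationError(Exception):
    """The authenticated user is not admitted by the profile's ACL."""


@dataclass
class Profile:
    id: str
    # None means the profile defines no authenticator (agent-approved profile).
    authenticator: Optional[Callable[[Dict[str, str]], str]] = None
    # Users the profile ACL admits; agent-approved profiles leave this empty.
    acl: List[str] = field(default_factory=list)


@dataclass
class Principal:
    name: str
    permissions: Set[str] = field(default_factory=set)


def authorize_by_acl(profile: Profile, user: str) -> bool:
    """Mirror of the behaviour the commit describes: an empty ACL admits anyone."""
    return not profile.acl or user in profile.acl


def decide_before_fix(profile: Profile, principal: Optional[Principal]) -> str:
    """Pre-fix logic: the latent HTTP principal is taken as an AuthToken and
    'authorized' against the (empty) ACL, so any authenticated user issues."""
    auth_token = principal.name if principal is not None else None
    if auth_token is not None and authorize_by_acl(profile, auth_token):
        return "ISSUED"
    return "PENDING"


def decide_after_fix(profile: Profile, principal: Optional[Principal],
                     credentials: Optional[Dict[str, str]] = None) -> str:
    """Post-fix logic from the commit message."""
    if profile.authenticator is not None:
        # (Re)authenticate and authorize according to the profile configuration.
        user = profile.authenticator(credentials or {})
        if not authorize_by_acl(profile, user):
            raise AuthorizationError(user)
        return "ISSUED"
    # No authenticator: issue immediately only for an approver on the LWCA profile.
    if (principal is not None
            and APPROVE_REQUESTS in principal.permissions
            and profile.id == LWCA_RENEWAL_PROFILE):
        return "ISSUED"
    # Otherwise leave authToken unset: the request is created PENDING for agents.
    return "PENDING"


def renewal_rejected(profile: Profile, principal: Optional[Principal],
                     credentials: Optional[Dict[str, str]]) -> bool:
    """True when the post-fix path refuses the request outright."""
    try:
        decide_after_fix(profile, principal, credentials)
    except (AuthenticationError, AuthorizationError):
        return True
    return False


# Toy authenticator (assumption): a password table standing in for a directory bind.
_PASSWORDS = {"alice": "s3cret"}


def password_authenticator(credentials: Dict[str, str]) -> str:
    uid = credentials.get("uid", "")
    if _PASSWORDS.get(uid) != credentials.get("pwd"):
        raise AuthenticationError(uid)
    return uid


# Constructed scenarios for the assertions.
MANUAL_RENEWAL = Profile(LWCA_RENEWAL_PROFILE)      # no authenticator, empty ACL
OTHER_AGENT_PROFILE = Profile("caOtherRenewal")     # same shape, different profile
PASSWORD_PROFILE = Profile("caUserPasswordRenewal",
                           authenticator=password_authenticator, acl=["alice"])

AGENT = Principal("caadmin", {APPROVE_REQUESTS})
PLAIN_USER = Principal("bob")
```

The key check is the second one: a bare authenticated user with no approval permission must land in PENDING, whichever profile is requested, and the immediate-issue path is gated on both the permission and the exact profile name.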
7e450d62 by Endi S. Dewata at 2021-03-15T21:18:21-05:00
Fix QE tests reliability

- - - - -
f436e39b by Endi S. Dewata at 2021-03-15T21:18:21-05:00
Update pki.spec for ELN/RHEL

- - - - -
a88d0efe by Endi S. Dewata at 2021-03-15T21:18:21-05:00
Clean up CryptoUtil.signCert()

The CryptoUtil.signCert() has been modified to throw a generic
Exception.

- - - - -
a60ccb8e by Endi S. Dewata at 2021-03-15T21:18:21-05:00
Replace SigningUnit.mapAlgorithmToJss()

The SigningUnit.mapAlgorithmToJss() has been replaced with
direct calls to Cert.mapAlgorithmToJss().

- - - - -
a3537f34 by Endi S. Dewata at 2021-03-15T21:18:21-05:00
Refactor PKIInstance.get_sslserver_cert_nickname()

The code that loads the SSL server cert nickname from server.xml
has been moved to PKIServer.get_sslserver_cert_nickname().

- - - - -
00e6351b by Endi S. Dewata at 2021-03-15T21:51:20-05:00
Refactor PKIInstance.set_sslserver_cert_nickname()

The code that stores the SSL server cert nickname into server.xml
has been moved into PKIServer.set_sslserver_cert_nickname().

- - - - -
1b2109a6 by Endi S. Dewata at 2021-03-15T21:51:20-05:00
Remove unused CertUtils.createCertInfo()

- - - - -
4cef6ee1 by Endi S. Dewata at 2021-03-16T16:53:59-05:00
Replace CertificateExtensions with Extensions

- - - - -
51936fde by Endi S. Dewata at 2021-03-16T20:39:59-05:00
Clean up CryptoUtil.createCertificationRequest()

- - - - -
bfa34094 by Endi S. Dewata at 2021-03-16T20:39:59-05:00
Refactor CryptoUtil.createCertificationRequest()

The CryptoUtil.createCertificationRequest() has been modified
to take a KeyPair parameter.

- - - - -
2a3e776c by Endi S. Dewata at 2021-03-17T10:24:43-05:00
Fix files listed twice in pki.spec

https://github.com/dogtagpki/pki/issues/3321

- - - - -
fc993db1 by Endi S. Dewata at 2021-03-17T10:24:45-05:00
Remove unused imports

- - - - -
d65daa05 by Endi S. Dewata at 2021-03-17T10:24:47-05:00
Move com.netscape.cms.shares to pki-kra

- - - - -
a4ec02e4 by Endi S. Dewata at 2021-03-17T10:44:09-05:00
Drop Tomcat 7.0 from pki-server migrate

The pki-server migrate CLI has been modified to remove the code
for migrating into Tomcat 7.0 since it's no longer supported.

- - - - -
4111b795 by Endi S. Dewata at 2021-03-17T10:44:25-05:00
Remove unused Tomcat 7.0 files

- - - - -
2c9616ae by Endi S. Dewata at 2021-03-17T12:14:24-05:00
Drop Tomcat 8.0 from pki-server migrate

The pki-server migrate CLI has been modified to remove the code
for migrating into Tomcat 8.0 since it's no longer supported.

- - - - -
d16a0129 by Endi S. Dewata at 2021-03-17T12:14:26-05:00
Remove unused Tomcat 8.0 files

- - - - -
96d9cd5d by Endi S. Dewata at 2021-03-17T13:35:06-05:00
Drop Tomcat 8.5 from pki-server migrate

The pki-server migrate CLI has been modified to remove the code
for migrating into Tomcat 8.5 since it's no longer supported.

- - - - -
be6f5653 by Endi S. Dewata at 2021-03-17T15:47:10-05:00
Convert Tomcat 8.5 files into Tomcat 9.0

- - - - -
83b8feaf by Endi S. Dewata at 2021-03-17T17:02:20-05:00
Convert MigrateCLI.migrate_nssdb() into upgrade script

- - - - -
e70373ab by Endi S. Dewata at 2021-03-17T17:02:20-05:00
Convert MigrateCLI.migrate_server_xml() into upgrade script

- - - - -
4f2af1c5 by Endi S. Dewata at 2021-03-17T17:02:20-05:00
Convert MigrateCLI.migrate_context_xml() into upgrade script

- - - - -
1bae09ce by Endi S. Dewata at 2021-03-17T17:24:02-05:00
Convert MigrateCLI.migrate_service() into upgrade script

- - - - -
2bac2ea7 by Endi S. Dewata at 2021-03-18T12:31:22-05:00
Move MigrateCLI.export_ca_cert() into PKIServer

The code that exports the CA certificate during startup
has been moved into PKIServer.export_ca_cert().

- - - - -
0246930f by Endi S. Dewata at 2021-03-18T12:31:24-05:00
Add PKIServer.enable_subsystems()

The code that enables all subsystems during startup
has been moved into PKIServer.enable_subsystems().

- - - - -
db8c0d3a by Endi S. Dewata at 2021-03-18T12:31:26-05:00
Add PKIInstance.validate_banner()

The code that validates banner during startup has been
moved into PKIInstance.validate_banner().

- - - - -
69d39dd3 by Endi S. Dewata at 2021-03-18T12:31:28-05:00
Add PKIServer.create_catalina_policy()

The code that creates catalina.policy during startup has
been moved into PKIServer.create_catalina_policy().

- - - - -
cf497f10 by Endi S. Dewata at 2021-03-18T12:31:31-05:00
Remove restart_server_after_configuration file

The code that creates and removes the
restart_server_after_configuration file has been removed
since the server is restarted automatically by pkispawn.

- - - - -
f3d93530 by Endi S. Dewata at 2021-03-18T19:30:06-05:00
Clean up log messages during installation

- - - - -
ac51d75c by Endi S. Dewata at 2021-03-18T19:30:13-05:00
Update subsystem deployment

pkispawn has been modified to deploy/redeploy a subsystem
without restarting the server.

- - - - -
7a536cab by Endi S. Dewata at 2021-03-23T09:08:17-05:00
Add test for installing CA with secure DS

- - - - -
199a1b58 by Endi S. Dewata at 2021-03-23T16:29:31-05:00
Clean up CA test with secure DS

The CA test with secure DS has been modified to validate
the SSL connection without modifying the ldap.conf.

- - - - -
65d3d83c by Endi S. Dewata at 2021-03-23T16:29:31-05:00
Clean up CA test artifacts

The CA tests have been modified to store PKI and DS config files
and log files into a single file.

- - - - -
4bbcc190 by Endi S. Dewata at 2021-03-23T18:27:24-05:00
Add log messages in CryptoUtil.signCert()

- - - - -
3a9994f8 by Endi S. Dewata at 2021-03-23T18:27:24-05:00
Refactor CryptoUtil.generateECCKeyPair()

The CryptoUtil.generateECCKeyPair() has been modified to
throw a generic Exception.

- - - - -
944f7fc8 by Endi S. Dewata at 2021-03-23T18:27:24-05:00
Clean up log messages during cloning

- - - - -
38b8e698 by Endi S. Dewata at 2021-03-24T11:26:37-05:00
Remove redundant type casts

- - - - -
1166ae3a by Endi S. Dewata at 2021-03-24T17:58:08-05:00
Add CACMSAdminServlet

The CACMSAdminServlet has been added to store CA-specific
code from CMSAdminServlet.

- - - - -
120703a8 by Endi S. Dewata at 2021-03-24T17:58:13-05:00
Refactor CMSAdminServlet.isSubsystemInstalled()

The CA-specific code in CMSAdminServlet.isSubsystemInstalled()
has been moved into CACMSAdminServlet.

- - - - -
b52f2cec by Endi S. Dewata at 2021-03-24T17:58:13-05:00
Refactor CMSAdminServlet.readEncryption()

The CA-specific code in CMSAdminServlet.readEncryption() has
been moved into CACMSAdminServlet.

- - - - -
bd10f87c by Endi S. Dewata at 2021-03-24T17:58:13-05:00
Refactor CMSAdminServlet.modifyEncryption()

The CA-specific code in CMSAdminServlet.modifyEncryption() has
been moved into CACMSAdminServlet.

- - - - -
05fcfcb3 by Endi S. Dewata at 2021-03-24T18:21:21-05:00
Refactor CMSAdminServlet.issueImportCert()

The CA-specific code in CMSAdminServlet.issueImportCert() has
been moved into CACMSAdminServlet.

- - - - -
75effdc6 by Endi S. Dewata at 2021-03-24T18:30:17-05:00
Refactor CMSAdminServlet.installCert()

The CA-specific code in CMSAdminServlet.installCert() has been
moved into CACMSAdminServlet.

- - - - -
38c955e5 by Endi S. Dewata at 2021-03-24T18:30:17-05:00
Refactor CMSEngine.isRevoked()

The CA-specific code in CMSEngine.isRevoked() has been moved
into CAEngine.

- - - - -
1b61ce01 by Endi S. Dewata at 2021-03-25T09:22:34-05:00
Add test for installing CA clone with secure DS

- - - - -
04f9040b by Endi S. Dewata at 2021-03-25T09:26:38-05:00
Move RenewableCertificateCollection to pki-server

- - - - -
3f93003c by Endi S. Dewata at 2021-03-25T09:26:38-05:00
Move CertRecordMapper to pki-ca

- - - - -
7f01deea by Endi S. Dewata at 2021-03-25T09:26:38-05:00
Move RenewalServlet to pki-ca

- - - - -
476ce4ab by Endi S. Dewata at 2021-03-25T09:26:38-05:00
Move IPublishRuleSet to pki-ca

- - - - -
d0c3e267 by Endi S. Dewata at 2021-03-25T09:26:38-05:00
Move KeyRepository to pki-kra

- - - - -
5e711b1c by Endi S. Dewata at 2021-03-25T09:26:38-05:00
Replace IKeyRecoveryAuthority with KeyRecoveryAuthority

- - - - -
9b5c65cf by Endi S. Dewata at 2021-03-25T09:26:38-05:00
Replace IKeyRepository with KeyRepository

- - - - -
abf1b56a by Endi S. Dewata at 2021-03-25T11:12:24-05:00
Replace ILdapRule with LdapRule

- - - - -
743c8760 by Endi S. Dewata at 2021-03-25T11:12:26-05:00
Replace ICertRecordList with CertRecordList

- - - - -
93ce0115 by Endi S. Dewata at 2021-03-25T11:12:28-05:00
Replace ICertRecord with CertRecord

- - - - -
c0690048 by Endi S. Dewata at 2021-03-25T11:12:30-05:00
Remove unused IRegistrationAuthority.getPublisherProcessor()

- - - - -
be38f7c2 by Endi S. Dewata at 2021-03-25T11:13:38-05:00
Replace CertificateAuthority.getPublisherProcessor()

The CertificateAuthority.getPublisherProcessor() has been
replaced with direct calls to CAEngine.getPublisherProcessor().

- - - - -
86a17456 by Endi S. Dewata at 2021-03-25T15:29:02-05:00
Rename DBSSession into LDAPSession

- - - - -
9b192416 by Endi S. Dewata at 2021-03-25T15:29:04-05:00
Rename DBSSessionDefaultStub into DBSSession

- - - - -
b09818b0 by Endi S. Dewata at 2021-03-25T16:12:43-05:00
Merge IDBSSession into DBSSession

- - - - -
89d73c3a by Endi S. Dewata at 2021-03-25T16:12:48-05:00
Rename DBRegistry into LDAPRegistry

- - - - -
08ba391b by Endi S. Dewata at 2021-03-25T16:12:48-05:00
Rename DBRegistryDefaultStub into DBRegistry

- - - - -
cde2a125 by Endi S. Dewata at 2021-03-25T16:12:54-05:00
Merge IDBRegistry into DBRegistry

- - - - -
b83697db by Pritam Singh at 2021-03-26T20:18:56+05:30
Added_doc_for_installing_CA_clone_with_secure_DS (#3486)

Signed-off-by: Pritam Singh <prisingh at redhat.com>

- - - - -
48013da6 by Endi S. Dewata at 2021-03-26T10:36:27-05:00
Consolidate ECC key pair usages masks

Previously the ECC key pair usages masks were defined
multiple times in various locations. They now have been
consolidated into CryptoUtil.

- - - - -
6ce4026d by Endi S. Dewata at 2021-03-26T13:01:29-05:00
Clean up KRA test artifacts

The KRA tests have been modified to store PKI and DS config
files and log files into a single file.

- - - - -
e0a734a2 by Endi S. Dewata at 2021-03-26T14:08:06-05:00
Rename DBDynAttrMapperDefaultStub into DBDynAttrMapper

- - - - -
8205b85e by Endi S. Dewata at 2021-03-26T14:08:06-05:00
Merge IDBDynAttrMapper into DBDynAttrMapper

- - - - -
3bba14dd by Endi S. Dewata at 2021-03-26T14:08:06-05:00
Convert IDBAttrMapper into DBAttrMapper

- - - - -
ed8423a3 by Endi S. Dewata at 2021-03-26T14:08:06-05:00
Refactor CMSEngine.initAuthSubsystem()

The CMSEngine.initAuthSubsystem() has been modified to create
a new AuthSubsystem object instead of using a singleton.

- - - - -
c384e55a by Endi S. Dewata at 2021-03-26T15:04:55-05:00
Add AuthSubsystem.loadAuthManagerPlugins()

The code that loads the auth manager plugins has been moved
into AuthSubsystem.loadAuthManagerPlugins().

- - - - -
e55c61ad by Endi S. Dewata at 2021-03-26T15:06:46-05:00
Add AuthSubsystem.loadAuthManagerInstances()

The code that loads the auth manager instances has been
moved into AuthSubsystem.loadAuthManagerInstances().

- - - - -
fa29c2a5 by Endi S. Dewata at 2021-03-26T19:58:31-05:00
Move RetrieveModificationsTask into separate file

- - - - -
181a068a by Endi S. Dewata at 2021-03-26T19:58:39-05:00
Move SerialNumberUpdateTask into separate file

- - - - -
745c262c by Endi S. Dewata at 2021-03-26T19:58:40-05:00
Move CertStatusUpdateTask into separate file

- - - - -
06685701 by Endi S. Dewata at 2021-03-26T19:58:46-05:00
Move KeyStatusUpdateTask into separate file

- - - - -
fc737b19 by Endi S. Dewata at 2021-03-26T19:58:55-05:00
Move CertificateRepository.setSerialNumberUpdateInterval() into CAEngine

- - - - -
505909d8 by Endi S. Dewata at 2021-03-26T19:58:55-05:00
Move CertificateRepository.setCertStatusUpdateInterval() into CAEngine

- - - - -
0a21a71d by Endi S. Dewata at 2021-03-29T09:44:31-05:00
Move CertRecProcessor into a separate file

- - - - -
81081a34 by Endi S. Dewata at 2021-03-29T10:09:58-05:00
Move RevocationRequestListener into a separate file

- - - - -
90b218a7 by Endi S. Dewata at 2021-03-29T11:08:31-05:00
Add CRLIssuingPoint.handleUnexpectedFailure()

The code that handles unexpected failures has been moved from
CRLIssuingPoint.run() to handleUnexpectedFailure().

- - - - -
f6c087cb by Endi S. Dewata at 2021-03-29T11:08:31-05:00
Update log messages in CRLRepository.updateRevokedCerts()

- - - - -
5f371f21 by Endi S. Dewata at 2021-03-29T11:08:31-05:00
Update log messages in CRLRepository.updateCRLIssuingPointRecord()

- - - - -
11d7047f by Endi S. Dewata at 2021-03-29T11:08:31-05:00
Update log messages in DBAttrMapper.mapObjectToLDAPAttributeSet()

- - - - -
d9063df0 by Endi S. Dewata at 2021-03-29T11:08:31-05:00
Update log messages in LDAPRegistry.createLDAPAttributeSet()

- - - - -
026093c0 by Endi S. Dewata at 2021-03-29T11:08:31-05:00
Update log messages in LDAPSession.add()

- - - - -
9fdfebc3 by Endi S. Dewata at 2021-03-29T11:08:32-05:00
Update log messages in LDAPSession.modify()

- - - - -
c1f2d41e by Endi S. Dewata at 2021-03-29T12:04:30-05:00
Move KeyRepository.updateKeyStatus() into KeyStatusUpdateTask

- - - - -
7870ddfd by Endi S. Dewata at 2021-03-29T12:05:27-05:00
Move KeyRepository.setKeyStatusUpdateInterval() into KeyRecoveryAuthority

- - - - -
e01ff7f2 by Endi S. Dewata at 2021-03-29T12:05:30-05:00
Move CA tasks to pki-ca

- - - - -
e731cfaa by Endi S. Dewata at 2021-03-29T12:05:30-05:00
Move CertificateRepository.getModifications() into RetrieveModificationsTask

- - - - -
5f6bfa73 by Endi S. Dewata at 2021-03-29T12:05:30-05:00
Move CertificateRepository.updateCertStatus() into CertStatusUpdateTask

- - - - -
0362dc56 by Endi S. Dewata at 2021-03-29T14:30:34-05:00
Remove unused CertificateRepository.mSkipIfInconsistent

- - - - -
e641e2ac by Endi S. Dewata at 2021-03-29T15:26:24-05:00
Clean up CertificateRepository.transitCertList()

Previously the CertificateRepository.transitCertList() was
taking either a list of cert records or the serial numbers
depending on the value of mConsistencyCheck. Since the cert
records are guaranteed to be non-null, the code has been
simplified to take a list of serial numbers in all cases.

- - - - -
ad6f1ac4 by Endi S. Dewata at 2021-03-29T15:26:36-05:00
Update log messages in CertificateRepository.updateStatus()

- - - - -
8a3c2a97 by Endi S. Dewata at 2021-03-29T15:26:36-05:00
Move CertificateRepository.transitInvalidCertificates() to CertStatusUpdateTask

- - - - -
0744f1a6 by Endi S. Dewata at 2021-03-29T15:26:36-05:00
Move CertificateRepository.transitValidCertificates() to CertStatusUpdateTask

- - - - -
3893fc05 by Endi S. Dewata at 2021-03-29T15:34:12-05:00
Move CertificateRepository.transitRevokedExpiredCertificates() to CertStatusUpdateTask

- - - - -
232fa71e by Endi S. Dewata at 2021-03-29T15:34:12-05:00
Move transit attributes from CertificateRepository to CertStatusUpdateTask

- - - - -
955a1199 by Endi S. Dewata at 2021-03-29T17:09:52-05:00
Clean up CertificateRepository.transitCertList() (part 2)

The code that notifies CRL issuing points on revoked and expired
certs has been moved from CertificateRepository.transitCertList()
to CertStatusUpdateTask.updateRevokedExpiredCertificates().

- - - - -
6abb91c5 by Endi S. Dewata at 2021-03-29T17:09:55-05:00
Remove redundant CertificateRepository.mCRLIssuingPoints

- - - - -
c8c2db56 by Endi S. Dewata at 2021-03-29T17:09:57-05:00
Remove redundant CAService.mCRLIssuingPoints

- - - - -
0285ce46 by Endi S. Dewata at 2021-03-29T17:10:00-05:00
Update log messages in AuthSubsystem.init()

- - - - -
15fef884 by Endi S. Dewata at 2021-03-29T18:09:24-05:00
Update log messages in CertificateRepository.addCertificateRecord()

- - - - -
93a0d250 by Endi S. Dewata at 2021-03-29T18:09:24-05:00
Update log messages in PublisherProcessor.init()

- - - - -
8eaac030 by Endi S. Dewata at 2021-03-29T18:09:24-05:00
Update log messages in ProfileSubsystem.init()

- - - - -
c9955024 by Endi S. Dewata at 2021-03-30T11:18:56-05:00
Remove unused CertificateRepository.mRequestBaseDN

- - - - -
6286d12e by Endi S. Dewata at 2021-03-30T11:18:59-05:00
Clean up CertificateRepository constructor

The CertificateRepository constructor has been modified to
remove the base DN params.

- - - - -
ba964bec by Endi S. Dewata at 2021-03-30T11:19:01-05:00
Remove redundant CertificateRepository.dbSubsystem

- - - - -
35c0c3e4 by Endi S. Dewata at 2021-03-30T16:43:45-05:00
Remove redundant CertificateRepository.getDN()

- - - - -
4a39266b by Endi S. Dewata at 2021-03-30T16:43:45-05:00
Clean up CRLRepository constructor

The CRLRepository constructor has been modified to remove the
base DN param.

- - - - -
d90b561c by Endi S. Dewata at 2021-03-30T16:43:45-05:00
Remove redundant CRLRepository.dbSubsystem

- - - - -
4011e9b2 by Endi S. Dewata at 2021-03-30T16:43:45-05:00
Remove redundant CRLRepository.getDN()

- - - - -
279fbc79 by Endi S. Dewata at 2021-03-30T16:43:45-05:00
Clean up ReplicaIDRepository constructor

The ReplicaIDRepository constructor has been modified to remove
the base DN param.

- - - - -
5d61ec14 by Endi S. Dewata at 2021-03-30T16:43:45-05:00
Remove redundant RequestRepository.dbSubsystem

- - - - -
b917a2d8 by Endi S. Dewata at 2021-03-30T16:48:51-05:00
Update log messages in CRLIssuingPoint.updateCRLNow()

- - - - -
3ec3a553 by Endi S. Dewata at 2021-03-30T16:48:53-05:00
Update log messages in CRLIssuingPoint.generateFullCRL()

- - - - -
db6ad974 by Endi S. Dewata at 2021-03-30T16:48:54-05:00
Update log messages in CRLIssuingPoint.generateDeltaCRL()

- - - - -
929451d3 by Endi S. Dewata at 2021-03-30T19:31:22-05:00
Update log messages in RevocationProcessor.processRevocationRequest()

- - - - -
2938dca4 by Endi S. Dewata at 2021-03-30T19:32:07-05:00
Update log messages in RevocationProcessor.processUnrevocationRequest()

- - - - -
24749820 by Endi S. Dewata at 2021-03-30T19:32:07-05:00
Update log messages in CertificateRepository.isCertificateRevoked()

- - - - -
c7125abb by Endi S. Dewata at 2021-03-31T10:20:16-05:00
Clean up tests for PKI tools

- - - - -
f56c7f48 by Endi S. Dewata at 2021-03-31T11:06:37-05:00
Update CryptoUtil.createX509CertInfo()

The CryptoUtil.createX509CertInfo() has been modified to take
a CertificateExtensions parameter.

- - - - -
458cfb94 by Endi S. Dewata at 2021-03-31T11:06:37-05:00
Update default params for pki nss-cert-request and nss-cert-issue

- - - - -
b162c939 by Endi S. Dewata at 2021-03-31T11:06:37-05:00
Add hash parameter for pki nss-cert-issue

- - - - -
7267186b by Endi S. Dewata at 2021-03-31T13:36:48-05:00
Add test for creating CA agent

- - - - -
ee0badcd by Endi S. Dewata at 2021-03-31T13:36:48-05:00
Add test for creating and revoking CA agent cert

- - - - -
44d8ba0c by Endi S. Dewata at 2021-03-31T13:36:48-05:00
Add test for issuing SSL server cert using PKI NSS CLI

- - - - -
eefa742e by Endi S. Dewata at 2021-03-31T13:36:48-05:00
Add pki-server ca-cert-find

The pki-server ca-cert-find has been added to list the
certs in the DS when the PKI server is not running.

- - - - -
2e5f79e3 by Endi S. Dewata at 2021-04-01T10:37:02-05:00
Update log messages in NSSDatabase

- - - - -
1279f195 by Endi S. Dewata at 2021-04-01T12:25:54-05:00
Add test for generating cert with existing key

- - - - -
515e7f51 by Endi S. Dewata at 2021-04-01T19:36:38-05:00
Fix PKCS10Client -x parameter

Previously the -x parameter in PKCS10Client was parsed but
never used. The code has been modified to use the parameter
to select the key usage mask when generating an EC key.

- - - - -
b6fb1a50 by Endi S. Dewata at 2021-04-05T09:39:28-05:00
Move notifiers from CAEngine to CMSEngine

- - - - -
fdc56a0b by Endi S. Dewata at 2021-04-05T09:39:32-05:00
Move notifiers from KeyRecoveryAuthority to CMSEngine

- - - - -
947fc3d9 by Endi S. Dewata at 2021-04-05T10:58:11-05:00
Move LdapUnrevocationListener into separate file

- - - - -
9391d644 by Endi S. Dewata at 2021-04-05T11:00:10-05:00
Move LdapRevocationListener into separate file

- - - - -
2f5fad2b by Endi S. Dewata at 2021-04-05T11:01:59-05:00
Move LdapRenewalListener into separate file

- - - - -
15aba464 by Endi S. Dewata at 2021-04-05T11:03:59-05:00
Move LdapEnrollmentListener into separate file

- - - - -
e6e92e27 by Endi S. Dewata at 2021-04-05T11:24:47-05:00
Remove redundant ICertAuthority.getCertificateRepository()

- - - - -
16e3840b by Endi S. Dewata at 2021-04-05T11:24:49-05:00
Refactor RequestNotifier.checkAvailablePublishingConnections()

The code in RequestNotifier.checkAvailablePublishingConnections()
only works in CA so it has been moved into CANotify.

- - - - -
5fca754f by Endi S. Dewata at 2021-04-05T11:39:07-05:00
Refactor PublisherProcessor.mLdapRequestListener

The PublisherProcessor.mLdapRequestListener has been converted
into IRequestListener to remove dependency on LdapRequestListener.

- - - - -
39612940 by Endi S. Dewata at 2021-04-05T14:35:20-05:00
Merge IReplicaIDRepository into ReplicaIDRepository

- - - - -
dd25b87b by Endi S. Dewata at 2021-04-05T14:35:21-05:00
Add PublishingConfig

The PublishingConfig has been added to encapsulate ca.publish.*
parameters.

- - - - -
429af6fe by Endi S. Dewata at 2021-04-05T14:35:23-05:00
Add PublishingPublisherConfig

The PublishingPublisherConfig has been added to encapsulate
ca.publish.publisher.* parameters.

- - - - -
79d6af4c by Endi S. Dewata at 2021-04-05T14:35:23-05:00
Add PublishingMapperConfig

The PublishingMapperConfig has been added to encapsulate
ca.publish.mapper.* parameters.

- - - - -
8c7ee283 by Endi S. Dewata at 2021-04-05T14:35:23-05:00
Add PublishingRuleConfig

The PublishingRuleConfig has been added to encapsulate
ca.publish.rule.* parameters.

- - - - -
1612f615 by Endi S. Dewata at 2021-04-05T14:49:00-05:00
Split PublisherProcessor into CAPublisherProcessor

The CA-specific code in PublisherProcessor has been moved
into CAPublisherProcessor.

- - - - -
40c44d47 by Endi S. Dewata at 2021-04-05T14:49:00-05:00
Move LdapRequestListener to pki-ca

- - - - -
232d60c7 by Endi S. Dewata at 2021-04-05T14:49:00-05:00
Move CAPublisherProcessor to pki-ca

- - - - -
e5f2cafc by Endi S. Dewata at 2021-04-05T14:49:00-05:00
Move LocalConnector to pki-ca

- - - - -
4d209526 by Endi S. Dewata at 2021-04-06T12:53:06-05:00
Move GetTransportCert to pki-kra

- - - - -
f046985b by Endi S. Dewata at 2021-04-06T12:53:08-05:00
Move IRequestQueue.getRequestRepository() to CAEngine

- - - - -
57aa2f37 by Endi S. Dewata at 2021-04-06T12:53:11-05:00
Refactor Repository constructor

The Repository constructor has been modified to take radix and
repository ID parameters.

- - - - -
994f0135 by Endi S. Dewata at 2021-04-06T12:53:13-05:00
Replace Repository.mRepo with repository config

The Repository.mRepo field that contains the repository ID
has been replaced with a repositoryConfig Hashtable.

- - - - -
90db55c8 by Endi S. Dewata at 2021-04-06T12:53:16-05:00
Remove unused methods in DBSubsystem

- - - - -
8f68df8f by Endi S. Dewata at 2021-04-06T12:53:16-05:00
Refactor repository config initialization

The code that initializes repository configs in DBSubsystem
has been moved into each repository constructor.

- - - - -
93893132 by Endi S. Dewata at 2021-04-06T17:33:41-05:00
Remove DBSubsystem singleton

The CMSEngine has been modified to create a new DBSubsystem
instance instead of use a singleton.

- - - - -
c0c1983f by Endi S. Dewata at 2021-04-06T17:34:20-05:00
Merge IRequestQueue into ARequestQueue

- - - - -
ecfbd717 by Endi S. Dewata at 2021-04-06T18:02:51-05:00
Refactor ARequestQueue.newRequest()

The ARequestQueue.newRequest() has been modified to take a
request ID.

- - - - -
3001de08 by Endi S. Dewata at 2021-04-06T18:04:25-05:00
Refactor CANotify constructor

The CANotify constructor has been modified to no longer
take a CertificateAuthority object.

- - - - -
7a618296 by Endi S. Dewata at 2021-04-06T18:09:35-05:00
Add RequestNotifier.getRequestRepository()

The RequestNotifier.getRequestRepository() has been added
to provide the request repository object.

- - - - -
c7e41c46 by Endi S. Dewata at 2021-04-06T18:09:54-05:00
Remove unused methods in ARequestQueue

- - - - -
925006c4 by Endi S. Dewata at 2021-04-06T18:11:42-05:00
Refactor KeyRequestDAO.getTransientData()

The KeyRequestDAO.getTransientData() has been modified to
get the KeyRecoveryAuthority object from KRAEngine.

- - - - -
520a02da by Endi S. Dewata at 2021-04-06T18:16:23-05:00
Refactor CMSRequestDAO.queue

The CMSRequestDAO.queue has been modified such that it will
be initialized by CMSRequestDAO subclasses.

- - - - -
82f7d2c5 by dpuniaredhat at 2021-04-07T19:36:59+05:30
Disable allow failure on QE upstream pipeline (#3494)

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
07f4c43a by Endi S. Dewata at 2021-04-07T09:19:51-05:00
Remove unused DBSubsystem.mRepos

- - - - -
bcd4b32c by Endi S. Dewata at 2021-04-07T09:19:53-05:00
Move DBSubsystem.setMin/MaxSerialConfig() to Repository

- - - - -
8ce2f2dc by Endi S. Dewata at 2021-04-07T09:19:54-05:00
Move DBSubsystem.setNextMin/MaxSerialConfig() to Repository

- - - - -
3b7ab61d by Endi S. Dewata at 2021-04-07T09:44:25-05:00
Move DBSubsystem.getNextRange() to Repository

- - - - -
96786ec9 by Endi S. Dewata at 2021-04-07T09:44:25-05:00
Move DBSubsystem.hasRangeConflict() to Repository

- - - - -
f5849ec1 by Endi S. Dewata at 2021-04-07T09:44:25-05:00
Move DBSubsystem.getNextMin/MaxSerialConfig() to Repository

- - - - -
c3ca0959 by Endi S. Dewata at 2021-04-07T10:36:42-05:00
Remove redundant DBSubsystem.NAME

- - - - -
961ffdd3 by Endi S. Dewata at 2021-04-07T15:20:58-05:00
Replace DBSubsystem.PROP_BASEDN with Repository.mBaseDN

- - - - -
cf5e092f by Endi S. Dewata at 2021-04-07T15:21:20-05:00
Replace DBSubsystem.PROP_RANGE_DN with Repository.rangeDN

- - - - -
8a9bb61d by Endi S. Dewata at 2021-04-07T15:22:00-05:00
Replace DBSubsystem.PROP_MIN with Repository.mMinSerialNo

- - - - -
3146efa5 by Endi S. Dewata at 2021-04-07T15:29:07-05:00
Replace DBSubsystem.PROP_MAX with Repository.mMaxSerialNo

- - - - -
f1edf67c by Endi S. Dewata at 2021-04-07T15:29:07-05:00
Replace DBSubsystem.PROP_NEXT_MIN with Repository.mNextMinSerialNo

- - - - -
1be8e849 by Endi S. Dewata at 2021-04-07T15:31:14-05:00
Replace DBSubsystem.PROP_NEXT_MAX with Repository.mNextMaxSerialNo

- - - - -
8c27fa49 by Endi S. Dewata at 2021-04-07T15:31:14-05:00
Replace DBSubsystem.PROP_LOW_WATER_MARK with Repository.mLowWaterMarkNo

- - - - -
734c06c7 by Endi S. Dewata at 2021-04-07T15:31:14-05:00
Replace DBSubsystem.PROP_INCREMENT with Repository.mIncrementNo

- - - - -
144234ea by Endi S. Dewata at 2021-04-07T15:31:14-05:00
Clean up OCSP test artifacts

The OCSP tests have been modified to store PKI and DS config
files and log files into a single file.

- - - - -
2824c7e5 by Endi S. Dewata at 2021-04-07T19:10:32-05:00
Update log messages in PublisherProcessor.getRules()

- - - - -
a1eeb629 by Endi S. Dewata at 2021-04-07T19:10:32-05:00
Update log messages in LdapSimpleMap

- - - - -
f5a02cd2 by Endi S. Dewata at 2021-04-07T19:17:41-05:00
Update log messages in LdapCaSimpleMap

- - - - -
43613046 by Endi S. Dewata at 2021-04-07T19:21:59-05:00
Update log messages in LdapCrlPublisher

- - - - -
7c25ef38 by Endi S. Dewata at 2021-04-07T19:21:59-05:00
Update log messages in LdapUserCertPublisher

- - - - -
ec110e58 by Endi S. Dewata at 2021-04-07T19:21:59-05:00
Update log messages in LdapRule

- - - - -
8e719766 by Endi S. Dewata at 2021-04-07T19:25:36-05:00
Update log messages in LdapSimpleExpression

- - - - -
7306e97e by Endi S. Dewata at 2021-04-08T09:30:22-05:00
Update docs for deploying ACME with DS on OpenShift

- - - - -
988939d0 by Endi S. Dewata at 2021-04-08T11:32:05-05:00
Remove redundant Repository.setSerialNumber()

- - - - -
b4114079 by Endi S. Dewata at 2021-04-08T11:32:08-05:00
Remove unused Repository.mNext

- - - - -
b3ff1117 by Endi S. Dewata at 2021-04-08T11:32:10-05:00
Remove unused Repository.BI_INCREMENT

- - - - -
f0d33a2f by Endi S. Dewata at 2021-04-08T11:32:13-05:00
Remove unused IRepository.resetSerialNumber()

- - - - -
4b56cbdd by Endi S. Dewata at 2021-04-08T11:32:16-05:00
Remove unused ARequestQueue.getPagedRequests()

- - - - -
081eb1e9 by Endi S. Dewata at 2021-04-08T11:32:17-05:00
Move ListEnumeration into separate file

- - - - -
8b58bf79 by Endi S. Dewata at 2021-04-08T11:32:21-05:00
Move SearchEnumeration into separate file

- - - - -
97f3daf9 by Endi S. Dewata at 2021-04-08T13:07:22-05:00
Add test for PKI NSS CLI with ECC

- - - - -
ea9ddaf5 by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Move KRA's request repository and queue into CMSEngine

- - - - -
e6d0bd00 by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Remove redundant ARequestNotifier.getRequestQueue()

- - - - -
b7606ee8 by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Remove redundant Profile.getRequestQueue()

- - - - -
288c4927 by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Remove redundant IAuthority.getRequestQueue()

- - - - -
dcb87d4c by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Remove redundant ICertificateAuthority.getRequestQueue()

- - - - -
05929a14 by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Remove redundant IKeyRecoveryAuthority.getRequestQueue()

- - - - -
d2560cf1 by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Remove redundant IRegistrationAuthority.getRequestQueue()

- - - - -
393766d1 by Endi S. Dewata at 2021-04-08T13:32:51-05:00
Remove redundant ITKSAuthority.getRequestQueue()

- - - - -
4439263d by Endi S. Dewata at 2021-04-08T13:34:35-05:00
Remove redundant CertificateAuthority.getRequestQueue()

- - - - -
ba213056 by Endi S. Dewata at 2021-04-08T13:34:38-05:00
Remove redundant KeyRecoveryAuthority.getRequestQueue()

- - - - -
c16db929 by Endi S. Dewata at 2021-04-08T13:34:41-05:00
Remove redundant OCSPAuthority.getRequestQueue()

- - - - -
05f750a7 by Endi S. Dewata at 2021-04-08T13:35:00-05:00
Remove redundant TKSAuthority.getRequestQueue()

- - - - -
49867ef2 by Endi S. Dewata at 2021-04-08T13:35:06-05:00
Remove redundant TPSSubsystem.getRequestQueue()

- - - - -
30aa783a by Endi S. Dewata at 2021-04-08T13:35:12-05:00
Remove redundant ChallengePhraseAuthentication.getReqQueue()

- - - - -
ae4a72a9 by Endi S. Dewata at 2021-04-08T13:35:20-05:00
Remove redundant SSLClientCertAuthentication.getReqQueue()

- - - - -
045d59cc by Endi S. Dewata at 2021-04-08T13:35:24-05:00
Remove redundant CMSEngine.getReqQueue()

- - - - -
02f2da00 by Endi S. Dewata at 2021-04-08T13:35:27-05:00
Remove redundant KeyRecoveryAuthority.getRequestRepository()

- - - - -
40ea7b87 by Endi S. Dewata at 2021-04-08T13:35:32-05:00
Remove redundant RequestNotifier.getRequestRepository()

- - - - -
7c044623 by Endi S. Dewata at 2021-04-08T15:55:01-05:00
Remove redundant EnrollmentRequest

- - - - -
e734153b by Endi S. Dewata at 2021-04-08T17:53:54-05:00
Remove redundant ARequestQueue.createRequest()

- - - - -
185f62f2 by Endi S. Dewata at 2021-04-08T17:53:58-05:00
Merge ARequestRecord into RequestRecord

- - - - -
7a8775b1 by Endi S. Dewata at 2021-04-08T18:36:23-05:00
Merge IRequestRecord into RequestRecord

- - - - -
69e08bec by Endi S. Dewata at 2021-04-08T18:36:26-05:00
Convert anonymous RequestAttr into RequestType

- - - - -
31fc25ef by Endi S. Dewata at 2021-04-08T18:36:26-05:00
Add IRequest.setCreationTime() and setModificationTime()

- - - - -
2e38b81c by Endi S. Dewata at 2021-04-08T18:36:26-05:00
Remove unused IRequestMod from RequestAttr.read()

- - - - -
0eb3f190 by Endi S. Dewata at 2021-04-08T18:36:26-05:00
Remove unused IRequestMod from RequestRecord.read()

- - - - -
b4d4ceeb by Endi S. Dewata at 2021-04-08T18:36:26-05:00
Remove unused IRequestMod

- - - - -
05275461 by Endi S. Dewata at 2021-04-08T18:36:26-05:00
Add RequestRecord.toRequest()

- - - - -
5b6a6f7b by Endi S. Dewata at 2021-04-08T18:36:26-05:00
Replace RequestQueue.makeRequest() with RequestRecord.toRequest()

- - - - -
ed07e270 by Endi S. Dewata at 2021-04-09T11:32:10-05:00
Merge RequestQueue.getLastRequestIdInRange() into RequestRepository

- - - - -
7f806d08 by Endi S. Dewata at 2021-04-09T11:32:10-05:00
Merge ARequestQueue.getPagedRequestsByFilter()

- - - - -
f68f86e0 by Endi S. Dewata at 2021-04-09T12:37:22-05:00
Move RequestQueue.getPagedRequestsByFilter() into RequestRepository

- - - - -
2b178ff4 by Endi S. Dewata at 2021-04-09T12:37:22-05:00
Remove unused RequestRepository.mRequestQueue

- - - - -
49d4716a by Endi S. Dewata at 2021-04-09T13:46:35-05:00
Remove unused Repository.getSerialNumber()

- - - - -
88e095e0 by Endi S. Dewata at 2021-04-09T13:46:36-05:00
Remove unused DBSubsystem.mNextSerialConfig

- - - - -
9aaf6868 by Endi S. Dewata at 2021-04-09T13:46:36-05:00
Move ARequestQueue.newRequestId() into RequestRepository

- - - - -
03e2a855 by Endi S. Dewata at 2021-04-09T13:46:36-05:00
Move ARequestQueue.newEphemeralRequestId() into RequestRepository

- - - - -
c8044bbe by Endi S. Dewata at 2021-04-09T13:46:36-05:00
Move ARequestQueue.cloneRequest() into RequestQueue

- - - - -
204c2dcf by Endi S. Dewata at 2021-04-09T13:46:36-05:00
Move ARequestQueue.newRequest() into RequestRepository

- - - - -
4df39b8c by Endi S. Dewata at 2021-04-09T13:54:38-05:00
Move RequestQueue.newRequest() to RequestRepository

- - - - -
f2168b8d by Endi S. Dewata at 2021-04-09T13:54:38-05:00
Move RequestQueue.addRequest() to RequestRepository

- - - - -
86497d8f by Endi S. Dewata at 2021-04-09T16:31:04-05:00
Remove redundant CertificateRepository.createCertRecord()

- - - - -
ba94e261 by Endi S. Dewata at 2021-04-09T16:52:14-05:00
Move CAConfigurator.createCertRecord() into CertificateRepository

- - - - -
0beb04af by Endi S. Dewata at 2021-04-09T16:52:15-05:00
Move ARequestQueue.updateRequest() to RequestQueue

- - - - -
9fd8bdc2 by Endi S. Dewata at 2021-04-09T16:52:15-05:00
Move RequestQueue.modifyRequest() to RequestRepository

- - - - -
daebec6f by Endi S. Dewata at 2021-04-09T16:52:15-05:00
Remove redundant ARequestQueue.setRequestStatus()

- - - - -
f3b674c5 by Endi S. Dewata at 2021-04-09T17:01:05-05:00
Rename CertInfoProfile into BootstrapProfile

- - - - -
b449cdf2 by Endi S. Dewata at 2021-04-09T17:17:19-05:00
Move CAConfigurator.initCertRequest() to CAEngine

- - - - -
589b3828 by Endi S. Dewata at 2021-04-09T17:17:19-05:00
Move CAConfigurator.updateLocalRequest() to CAEngine

- - - - -
8099d25c by Endi S. Dewata at 2021-04-12T13:24:12-05:00
Add scripts to save test artifacts

- - - - -
bffbb0ca by Endi S. Dewata at 2021-04-12T13:24:12-05:00
Clean up TKS test artifacts

The TKS tests have been modified to store PKI and DS config
and log files into a single tarball.

- - - - -
4997c3e8 by Endi S. Dewata at 2021-04-12T13:24:12-05:00
Clean up TPS test artifacts

The TPS tests have been modified to store PKI and DS config
and log files into a single tarball.

- - - - -
2afe6141 by Endi S. Dewata at 2021-04-12T13:31:36-05:00
Clean up ACME test artifacts

The ACME tests have been modified to store PKI and DS config
and log files into a single tarball.

- - - - -
70ca1ab0 by Endi S. Dewata at 2021-04-12T15:27:53-05:00
Clean up IPA test artifacts

The IPA tests have been modified to store IPA, PKI, and DS
config and log files into a single tarball.

- - - - -
27e6e67f by Endi S. Dewata at 2021-04-12T15:27:53-05:00
Clean up QE test artifacts

The QE tests have been modified to store PKI and DS config
and log files into a single tarball.

- - - - -
6fc465f8 by Endi S. Dewata at 2021-04-12T18:24:37-05:00
Fix UpdateAllowLinking.update_context_xml()

The UpdateAllowLinking.update_context_xml() has been modified
to check whether the context.xml exists before upgrading it.

- - - - -
6cb4fd96 by Endi S. Dewata at 2021-04-12T18:24:40-05:00
Split RequestRepository for certs and keys

The RequestRepository has been split into CertRequestRepository
and KeyRequestRepository which use different filters.

- - - - -
64d22050 by dpuniaredhat at 2021-04-13T17:52:36+05:30
acme upstream pipeline fixes (#3496)

Fixes the ACME OpenShift database file entry. Earlier it was using the default commented PostgreSQL entry.

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
cfbff0cd by Endi S. Dewata at 2021-04-13T18:27:01-05:00
Clean up CryptoUtil.generateECCKeyPair() parameters

The CryptoUtil.generateECCKeyPair() parameters have been
reordered for consistency with generateRSAKeyPair().

- - - - -
edb7204a by Endi S. Dewata at 2021-04-14T10:45:30-05:00
Move GenerateKeyPairServlet to pki-kra

- - - - -
86ca2d43 by Endi S. Dewata at 2021-04-14T13:40:43-05:00
Move RequestQueue.readRequest() to RequestRepository

- - - - -
b20fb3f0 by Endi S. Dewata at 2021-04-14T13:40:43-05:00
Add CAEngine.getCertRequestRepository()

- - - - -
8c6aff1e by Endi S. Dewata at 2021-04-14T13:40:43-05:00
Add KRAEngine.getKeyRequestRepository()

- - - - -
ed885382 by Endi S. Dewata at 2021-04-14T20:49:00-05:00
Merge CertificateAuthority.createCertInfo() into CAConfigurator

- - - - -
1acf07a5 by Endi S. Dewata at 2021-04-14T20:49:03-05:00
Refactor CAEngine.updateCertRequest()

The CAEngine.updateCertRequest() has been modified to take
an X500Name subjectName instead of String.

- - - - -
ce4d7551 by Endi S. Dewata at 2021-04-15T15:12:50-05:00
Refactor Configurator.createLocalCert()

The Configurator.createLocalCert() has been modified to take
issuer DN and signing private key parameters.

- - - - -
899f5ed5 by Endi S. Dewata at 2021-04-15T15:12:50-05:00
Remove unused fields reported by Eclipse

- - - - -
93251e37 by Endi S. Dewata at 2021-04-15T15:12:50-05:00
Replace deprecated Boolean constructor

- - - - -
4149088e by Endi S. Dewata at 2021-04-15T15:12:50-05:00
Replace deprecated Integer constructor

- - - - -
78998acc by Endi S. Dewata at 2021-04-15T15:12:50-05:00
Replace deprecated Long constructor

- - - - -
567692b4 by Endi S. Dewata at 2021-04-15T15:12:50-05:00
Replace deprecated Class.newInstance()

- - - - -
af8664e7 by Endi S. Dewata at 2021-04-15T15:12:50-05:00
Replace deprecated IOUtils.toString()

- - - - -
47597173 by Endi S. Dewata at 2021-04-15T16:01:47-05:00
Move RequestQueue.listRequestsByFilter() to RequestRepository (part 1)

- - - - -
064f7e16 by Endi S. Dewata at 2021-04-15T16:01:47-05:00
Move RequestQueue.listRequestsByFilter() to RequestRepository (part 2)

- - - - -
01fbbafb by Endi S. Dewata at 2021-04-15T16:05:59-05:00
Move RequestQueue.listRequestsByFilter() to RequestRepository (part 3)

- - - - -
b190a9ed by Endi S. Dewata at 2021-04-15T17:48:13-05:00
Move ARequestQueue.recoverWillBlock() to RequestQueue

- - - - -
25a0911b by Endi S. Dewata at 2021-04-15T17:48:13-05:00
Replace RequestQueue.findRequest() in CMSRequestDAO

- - - - -
921a0717 by Endi S. Dewata at 2021-04-15T17:48:13-05:00
Replace RequestQueue.findRequest() in CMSServlet

- - - - -
a170d8a9 by Endi S. Dewata at 2021-04-15T17:48:13-05:00
Replace RequestQueue.findRequest() with RequestRepository.readRequest()

- - - - -
00c0c419 by Endi S. Dewata at 2021-04-15T20:17:12-05:00
Split ProcessReq for certs and keys

- - - - -
bd423877 by Endi S. Dewata at 2021-04-15T20:17:12-05:00
Split SearchReqs for certs and keys

- - - - -
35f3a973 by Endi S. Dewata at 2021-04-15T20:23:59-05:00
Split QueryReq for certs and keys

- - - - -
38ddfb50 by Endi S. Dewata at 2021-04-15T20:23:59-05:00
Move GetCertFromRequest to pki-ca

- - - - -
84cbbe9f by Endi S. Dewata at 2021-04-15T20:23:59-05:00
Move ImportCertsTemplateFiller to pki-ca

- - - - -
a6efac62 by Endi S. Dewata at 2021-04-15T20:23:59-05:00
Move GetEnableStatus to pki-ca

- - - - -
96dac5fa by Endi S. Dewata at 2021-04-15T20:23:59-05:00
Move CertReqParser to pki-ca

- - - - -
c90ae080 by Endi S. Dewata at 2021-04-15T20:23:59-05:00
Move KeyReqParser to pki-kra

- - - - -
f7d15bed by Endi S. Dewata at 2021-04-19T10:02:59-05:00
Replace RequestStatus.fromString() with valueOf()

- - - - -
c86aca59 by Endi S. Dewata at 2021-04-19T13:28:55-05:00
Add JSON converter for CertRequestInfos

- - - - -
b4ccf4b8 by Endi S. Dewata at 2021-04-19T14:37:48-05:00
Move CMSEngine.initCertRequest() to CertRequestRepository

- - - - -
85810814 by Endi S. Dewata at 2021-04-19T14:53:47-05:00
Move CAEngine.updateCertRequest() to CertRequestRepository

- - - - -
0835ad75 by Endi S. Dewata at 2021-04-19T15:29:22-05:00
Swap params in CertRequestRepository.initRequest() and updateRequest()

- - - - -
76fff8d7 by Christina Fu at 2021-04-20T17:13:50-07:00
Update ServerSideKeygen.adoc
- - - - -
287bfdac by Christina Fu at 2021-04-22T16:14:11-07:00
Bug1952628 CRMF requests with non-SKID extensions

This patch addresses the issue where, if a CRMF request bears any extension
other than SKID, it fails to process.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1952628

- - - - -
642e25a3 by Endi S. Dewata at 2021-04-23T07:02:46-05:00
Fix cert file loading in CryptographyCryptoProvider

As suggested by cheimes, the CryptographyCryptoProvider
has been modified to load the cert file as binary.

Resolves: https://github.com/dogtagpki/pki/issues/3499

- - - - -
396241d1 by Christian Heimes at 2021-04-23T10:12:05-05:00
Make python-nss optional

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
e02f3934 by Christian Heimes at 2021-04-23T10:12:05-05:00
Remove deprecated DRM client

The code was marked as deprecated in commit f4aafb999e from 2014.

- - - - -
e005cb74 by Endi S. Dewata at 2021-04-23T10:30:56-05:00
Move ARequestQueue.markRequestPending() to RequestQueue

- - - - -
ea613d16 by Endi S. Dewata at 2021-04-23T10:30:59-05:00
Move ARequestQueue.cancelRequest() to RequestQueue

- - - - -
83873611 by Endi S. Dewata at 2021-04-23T10:31:02-05:00
Move ARequestQueue.rejectRequest() to RequestQueue

- - - - -
48dc1ba4 by Endi S. Dewata at 2021-04-23T10:31:06-05:00
Move ARequestQueue.approveRequest() to RequestQueue

- - - - -
5203e26e by Endi S. Dewata at 2021-04-23T10:31:08-05:00
Move ARequestQueue.markAsServiced() to RequestQueue

- - - - -
c03c8c87 by Endi S. Dewata at 2021-04-26T13:05:55-05:00
Remove unused SecurityDomainLogin servlet

- - - - -
30274623 by Endi S. Dewata at 2021-04-26T13:05:55-05:00
Remove unused LoginServlet

- - - - -
cdf7fe10 by Endi S. Dewata at 2021-04-26T13:05:55-05:00
Remove unused BaseServlet

- - - - -
87ec464c by Endi S. Dewata at 2021-04-26T13:05:55-05:00
Remove velocity dependency

The remaining servlets that use velocity have been removed
since they are no longer used so the velocity dependency
can be removed as well.

Resolves: #1952969

- - - - -
fd06a6d6 by Endi S. Dewata at 2021-04-27T07:58:56-05:00
Reorganized ACME database configuration docs

- - - - -
41d0ddab by Chris Kelley at 2021-04-30T17:54:29+01:00
Remove unused istack-commons-runtime.jar from classpath

Resolves build issue in f33+
- - - - -
994650a9 by Endi S. Dewata at 2021-05-03T21:53:57-05:00
Fix missing pip3 in QE test

- - - - -
93eed0ce by Endi S. Dewata at 2021-05-03T23:25:14-05:00
Reorganize CA sources

The CA main and test code has been moved into base/ca/src/main
and base/ca/src/test. All references have been updated.

- - - - -
6928ce60 by dependabot[bot] at 2021-05-04T14:21:00-05:00
Bump commons-io from 2.6 to 2.7

Bumps commons-io from 2.6 to 2.7.

Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
c78b43c2 by Endi S. Dewata at 2021-05-04T14:44:19-05:00
Reorganize KRA sources

The KRA main and test code has been moved into base/kra/src/main
and base/kra/src/test. All references have been updated.

- - - - -
7fd5cb49 by Endi S. Dewata at 2021-05-04T15:45:05-05:00
Reorganize OCSP sources

The OCSP sources have been moved into base/ocsp/src/main.
All references have been updated.

- - - - -
9f8abf63 by Endi S. Dewata at 2021-05-04T17:04:41-05:00
Reorganize TKS sources

The TKS sources have been moved into base/tks/src/main.
All references have been updated.

- - - - -
0f95c778 by Endi S. Dewata at 2021-05-04T17:48:15-05:00
Reorganize TPS sources

The TPS sources have been moved into base/tps/src/main.
All references have been updated.

- - - - -
5b1578e4 by Endi S. Dewata at 2021-05-04T17:50:35-05:00
Reorganize Console sources

The Console sources have been moved into base/console/src/main.
All references have been updated.

- - - - -
189d16fa by Endi S. Dewata at 2021-05-04T18:31:05-05:00
Reorganize Server sources

The Server main and test sources have been moved into
base/server/src/main and base/server/src/test. All references
have been updated.

- - - - -
5271e8af by Endi S. Dewata at 2021-05-04T19:05:25-05:00
Remove unused CMake variables

- - - - -
1e947dc5 by Endi S. Dewata at 2021-05-04T19:54:37-05:00
Reorganize Tomcat sources

The Tomcat sources have been moved into base/tomcat/src/main
and base/tomcat-9.0/src/main. All references have been updated.

- - - - -
6b610b53 by Pritam Singh at 2021-05-05T15:05:53+05:30
Added_fix_for_upstream_topo_00_master (#3507)

[SKIP CI]
Added_fix_for_upstream_topo_00_master

Signed-off-by: Pritam Singh <prisingh at redhat.com>
- - - - -
1599f78a by Chris Kelley at 2021-05-06T14:49:37+01:00
Replace deprecated java.awt.Dialog::{hide,show} with setVisible(boolean)

These methods were deprecated in Java 1.5. They are overrides of methods
defined in java.awt.Component, which were themselves deprecated back in
Java 1.1! Some care was required as we could change behaviour
if we defined a subclass of Dialog and override show() or hide(), but I
couldn't find any examples of this in the codebase so I think we're
fine.
- - - - -
a1afd954 by Endi S. Dewata at 2021-05-06T18:16:12-05:00
Update QE tests

The QE tests have been modified to run on the latest
Ubuntu container and use the latest python-ansible.

- - - - -
b36fe2ee by Endi S. Dewata at 2021-05-06T18:16:20-05:00
Remove unused commons-httpclient.jar from .classpath

- - - - -
4cdf952a by Chris Kelley at 2021-05-07T10:37:28+01:00
Replace JTable.createScrollPaneForTable with JScrollPane constructor

The JTable method is deprecated.

- - - - -
5528d202 by Chris Kelley at 2021-05-07T10:37:28+01:00
Replace deprecated JTable::sizeColumnsToFit(true) with JTable.doLayout()
- - - - -
193ce9d6 by Chris Kelley at 2021-05-07T10:37:28+01:00
Replace deprecated Sui{OptionPane,Table} with J{OptionPane,Table}

I couldn't find any source for
com.netscape.management.nmclf.SuiOptionPane, but the bytecode says it
extends JOptionPane. Replacing references with the superclass compiles
but my bytecode reading isn't strong enough to see if the Sui version,
whatever it is, overloaded either of these methods.
- - - - -
6d318e74 by Chris Kelley at 2021-05-07T15:57:42+01:00
Remove unnecessary @SuppressWarnings annotations

No functional change, just unnecessary instructions for the compiler.
- - - - -
f8c62034 by Chris Kelley at 2021-05-07T15:57:42+01:00
Remove unused private methods

Not called within their classes so just clutter.

ConfigurationTest.generateCRMFRequest has been made public; we want to
keep this method and make it accessible via the CLI.

- - - - -
932e4dad by Chris Kelley at 2021-05-07T15:57:42+01:00
Remove unused field mQueue from CheckRequest

Removing this field makes the local variable engine redundant, so this
too is removed.
- - - - -
6dc331a4 by Endi S. Dewata at 2021-05-07T09:58:13-05:00
Remove JNA dependency

The SystemdStartupNotifier has been renamed to SystemdNotifier
and modified to use systemd-notify instead of JNA to notify
other systems when the subsystem is ready.

Since the SystemdNotifier is no longer dependent on JNA, it
has been moved into pki-server.jar and the JNA dependency has
been dropped.

The StartupNotifier has been renamed into SubsystemListener
such that it can be expanded to listen to other subsystem
events (e.g. shutdown).

Resolves: #1953671

- - - - -
ef9b9bdf by Fraser Tweedale at 2021-05-07T09:58:13-05:00
SystemdNotifier: document how to configure systemd unit

- - - - -
e202ef69 by Endi S. Dewata at 2021-05-07T11:04:22-05:00
Reorganize ACME issuer doc

- - - - -
6d706a47 by Endi S. Dewata at 2021-05-07T13:07:14-05:00
Reorganize ACME realm doc

- - - - -
b79c8e87 by Endi S. Dewata at 2021-05-07T14:27:00-05:00
Add ACME metadata doc

- - - - -
a497903c by Endi S. Dewata at 2021-05-07T17:18:40-05:00
Update ACME install doc

- - - - -
0a8a1083 by fdelehay at 2021-05-10T17:51:12+02:00
Update Nuxwdog.md

typo in command
- - - - -
400fbaec by Tomasz Torcz at 2021-05-10T12:59:55-05:00
acme: don't fail on resubmitted valid challenges

Some acme clients, like cert-manager, happen to resubmit already
valid challenges. This is not 100% in line with RFC8555, but it is
not a reason to throw Exception.

- - - - -
82ab12ac by Endi S. Dewata at 2021-05-11T11:30:20-05:00
Restore pytest-ansible 2.2.3

Previously the requirements.txt was changed in commit
a1afd9548bd241520d0ef3924fa57ef9569056be to remove
the explicit version number for pytest-ansible. Since
it's causing some problems the change is reverted.

- - - - -
c92a0bb9 by Chris Kelley at 2021-05-13T16:27:03+01:00
Update GitHub workflows to run against F34 and not EOL F32
- - - - -
d36b82bd by Chris Kelley at 2021-05-13T22:15:42+01:00
Remove references to xml-commons.api.jar

This JAR contains packages/classes that are present in OpenJDK 11. As of
Java 9 it is a compile time failure for packages/classes to be available
from multiple modules. In order to be Java 11 compatible this JAR needs
to be removed and the multiply-sourced code sourced from the JDK.

References to the JAR in scripts, build tools etc have also been
removed.
- - - - -
c2f88ba3 by Endi S. Dewata at 2021-05-13T17:17:41-05:00
Fix installation with HSM

During installation with HSM the server is
stopped to import the permanent SSL server cert
into the NSS database. This operation creates
new files in the NSS database directory with a
wrong ownership and permissions, so the server
fails to start again.

To fix the problem the NSS database ownership
and permissions need to be reset after importing
the permanent SSL server cert.

- - - - -
3ef7c2b3 by Endi S. Dewata at 2021-05-13T20:21:14-05:00
Clean up deployment loggers

All loggers used for deployment have been changed to
use the module name such that they can be referred to
collectively as 'pki'.

- - - - -
f7f0a7e8 by Endi S. Dewata at 2021-05-14T18:50:20-05:00
Merge base/test into base/util/src/test

- - - - -
f22acd73 by Chris Kelley at 2021-05-17T16:23:08+01:00
Add new constructor to com.netscape.certsrv.base.Link class

The deprecated org.jboss.resteasy.plugins.providers.atom.Link has a
constructor with signature Link(String, URI), but our chosen temporary
replacement does not. As we are attempting to preserve the API by making
this temporary switch, I create a new constructor with the current
signature instead of modifying the calling code.

- - - - -
6c4c0759 by Chris Kelley at 2021-05-17T16:23:08+01:00
Fix createCreatedResponse methods that now expect URI, but take String
- - - - -
0db142b6 by Chris Kelley at 2021-05-17T16:23:08+01:00
Switch org.jboss.resteasy.plugins.providers.atom.Link for
com.netscape.certsrv.base.Link.Link

Converts old Link.getRel() -> new Link.getRelationship()
- - - - -
bef84e33 by Chris Kelley at 2021-05-17T21:57:21+01:00
Remove dependency on resteasy-atom-provider
- - - - -
6561bd3b by dpuniaredhat at 2021-05-18T19:55:27+05:30
Updating the IMG_NAME to execute QE test on Fedora 33 (#3531)

Currently QE tests are getting executed on Fedora 32; updating that to execute test cases on Fedora 33.

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
33e15f8b by Endi S. Dewata at 2021-05-18T17:59:54-05:00
Drop pytest-runner dependency

The dependency on pytest-runner has been dropped since
it has been deprecated.

Resolves: #1961613

- - - - -
73062597 by Christina Fu at 2021-05-18T16:09:32-07:00
Bug 1925311 RFE Add a Boolean to Not Allow a CA Certificate Issued Past Issuing CA's Validity

This RFE was a request for a boolean to disallow CA certs being issued past
the CA's own validity. As it turns out, such a boolean does exist in
CAValidityDefault.java which is a profile default plugin that's used
by the profile caCACert.cfg. The variable is called bypassCAnotafter.
When it's true, the requested CA signing cert is allowed to go past the
signing CA's notAfter, while if false (which is the default), the notAfter time
would be reset to match that of the signing CA's.
The problem is, as I found out during my investigation, there is a bug in
the plugin so it is always treated as false. I have it fixed in this patch.
However, I think the reporter didn't use this profile default plugin, as
if so they would not have reported the issue; I think the proper solution
should be a system-wide boolean in CS.cfg, although the additional one in
the plugin allows for finer control.
I'm leaving the fix in CAValidityDefault.java to get some feedback from
the reviewer.
The new boolean in CS.cfg is called ca.enablePastCATime

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1925311

- - - - -
1deeb245 by Chris Kelley at 2021-05-19T16:01:57+01:00
Replace deprecated PosixParser with DefaultParser
- - - - -
78e49942 by Chris Kelley at 2021-05-19T21:59:41+01:00
Remove redundant superinterface implementations
- - - - -
db7c9ee3 by Chris Kelley at 2021-05-20T10:26:04+01:00
Add missing @Deprecated annotations
- - - - -
82c94c27 by Chris Kelley at 2021-05-20T10:26:04+01:00
Add missing @Override annotations
- - - - -
f953f627 by Chris Kelley at 2021-05-20T21:46:11+01:00
Update Java.cmake to use Java 11 source and target
- - - - -
ea0b5782 by Chris Kelley at 2021-05-20T21:52:15+01:00
Remove unnecessary type specification and replace with diamond operator

Automatically generated by Eclipse
- - - - -
a9e560d6 by Chris Kelley at 2021-05-20T21:52:43+01:00
Replace deprecated Double constructor
- - - - -
4de8ba6a by Chris Kelley at 2021-05-21T15:37:26+01:00
Convert CertificateRepository to use try-with-resources
- - - - -
a2b4be29 by Chris Kelley at 2021-05-21T15:38:44+01:00
Remove unnecessary type specifications from anonymous inner classes
- - - - -
540b7c34 by Endi S. Dewata at 2021-05-26T16:42:16-05:00
Drop git dependency

- - - - -
b61557dc by Chris Kelley at 2021-06-01T22:38:44+01:00
Simplify AAclAuthz.isTypeUnique() method
- - - - -
75c6e375 by Chris Kelley at 2021-06-01T22:48:55+01:00
Remove unused log() method from JssSSLSocketFactory

No references to this method in the workspace
- - - - -
fc6bf07b by Chris Kelley at 2021-06-01T22:48:55+01:00
Autoformat JssSSLSocketFactory
- - - - -
8eb74c29 by Chris Kelley at 2021-06-01T22:49:40+01:00
Remove getExtensionAt() method

No references in the workspace
- - - - -
61fa1cb1 by Chris Kelley at 2021-06-01T22:49:40+01:00
Autoformat SingleResponse
- - - - -
156cac41 by Endi S. Dewata at 2021-06-01T23:47:59-05:00
Fix build.sh --without-test

The build.sh and pki.spec file have been modified not to
run the test when the --without-test option is specified.

- - - - -
0fe70dad by Endi S. Dewata at 2021-06-01T23:47:59-05:00
Fix CMake files to optionally build without test

The CMake files have been modified not to build the test
classes when the --without-test is specified.

- - - - -
52c44e40 by Endi S. Dewata at 2021-06-01T23:47:59-05:00
Remove unused code

- - - - -
51b7b226 by dpuniaredhat at 2021-06-02T13:41:26+05:30
Bug Automation 1925311 RFE Add a Boolean to Not Allow a CA Certificate Issued past issuing CA's Validity (#3545)

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
bd22a320 by Chandan Pinjani at 2021-06-03T16:10:15+05:30
Enabled beaker provisioning for pytest-ansible (#3542)

Signed-off-by: Chandan Pinjani <cpinjani at redhat.com>

Co-authored-by: Chandan Pinjani <cpinjani at redhat.com>
- - - - -
4f80e99c by Christina Fu at 2021-06-03T09:18:50-07:00
Bug1889434 Unable to start HSM configured CA with after enabling Nuxwdog

The bug itself was actually a "not a bug" according to Chandan's latest
finding of how it was working again when set up on a different vm.
However, I found a possible issue that could only be seen on the vm
where he initially had the issue. I don't know how to reproduce other
than being able to see the correct message if my debugging was enabled
in this patch.
The nature of the issue that this patch tries to fix is that in the case
when pwd is returned with "keyctl_read_alloc:..." regarding password not
found, it treated the result as though it was a password to be
saved.

relating to https://bugzilla.redhat.com/show_bug.cgi?id=1889434

- - - - -
b35672f1 by Endi S. Dewata at 2021-06-03T21:22:16-05:00
Clean up Java dependency

The spec file has been modified to explicitly require Java 11.

- - - - -
c62c4d6c by Endi S. Dewata at 2021-06-03T22:09:43-05:00
Fix JAVA_HOME

- - - - -
3ef27289 by Endi S. Dewata at 2021-06-03T23:32:59-05:00
Update version number to 10.11.0-alpha2

- - - - -
5b09fcaf by Endi S. Dewata at 2021-06-09T11:23:12-05:00
Use password file when creating admin user

The pki-server <subsystem>-user-add has been updated to
provide a --password-file option. The deployment tool
has been modified to use this option when creating the
admin user to prevent the password from getting logged in
debug mode.

Resolves: CVE-2021-3551

- - - - -
b01cd8cc by Endi S. Dewata at 2021-06-09T11:23:15-05:00
Fix permission for new installation logs

The enable_pki_logger() has been updated to disable
world access for new installation logs to be created
in /var/log/pki.

Resolves: CVE-2021-3551

- - - - -
0c2f3b84 by Endi S. Dewata at 2021-06-09T11:23:15-05:00
Fix permission for existing installation logs

The spec file has been updated to remove world access
from existing installation logs in /var/log/pki.

Resolves: CVE-2021-3551

- - - - -
e3cf3373 by Chris Kelley at 2021-06-10T10:59:00+01:00
Remove IConfigPasswordCheck interface

There is only one implementation in PasswordChecker, and it 1)
duplicates the functionality of the IPasswordCheck interface/impl and 2)
is not referenced anywhere in the workspace.

Also, we don't care about the distinction between an empty password and
a password that is too short when we are deciding if the password is
good, which greatly simplifies isGoodPassword().
- - - - -
a6aeca19 by Endi S. Dewata at 2021-06-10T08:31:44-05:00
Add missing apache-commons-logging dependency

- - - - -
922c4d5c by Endi S. Dewata at 2021-06-10T08:32:59-05:00
Remove unused references to commons-httpclient.jar

- - - - -
4104740d by Endi S. Dewata at 2021-06-10T08:33:43-05:00
Fix HAMCREST_JAR for Rawhide

- - - - -
e790f34d by Endi S. Dewata at 2021-06-10T09:34:07-05:00
Update contact information

- - - - -
5627de5c by Endi S. Dewata at 2021-06-10T12:26:33-05:00
Move CI files into tests folder

- - - - -
4a25b89c by Endi S. Dewata at 2021-06-10T14:31:45-05:00
Move pki-lint files into tests folder

- - - - -
8bf522e9 by Endi S. Dewata at 2021-06-10T17:49:40-05:00
Update version number to 11.0.0-alpha1

- - - - -
894293a6 by Endi S. Dewata at 2021-06-10T20:26:22-05:00
Update JSS references

- - - - -
97debc7b by 06shalini at 2021-06-13T22:21:03+05:30
Added exception handling in performance tests (#3488)

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>
- - - - -
287489bc by Endi S. Dewata at 2021-06-16T15:24:35-05:00
Clean up IPA test

- - - - -
8643e03b by Endi S. Dewata at 2021-06-16T16:11:03-05:00
Add configurable test matrix

The test workflows have been modified to load the
matrix from MATRIX secret variable. If the secret is
undefined it will use Fedora 33 and 34 by default.

- - - - -
58e69a97 by Endi S. Dewata at 2021-06-16T17:08:06-05:00
Update JSS, TomcatJSS, and LDAPJDK dependencies

- - - - -
a6a24bcc by Alexander Scheel at 2021-06-16T19:45:05-05:00
Remove pki-console from Fedora 35+, RHEL 9+

- - - - -
81adacee by Endi S. Dewata at 2021-06-16T19:45:05-05:00
Add build.sh --with-console option

- - - - -
abdbbc6a by Chris Kelley at 2021-06-17T14:29:35+01:00
Allow automatic determination of Fedora versions to test against

- - - - -
91ba383d by Alexander Scheel at 2021-06-17T15:19:51-05:00
Remove Legacy VBScript Web Code

No modern browser supports VBScript except IE 11. Microsoft announced its
removal and deprecation in August 2019. Every modern, graphical browser
supports JavaScript, including IE 2+, Edge, Safari, Chrome, and Firefox.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
80e64e5c by Endi S. Dewata at 2021-06-17T21:46:31-05:00
Fix Javadoc warnings

- - - - -
7a74753c by Endi S. Dewata at 2021-06-18T09:56:22+01:00
Add test script for creating CA agent

The test code that creates a CA agent has been moved
into a shell script.

- - - - -
b78d76a8 by Endi S. Dewata at 2021-06-18T09:56:22+01:00
Add test scripts for CA agent cert revocation

The test code that creates, revokes, and unrevokes
a CA agent cert has been moved into shell scripts.

- - - - -
d4119692 by Endi S. Dewata at 2021-06-18T09:13:44-05:00
Add JSON mapper for UserCertData

- - - - -
f02f08fc by Chris Kelley at 2021-06-18T21:25:30+01:00
Add JSON mapper for Account
- - - - -
f8f4a583 by Chris Kelley at 2021-06-18T21:26:04+01:00
Add JSON wrapper for AuthorityData

* Make fields of AuthorityData private and provide setters for test
* Remove unused Link setter
- - - - -
582e4c26 by Pritam Singh at 2021-06-21T15:16:34+05:30
clone_job_fix (#3573)

[SKIP CI]

Signed-off-by: Pritam Singh <prisingh at redhat.com>

Co-authored-by: Pritam Singh <prisingh at redhat.com>
- - - - -
1ae9fc63 by Chris Kelley at 2021-06-21T17:19:04+01:00
Add JSON wrappers for classes in com.netscape.certsrv.base

Also adds AuthorityDataTest to the cmake file, I forgot to do it in a
previous PR
- - - - -
963883e2 by Chris Kelley at 2021-06-21T17:22:50+01:00
Add JSON mapper for ClientConfig
- - - - -
8bb1536e by Chris Kelley at 2021-06-21T21:44:04+01:00
Add JSON wrappers for classes org.dogtagpki.common

Requires overriding equals() and hashCode() in Link class, otherwise the
equals check for ConfigData fails on object equivalence for the Links
- - - - -
a3de157d by Chris Kelley at 2021-06-21T21:45:05+01:00
Add JSON wrappers for classes in com.netscape.certsrv.group

Also adds annotations to AuthorityData, which were missed in a previous
PR.
- - - - -
75619288 by Chris Kelley at 2021-06-21T23:55:59+01:00
Remove jakarta-activation from .classpath

This dependency is satisfied through resteasy-client -> resteasy-core,
so no need to explicitly depend on it like this.
- - - - -
9f409750 by Chris Kelley at 2021-06-22T14:10:50-05:00
Remove jboss-annotations-1.2-api from .classpath

This dependency is satisfied through resteasy-client -> resteasy-core,
so no need to explicitly depend on it like this.
- - - - -
94f698f6 by Chris Kelley at 2021-06-22T22:29:30+01:00
Add JSON wrappers for classes in com.netscape.certsrv.logging

Also removes unused AuthorityData.toString() I missed in earlier PR
- - - - -
866c632a by Chris Kelley at 2021-06-22T23:14:50+01:00
Add JSON wrapper for Descriptor
- - - - -
3a1c75d9 by Chris Kelley at 2021-06-22T23:55:33+01:00
Reorder modifiers in Constants to match the JLS
- - - - -
860e80ba by Christina Fu at 2021-06-22T17:46:50-07:00
Bug1963220-RevokeViaRestAPIwExtAgent

This patch resolves the issue that when a client cert is issued by an
external CA, the revocation check inside the CA REST service handler
(ca/src/org/dogtagpki/server/ca/rest/CertService.java)
assumes that all client certs are issued by this CA.

The fix is to check the issuer, and add an option, allowExtCASignedAgentCerts
to allow for external CA signed agent certs.

If the issuer is external, and ca.allowExtCASignedAgentCerts is true, then the
internal cert status check is bypassed and the check relies on OCSP enablement
(enableOCSP) in server.xml.

The ca.allowExtCASignedAgentCerts config param currently is only used in
the REST revocation case. It is not used anywhere else (not even unrevocation).

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1963220

- - - - -
aa4406c7 by Endi S. Dewata at 2021-06-22T20:24:17-05:00
Fix build classpaths

- - - - -
9b698d6c by Chris Kelley at 2021-06-23T10:49:47+01:00
Add JSON wrappers for classes in com.netscape.certsrv.key
- - - - -
bfcc6d52 by Chris Kelley at 2021-06-23T10:51:50+01:00
Add JSON wrappers for classes in com.netscape.certsrv.request
- - - - -
bcde3dc9 by Chris Kelley at 2021-06-23T10:56:41+01:00
Add JSON wrappers for classes in com.netscape.certsrv.selftests
- - - - -
80464590 by Chris Kelley at 2021-06-23T17:22:41+01:00
Add JSON wrappers for classes in com.netscape.certsrv.cert
- - - - -
6fe2e290 by Endi S. Dewata at 2021-06-23T20:56:03-05:00
Drop httpcomponents dependency

The direct dependency on httpcomponents has been dropped
from pom.xml since it is already provided by resteasy.
There is no such dependency in pki.spec.

- - - - -
649ec1c0 by Chris Kelley at 2021-06-24T10:54:10+01:00
Add JSON wrappers for classes in com.netscape.certsrv.profile
- - - - -
2a5a7485 by Chris Kelley at 2021-06-24T22:25:14+01:00
Code cleanup in TokenStatus

* Reorder modifiers to match JLS
* Simplify isValid()
* Some whitespace added
- - - - -
30b3b411 by Chris Kelley at 2021-06-24T22:30:12+01:00
Add JSON wrappers for classes in com.netscape.certsrv.tps
- - - - -
4f62a962 by Chris Kelley at 2021-06-24T23:04:37+01:00
Autoformat CryptoUtil
- - - - -
36450f67 by Chris Kelley at 2021-06-24T23:04:37+01:00
Tidy up some if statements in CryptoUtil
- - - - -
77bd3464 by Chris Kelley at 2021-06-24T23:04:37+01:00
Remove superfluous throws declarations in CryptoUtil
- - - - -
39da6dbd by Chandan Pinjani at 2021-06-25T18:21:31+05:30
Added Automation for BZ 1930586 (#3594)

Signed-off-by: Chandan Pinjani <cpinjani at redhat.com>

Co-authored-by: Chandan Pinjani <cpinjani at redhat.com>
- - - - -
1f5d4472 by Chris Kelley at 2021-06-25T15:11:36+01:00
Add JSON wrappers for classes in com.netscape.certsrv.system

- - - - -
8b53e1ca by Endi S. Dewata at 2021-06-25T16:27:59+01:00
Update client's default message format

- - - - -
fbc37bfb by Chris Kelley at 2021-06-25T21:26:41+01:00
Add JSONSerializer interface

Provide default methods for classes that wish to serialize to/from JSON
to reduce boilerplate code, as all classes do the same thing.

Also beneficial as a marker interface for the REST API, as this is the
dominant use case of the serialization to/from JSON.
- - - - -
751ae5e0 by Chris Kelley at 2021-06-25T21:26:41+01:00
Make ACME classes implement JSONSerializer to reduce boilerplate code
- - - - -
c0b42872 by Christina Fu at 2021-06-25T17:31:58-07:00
Bug1976010-restrict EE profile list and enrollment submission per LDAP group without immediate issuance

It's always been the case by design that if authentication (auth.instance_id=X) is specified in a profile, then as long as a request passes both authentication and authorization (authz.Y) then the issuance would be granted.
In this patch, an option per profile is added to override such design and would require explicit agent approval even when both auth and authz passed.

This new option is auth.explicitApprovalRequired and the value is true
or false, with false being the default if not set.

An example configuration in a directory-based authentication profile
would have something like the following:

         auth.instance_id=UserDirEnrollment
         auth.explicitApprovalRequired=true
         authz.acl=group=requestors

addressed https://bugzilla.redhat.com/show_bug.cgi?id=1976010

- - - - -
59dcf7e2 by Endi S. Dewata at 2021-06-25T20:50:09-05:00
Add PKIConnection.target

The PKIConnection has been modified to create the
WebTarget object from the server URL.

- - - - -
0252a415 by Endi S. Dewata at 2021-06-25T20:50:09-05:00
Add PKIClient.messageFormat

The PKIClient has been modified to construct the
content type object from the client configuration.

- - - - -
f1971c02 by Endi S. Dewata at 2021-06-25T20:50:09-05:00
Update PKIClient.createProxy()

The PKIClient.createProxy() method has been modified
to no longer require a leading slash in the path.

- - - - -
5d010ab7 by Endi S. Dewata at 2021-06-25T20:50:09-05:00
Update PKIClient.get()

The PKIClient.get() methods have been modified to
no longer require a leading slash in the path.

- - - - -
009f0edd by Endi S. Dewata at 2021-06-25T20:50:09-05:00
Update PKIClient.post()

The PKIClient.post() methods have been modified to
no longer require a leading slash in the path.

- - - - -
2b6749b9 by Endi S. Dewata at 2021-06-25T20:50:43-05:00
Merge PKIConnection.target() methods

- - - - -
c93ee9e1 by Chris Kelley at 2021-06-28T17:20:47+01:00
Remove XML tagging from Descriptor
- - - - -
9a37dbf5 by Christian Heimes at 2021-06-28T15:29:29-07:00
PKCS#12 export: encrypt private key with AES (#3590)

pk12util export defaults to "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2
CBC". The algorithm is no longer supported by OpenSSL 3.0.0. Use modern
PBES2 with AES-128-CBC to encrypt private key and leave public certs
unencrypted.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975406
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
85d4d23d by Chris Kelley at 2021-06-29T10:22:19+01:00
Make CA classes implement JSONSerializer to reduce boilerplate code
- - - - -
869e1180 by Chris Kelley at 2021-06-29T22:52:16+01:00
Move JSONSerializer to common directory from server only directory
- - - - -
b60d8218 by Endi S. Dewata at 2021-06-29T17:48:52-05:00
Add doc for PKI TPS Configuration CLI

- - - - -
878a7020 by Endi S. Dewata at 2021-06-29T18:08:07-05:00
Clean up CA tests

- - - - -
08ffba17 by Chris Kelley at 2021-06-30T09:29:20+01:00
Remove XML mappers from AuthorityData
- - - - -
d1124d33 by Chris Kelley at 2021-06-30T09:29:48+01:00
Remove XML mappers from com.netscape.certsrv.selftests
- - - - -
f62f8951 by Christina Fu at 2021-06-30T17:51:44-07:00
Bug1978017 PKCS10Client Attribute Encoding

PKCS10Client has an option "-k" which allows for individual DN
attributes to be encoded differently and separately.
For example:
    PKCS10Client -p <passwd> -d . -k true -o req.txt -n 'cn=UTF8String:aa,ou=BMPString:bb,o=cc'

This option might have been accidentally disabled. In this patch, the
attribute encoding code is moved to CryptoUtil.java with some
refactoring, and calls to getJssName() are re-enabled for subjectName
in PKCS10Client.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1978017

- - - - -
131850d9 by Endi S. Dewata at 2021-06-30T20:16:09-05:00
Add test for CA certs

- - - - -
47e3be52 by Chris Kelley at 2021-07-01T10:37:41+01:00
Make more classes implement JSONSerializer to reduce boilerplate code

In org.dogtagpki.common package
- - - - -
7b245ced by Chris Kelley at 2021-07-01T15:52:49+01:00
Consolidate the building step in the CI to a separate workflow
- - - - -
40f114b6 by Chris Kelley at 2021-07-01T15:52:49+01:00
fop
- - - - -
9676dfdc by Christina Fu at 2021-07-01T09:49:59-07:00
Bug1978017 (clean up imports) PKCS10Client Attribute Encoding
This patch is to clean up some imports that were missed in the previous
patch for
  Bug1978017 PKCS10Client Attribute Encoding

additional cleanup for https://bugzilla.redhat.com/show_bug.cgi?id=1978017

- - - - -
9bbcec92 by Chris Kelley at 2021-07-01T18:09:20+01:00
Revert "fop"

This reverts commit 40f114b6f38c839fcf52fa334f4a8b0202696446.

- - - - -
b4f93dd6 by Chris Kelley at 2021-07-01T18:09:20+01:00
Revert "Consolidate the building step in the CI to a separate workflow"

This reverts commit 7b245cedbc02977d0b12c96e1110f77363cbc756.

- - - - -
a91518c1 by Chris Kelley at 2021-07-01T23:03:53+01:00
Make more classes implement JSONSerializer to reduce boilerplate code

In following packages:

com.netscape.certsrv.account
com.netscape.certsrv.authority
com.netscape.certsrv.cert
com.netscape.certsrv.base

Introduces additional methods to provide access to private fields if
required
- - - - -
bf2d303e by Chris Kelley at 2021-07-01T23:03:53+01:00
Make more classes implement JSONSerializer to reduce boilerplate code

In following packages:

com.netscape.certsrv.logging
com.netscape.certsrv.request
com.netscape.certsrv.property
com.netscape.certsrv.profile

- - - - -
f36bd103 by Chris Kelley at 2021-07-01T23:04:11+01:00
Make more classes implement JSONSerializer to reduce boilerplate code

In following packages:

com.netscape.certsrv.system
com.netscape.certsrv.selftests
- - - - -
52819513 by Endi S. Dewata at 2021-07-01T19:32:51-05:00
Display CLI exception stack trace

The pki CLI has been modified to show the exception
stack trace by default to help troubleshooting.

- - - - -
6e1db6ef by Endi S. Dewata at 2021-07-01T19:51:22-05:00
Drop unnecessary sudo dependency

- - - - -
f4fb25e4 by Chris Kelley at 2021-07-02T09:02:28+01:00
Remove XML tagging from com.netscape.certsrv.group
- - - - -
d9f35385 by Endi S. Dewata at 2021-07-02T12:41:26-05:00
Add tests for CA auditor

New tests have been added to verify creating CA auditor
with basic auth and client cert auth and retrieving
audit logs.

- - - - -
21fde138 by Chris Kelley at 2021-07-02T22:27:15+01:00
Remove XML tagging from ClientConfig
- - - - -
92b0df5b by Chris Kelley at 2021-07-02T22:29:41+01:00
Remove field visibility functionality from JSONSerializer

Only required to make one private field visible, so just make it public
- - - - -
33b86f35 by Endi S. Dewata at 2021-07-02T17:04:18-05:00
Remove unused references to commons-collections.jar

- - - - -
8d1cc0c2 by Endi S. Dewata at 2021-07-07T20:47:13-05:00
Add doc for pki <subsystem>-audit

- - - - -
7cbdc90f by Chris Kelley at 2021-07-08T10:42:54+01:00
Automatically detect unit tests in CMakeLists files

Currently if you add a JUnit test case you have to know/remember to add
it in the cmake files, which is a brittle process.
- - - - -
4917f7be by Chris Kelley at 2021-07-08T10:43:13+01:00
Make more classes implement JSONSerializer to reduce boilerplate code

In following packages:

com.netscape.certsrv.key
com.netscape.certsrv.client
com.netscape.certsrv.group

- - - - -
16e89c9e by dpuniaredhat at 2021-07-08T15:20:30+05:30
Bug Automation 1963220 revoke with allowExtCASignedAgentCerts parms (#3642)

1. Install CA and SubCA.
2. Create certificate on external CA for agent with name extCA-agent.
3. Create agent on main CA and import extCA-agent certificate.
4. Test with default value of ca.allowExtCASignedAgentCerts=false without any changes.
5. Test with parameter ca.allowExtCASignedAgentCerts=true in CS.cfg parameter

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
c781ab61 by Chris Kelley at 2021-07-08T09:39:07-05:00
Remove XML tagging from org.dogtagpki.common
- - - - -
a010fa7c by Endi S. Dewata at 2021-07-08T09:39:25-05:00
Update Link constructor

The Link constructor has been modified not to set the type
if it's not specified to match RESTEasy's Link constructor:
https://github.com/resteasy/Resteasy/blob/3.0.26.Final/providers/resteasy-atom/src/main/java/org/jboss/resteasy/plugins/providers/atom/Link.java#L54-L58

- - - - -
8d37206a by Endi S. Dewata at 2021-07-08T09:39:25-05:00
Update pki tps-config doc

The doc for pki tps-config has been updated to use
JSON instead of XML file format.

- - - - -
a51f61a6 by Endi S. Dewata at 2021-07-08T09:39:25-05:00
Add doc for switching from XML to JSON REST API

- - - - -
18f86a4c by Endi S. Dewata at 2021-07-08T12:02:13-05:00
Add doc for pki ca-cert

[skip ci]

- - - - -
80f93b9e by Chris Kelley at 2021-07-08T23:01:35+01:00
Remove XML tagging from com.netscape.certsrv.logging
- - - - -
d91c8a73 by Endi S. Dewata at 2021-07-08T23:01:50+01:00
Fix pki <subsystem>-audit CLIs

The pki <subsystem>-audit-show and -mod commands have been
modified to store the output file in JSON format.

https://bugzilla.redhat.com/show_bug.cgi?id=1980368

- - - - -
629cb441 by Endi S. Dewata at 2021-07-08T23:01:50+01:00
Update pki <subsystem>-audit doc

The doc for pki <subsystem>-audit has been updated to use
JSON instead of XML file format.

- - - - -
9d280f73 by dpuniaredhat at 2021-07-09T17:05:53+05:30
fix upstream nightly pipeline (#3646)

installation_podman_acme-dp

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
6cfbf958 by Endi S. Dewata at 2021-07-09T10:35:58-05:00
Remove deprecated pki commands

- - - - -
0c161e74 by Chris Kelley at 2021-07-12T14:30:09+01:00
Remove XML mapping from com.netscape.certsrv.tps

Adds in JSON mapping to ProfileData which I missed in an earlier PR
- - - - -
1747c2af by Chris Kelley at 2021-07-12T14:35:18+01:00
Replace XML Response object in GetTransportCert with a JSON object
- - - - -
10a789a7 by Endi S. Dewata at 2021-07-12T18:55:10-05:00
Add jakarta-activation to .classpath

The jakarta.activation.jar has been added into .classpath
since it's needed to run unit tests in Eclipse.

[skip ci]

- - - - -
98ec4987 by Chris Kelley at 2021-07-13T10:53:37+01:00
Remove XML mappers from com.netscape.certsrv.user

Also adds some missing JSON mapping/tests
- - - - -
a713f1e7 by Chris Kelley at 2021-07-14T08:39:32+01:00
Remove XML tagging from com.netscape.certsrv.system
- - - - -
0cbc2861 by Chris Kelley at 2021-07-14T22:54:53+01:00
Remove XML tagging from Link
- - - - -
9b08876a by Chris Kelley at 2021-07-14T23:07:21+01:00
Remove XML mapping from com.netscape.certsrv.key
- - - - -
e95e27fb by Kees Bakker at 2021-07-15T15:02:05-05:00
Use get_token_password instead of get_password

The function get_password will not normalize the token name and then it
fails to find the password in the config file. After that it will prompt
for the password.

The solution is to use get_token_password instead.

- - - - -
4e1b040f by Endi S. Dewata at 2021-07-16T15:41:53-05:00
Add GitLab synchronization job

The .gitlab-ci.yml has been added to define a job to
synchronize a branch from an upstream repository to a
GitLab repository.

- - - - -
98adff64 by Chris Kelley at 2021-07-19T20:55:58+01:00
Remove XML mappers from CertRequestInfo{s}
- - - - -
bc3739a1 by Endi S. Dewata at 2021-07-19T19:57:24-05:00
Remove unused BUILDDIR var

- - - - -
e41fa4c3 by Endi S. Dewata at 2021-07-19T20:39:38-05:00
Remove unused COPR_REPO var

- - - - -
5a6b1afc by dpuniaredhat at 2021-07-21T12:38:00+05:30
fix upstream nightly pipeline (#3658)

pipeline fixes under this PR
externalca_nssdb-topo-03-sk
topology_02_ldaps_sk
topo-03-kra-bugzilla

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
1d186dce by Chandan Pinjani at 2021-07-21T20:37:20+05:30
Clone Job Fix (#3663)

Signed-off-by: Chandan Pinjani <cpinjani at redhat.com>

Co-authored-by: Chandan Pinjani <cpinjani at redhat.com>
- - - - -
76457449 by Endi S. Dewata at 2021-07-21T12:03:01-05:00
Update Python tests

The Python tests have been modified to build a test
container and run the tests in the container.

The pki-lint script has been modified to use pylint
and flake8 configuration files from the parent folder.

The script has also been modified to get the sources
from Python library path and upgrade folders.

The script dependencies have been moved into pki.spec.
The direct dependency on python3-pyflakes has been
removed since it's already required by python3-flake8.

- - - - -
89d2c255 by c-dorney at 2021-07-22T18:02:31+01:00
BZ-1981850 Check directory for files on load subsystems (#3666)

* BZ-1981850 Check directory for files on load subsystems
- - - - -
1b405f1d by Endi S. Dewata at 2021-07-23T14:11:38-05:00
Add test for SCEP responder

A CI test has been added to set up SCEP responder,
build SSCEP client, then run an enrollment test.

- - - - -
441a4688 by dpuniaredhat at 2021-07-26T17:30:01+05:30
fix acme assertion changes (#3672)

Executed Pipeline : https://gitlab.com/dpunia/pki/-/pipelines/342821832

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
58e03f50 by Chris Kelley at 2021-07-26T16:18:11+01:00
Replace use of python with python3 on Ubuntu

TIL that on Ubuntu, there isn't a python module per se - but python2 and
python3. There is supposedly some symlink chicanery you can do if your
project requires "python" explicitly, but we have no requirement for
python2 so just state python3 explicitly.

Fixes currently broken CI pipeline
- - - - -
0f858253 by Endi S. Dewata at 2021-07-26T12:46:31-05:00
Ignore failures when gathering CI artifacts

- - - - -
6ba18315 by Endi S. Dewata at 2021-07-26T16:32:11-05:00
Ignore known JSS issue

The CI has been modified to ignore a known JSS issue:
https://github.com/dogtagpki/jss/issues/781

- - - - -
309337ed by Endi S. Dewata at 2021-07-26T19:04:30-05:00
Update pki-console dependency

The pki.spec has been modified to obsolete older pki-console,
pki-console-theme, and idm-console-framework packages such that
they will be uninstalled on upgrade. The current pki-console
can still be installed optionally.

- - - - -
539b84e0 by Chris Kelley at 2021-07-27T08:17:58+01:00
Remove XML tagging from ProfileRetrievalRequest
- - - - -
5ec82d3f by Endi S. Dewata at 2021-07-27T17:10:11-05:00
Update pki.spec

The pki.spec has been updated to require PKI packages
with the same version and release numbers to ensure
that the packages installed are from the same build.

- - - - -
4932ef6d by Endi S. Dewata at 2021-07-28T15:57:11-05:00
Add init-workflow.sh

The init-workflow.sh has been added to configure the test
matrix based on the BASE64_MATRIX variable. The test matrix
needs to be base64-encoded since otherwise GitHub will mask
the value rendering it unusable.

- - - - -
6f2c0f00 by 06shalini at 2021-07-29T12:19:32+05:30
Fixed performance issues #3481 by fixing the session object sharing among threads (#3569)

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>
- - - - -
d42954ec by Endi S. Dewata at 2021-07-29T15:57:21-05:00
Add test repository configuration

The init-workflow.sh has been modified to load the test
repository from BASE64_REPO variable. The test repository
will be configured in the runner image so all tests using
the same image will automatically use the same repository.

- - - - -
eef1f62d by Endi S. Dewata at 2021-07-29T17:28:56-05:00
Update default test matrix

The init-workflow.sh has been modified to test
against the latest Fedora version by default.

- - - - -
2d99d278 by Christina Fu at 2021-07-30T09:33:51-07:00
Bug 708162 - DRM error reporting page for noOfRequiredRecoveryAgents has a typo

quick typo fix
fixes https://bugzilla.redhat.com/show_bug.cgi?id=708162

- - - - -
9a6cb98f by Endi S. Dewata at 2021-08-03T16:37:56-05:00
Remove unused Requires(preun) in pki.spec

- - - - -
acc08128 by Endi S. Dewata at 2021-08-04T18:38:36-05:00
Clean up test names

- - - - -
3e367124 by Christina Fu at 2021-08-04T17:47:45-07:00
Bug1973870 SubCA two-step installation fails with error while validating SubCA ca signing certificate

This patch fixes the issue where the CA signing cert is not imported
properly into the nssdb with trust.
The pki cli command is changed from 'nss-import-cert' to 'client-import-cert'
and '--cert' changed to '--ca-cert'.
See https://github.com/dogtagpki/pki/wiki/PKI-Client-CLI#importing-ca-certificate
In addition, if pkispawn fails the pki-server subsystem-cert-validate call,
it will provide more detail on the failure while allowing pkispawn to complete.

This would allow admins to add the CA signing cert manually.
(Although with the fix mentioned above, it should not be encountered)

fixes master for https://bugzilla.redhat.com/show_bug.cgi?id=1973870

- - - - -
196f4494 by Christina Fu at 2021-08-05T15:13:22-07:00
Bug1990608 PS Allowing Token Transactions while the CA is Down

This patch propagates the exception thrown when revocation/unrevocation
fails so that the token record is not updated on TPS; This allows
the TPS token to be consistent with the certs on the CA.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1990608

- - - - -
d5eecddf by Endi S. Dewata at 2021-08-06T16:11:31-05:00
Add PKI PKCS12 CLI test

A new CI test has been added to validate pki pkcs12
commands.

https://github.com/dogtagpki/pki/wiki/PKI-PKCS12-CLI

- - - - -
2586825d by Chris Kelley at 2021-08-09T15:37:39+01:00
Make getStatus return JSON instead of XML

Introduces JSONObject class to begin to replace instances of the
XMLObject class.
- - - - -
e16a3c76 by Chris Kelley at 2021-08-09T16:48:59+01:00
Replace XMLObjects with JSONObjects in com.netscape.cms.servlet.csadmin
- - - - -
d1a02c89 by Chris Kelley at 2021-08-09T11:42:13-05:00
Remove duplicate buttons from Retrieval List Certificates page
- - - - -
15182145 by Endi S. Dewata at 2021-08-09T11:42:39-05:00
Fix navigation buttons in CA EE list certs page

The renderNextButtonElement() has been modified to fix a
typo in commit 13f4c7fe7d71d42b46b25f3e8472ef7f35da5dd6.

https://bugzilla.redhat.com/show_bug.cgi?id=1978345

- - - - -
4289cecf by Endi S. Dewata at 2021-08-09T11:42:39-05:00
Fix thread safety in ListCerts

The mReverse, mHardJumpTo, and mDirection fields in the ListCerts
servlet have been converted into regular variables to avoid
potential concurrency issues.

- - - - -
2f953491 by Chris Kelley at 2021-08-10T10:02:29+01:00
Replace XMLObject with JSONObject in PortsServlet
- - - - -
b8e6015b by Endi S. Dewata at 2021-08-10T13:35:38-05:00
Reorganize changes docs

[skip ci]

- - - - -
3e25eeda by Christina Fu at 2021-08-11T09:31:25-07:00
Bug 1992337 - Double issuance of non-CA subsystem certs at installation

This patch removes an extra profile.submit() call that was accidentally
left off during manual cherry-picking of another bug (1905374):
commit 8e78a2b912e7c3bd015e4da1f1630d0f35145104 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1992337

- - - - -
1be7cb19 by Chris Kelley at 2021-08-11T17:39:56+01:00
Cherry-pick fix for BZ 1955633 to master
- - - - -
c3707a54 by Chris Kelley at 2021-08-11T17:40:10+01:00
Port fix for BZ 1960743 to master

Simple cherry-pick was not possible as the files have been moved and the
CMS class log methods replaced with an SLF4J logger instance. Also the
config store is pulled from the subsystem and not the CMS.
- - - - -
39ac8234 by Endi S. Dewata at 2021-08-11T12:25:13-05:00
Rename PKI packages

The pki-* packages have been renamed into dogtag-pki-*.
The Obsoletes: directives have been added to replace
installed pki-* packages. The Provides: directives have
been added for backward compatibility.

The vendor_id and brand macros have been replaced with
product_name, product_id, and theme macros.

- - - - -
edaab139 by Endi S. Dewata at 2021-08-11T20:54:24-05:00
Fix Javadoc directory

- - - - -
83452b29 by Endi S. Dewata at 2021-08-11T21:29:05-05:00
Update version number to 11.0.0-alpha2

- - - - -
e8a03bcb by Endi S. Dewata at 2021-08-12T13:01:36-05:00
Add --log-file option for pkispawn/pkidestroy

pkispawn and pkidestroy have been modified to provide a
--log-file option to specify the installation log file path.

- - - - -
715861f9 by Endi S. Dewata at 2021-08-17T21:13:31-05:00
Update PKIConnection logging

The PKIConnection has been modified to log the content of
HTTP requests and responses in debug mode.

- - - - -
405a1853 by Endi S. Dewata at 2021-08-18T09:37:21-05:00
Add support for custom XML mapping

The PKIClient and PKIService classes have been modified
to support optional XML mapping using fromXML() and
toXML(). This can be used to implement a custom XML
mapping using DOM instead of JAXB.

- - - - -
8e5f2bc8 by Endi S. Dewata at 2021-08-18T09:37:21-05:00
Add DOM mapping for Link

- - - - -
52b6c0dc by Endi S. Dewata at 2021-08-18T09:37:21-05:00
Add DOM mapping for CertDataInfo

- - - - -
648bf64c by Endi S. Dewata at 2021-08-18T09:37:21-05:00
Add DOM mapping for CertDataInfos

- - - - -
8b25d201 by Endi S. Dewata at 2021-08-18T09:37:21-05:00
Add XML mapping using DOM for CertDataInfos

- - - - -
15703570 by Endi S. Dewata at 2021-08-18T09:37:21-05:00
Drop JAXB from CertDataInfo

- - - - -
3d44a8dc by Endi S. Dewata at 2021-08-18T10:29:38-05:00
Add DOM mapping for Account

- - - - -
d39acd9d by Endi S. Dewata at 2021-08-18T10:29:38-05:00
Drop JAXB from Account

The Account class has been modified to use DOM
instead of JAXB for XML mapping.

- - - - -
78f6d6b1 by Endi S. Dewata at 2021-08-18T11:35:09-05:00
Add DOM mapping for CertData

- - - - -
214b3cc3 by Endi S. Dewata at 2021-08-18T11:35:09-05:00
Drop JAXB from CertData

The CertData class has been modified to use DOM
instead of JAXB for XML mapping.

- - - - -
be299603 by Endi S. Dewata at 2021-08-18T15:44:01-05:00
Add DOM mapping for CertRetrievalRequest

- - - - -
318e05c2 by Endi S. Dewata at 2021-08-18T15:44:01-05:00
Drop JAXB from CertRetrievalRequest

- - - - -
8112771d by Chris Kelley at 2021-08-18T23:25:26+01:00
Drop jaxb from ProfileDataInfo
- - - - -
26f3f176 by Chris Kelley at 2021-08-19T11:00:59+01:00
Drop jaxb from ProfileDataInfos
- - - - -
279be2c3 by Chandan Pinjani at 2021-08-19T18:05:45+05:30
Added BZ_1426572_fix (#3701)

Signed-off-by: Chandan Pinjani <cpinjani at redhat.com>

Co-authored-by: Chandan Pinjani <cpinjani at redhat.com>
- - - - -
9e734330 by Endi S. Dewata at 2021-08-19T11:18:12-05:00
Reorganize IPA tests

To simplify troubleshooting, the basic IPA tests have
been split into separate steps, and the tests will stop
immediately on error. The IPA ACME test has also been
moved into a separate job.

- - - - -
4c2cdbc8 by Endi S. Dewata at 2021-08-19T13:31:30-05:00
Clean up CACertFindCLI

The CACertFindCLI has been modified to use Files.readString()
to read the input file into a String.

- - - - -
0c955aef by Endi S. Dewata at 2021-08-19T15:43:12-05:00
Refactor CertRevokeRequest

The CertRevokeRequest.reason has been converted into String
to remove dependency on RevocationReasonAdapter which is also
dependent on JAXB.

- - - - -
633d7553 by Endi S. Dewata at 2021-08-19T15:43:12-05:00
Add DOM mapping for CertRevokeRequest

- - - - -
64f44a53 by Endi S. Dewata at 2021-08-19T15:43:12-05:00
Drop JAXB from CertRevokeRequest

- - - - -
9b6a9358 by Endi S. Dewata at 2021-08-20T10:00:40+01:00
Add DOM mapping for CertSearchRequest

- - - - -
6a62a24d by Endi S. Dewata at 2021-08-20T10:00:40+01:00
Replace JAXB with DOM in CertSearchRequest

The CertSearchRequest has been modified to use DOM
instead of JAXB in toXML() and fromXML().

- - - - -
070c45f8 by Chris Kelley at 2021-08-20T11:15:59+01:00
Modify PolicyConstraintTest to produce more accurate XML output

So we can see whether the DOM replacement for jaxb produces equivalent

- - - - -
670c8377 by Chris Kelley at 2021-08-20T11:15:59+01:00
Replace jaxb with DOM in PolicyConstraintValue
- - - - -
9f3c03e0 by Chris Kelley at 2021-08-20T11:15:59+01:00
Replace jaxb with DOM in PolicyConstraint
- - - - -
70521f55 by Chris Kelley at 2021-08-20T11:33:41+01:00
Drop jaxb from ProfileParameter
- - - - -
3fa319f8 by Chris Kelley at 2021-08-20T11:33:41+01:00
Drop jaxb from ProfileAttribute
- - - - -
7e54b4f2 by Chris Kelley at 2021-08-20T15:12:09+01:00
Improve PolicyOutputTest by adding in ProfileAttributes
- - - - -
39b4569d by Chris Kelley at 2021-08-20T15:12:09+01:00
Drop jaxb from ProfileOutput
- - - - -
6c5f4600 by Endi S. Dewata at 2021-08-20T15:11:32-05:00
Replace RevocationReason.fromInt() with valueOf()

- - - - -
f128af5a by Endi S. Dewata at 2021-08-20T15:11:33-05:00
Replace RevocationReason.toInt() with getCode()

- - - - -
2a66010d by Ciarán Dorney at 2021-08-20T22:19:47+01:00
Add DOM mapping for ProfileInput

- - - - -
6ee96a4a by Chris Kelley at 2021-08-20T23:04:33+01:00
Improve PolicyDefaultTest by filling out more fields in test object
- - - - -
a19a6dd2 by Chris Kelley at 2021-08-20T23:04:33+01:00
Drop jaxb from PolicyDefault
- - - - -
5bacbd1e by Endi S. Dewata at 2021-08-20T17:58:51-05:00
Add DOM mapping for ResourceMessage

- - - - -
582e8144 by Endi S. Dewata at 2021-08-20T17:58:51-05:00
Add XML mapping for Info

- - - - -
57658046 by Endi S. Dewata at 2021-08-20T17:58:51-05:00
Replace JAXB with DOM in PKIException

- - - - -
68904bac by Chris Kelley at 2021-08-21T00:01:29+01:00
Improve ProfilePolicyTest by adding Policy{Constraint,Default}
- - - - -
25d23ba6 by Chris Kelley at 2021-08-21T00:01:29+01:00
Drop jaxb from ProfilePolicy
- - - - -
241eb238 by Endi S. Dewata at 2021-08-20T20:56:36-05:00
Fix JSON mapping in Info

- - - - -
5ce9d586 by Endi S. Dewata at 2021-08-20T20:56:36-05:00
Clean up PKIClient.handleErrorResponse()

- - - - -
d14aa68a by Endi S. Dewata at 2021-08-20T20:56:36-05:00
Add PKIClient.unmarshall()

The code that unmarshalls response object in
PKIClient.getEntity() has been moved into a new
unmarshall() method. The handleErrorResponse()
has been modified to use unmarshall() as well.

- - - - -
731c8f18 by Endi S. Dewata at 2021-08-23T10:37:22-05:00
Add JSON mapping for PKIException

- - - - -
5dc388d6 by Endi S. Dewata at 2021-08-23T10:37:22-05:00
Drop JAXB from PKIException

- - - - -
63813fd7 by Endi S. Dewata at 2021-08-23T10:42:20-05:00
Fix XML mapping in CertSearchRequest

- - - - -
9f695cec by Endi S. Dewata at 2021-08-23T10:42:20-05:00
Fix JSON mapping in CertDataInfo

- - - - -
f453271a by Endi S. Dewata at 2021-08-23T10:42:20-05:00
Fix JSON and XML mapping in Link

- - - - -
d03c6661 by Endi S. Dewata at 2021-08-23T10:42:20-05:00
Fix XML mapping in ResourceMessage

- - - - -
169b6750 by Endi S. Dewata at 2021-08-23T11:16:02-05:00
Rename PKIService.convert() to marshall()

- - - - -
c0867bb9 by Endi S. Dewata at 2021-08-23T13:22:23-05:00
Refactor PKIService.marshall()

The if-statement has been moved into the try-catch
block so it can be extended to handle JSON later.

- - - - -
22b89df1 by Endi S. Dewata at 2021-08-23T17:16:51-05:00
Add support for custom request mapping

The PKIClient.marshall() and PKIService.unmarshall()
have been added to support custom mapping of request
objects.

- - - - -
a745bab3 by Endi S. Dewata at 2021-08-23T17:16:51-05:00
Refactor CertService.searchCerts()

The CACertClient.findCerts() has been modified
to marshall the CertSearchRequest into a String.
The CertService.searchCerts() has been modified to
unmarshall the String back into CertSearchRequest.

- - - - -
90767089 by Endi S. Dewata at 2021-08-23T17:16:51-05:00
Drop JAXB from CertSearchRequest

- - - - -
8230a17d by Endi S. Dewata at 2021-08-23T20:16:03-05:00
Add DOM mapping for CMSRequestInfo

- - - - -
c119193e by Endi S. Dewata at 2021-08-23T20:16:03-05:00
Add DOM mapping for CertRequestInfo and CertRequestInfos

- - - - -
4af33c33 by Endi S. Dewata at 2021-08-23T20:16:03-05:00
Add DOM mapping for KeyRequestInfo and KeyRequestInfoCollection

- - - - -
121da3ea by Endi S. Dewata at 2021-08-23T20:16:03-05:00
Add serializer/deserializer for RequestStatus

- - - - -
35ccbe20 by Endi S. Dewata at 2021-08-23T20:16:03-05:00
Drop JAXB from CMSRequestInfo

- - - - -
fb1c70cc by c-dorney at 2021-08-24T10:19:22+01:00
Add CertEnrollmentRequest DOM mappings (#3711)


- - - - -
148a155d by Endi S. Dewata at 2021-08-24T11:10:01-05:00
Refactor CertEnrollmentRequest

The toDOM() and fromDOM() in CertEnrollmentRequest have
been modified such that they can be reused by its subclass,
i.e. CertReviewResponse.

- - - - -
5d4ed1a3 by Endi S. Dewata at 2021-08-24T11:10:01-05:00
Add DOM mapping for CertReviewResponse

- - - - -
5498e40d by Endi S. Dewata at 2021-08-24T11:10:01-05:00
Replace JAXB with DOM in CertReviewResponse

- - - - -
6e4dfd29 by Endi S. Dewata at 2021-08-24T11:10:01-05:00
Drop JAXB from CertReviewResponse

- - - - -
8be1e7c7 by Chris Kelley at 2021-08-24T17:11:16+01:00
Improve ProfileDataTest to produce better test object
- - - - -
e17bb5fc by Chris Kelley at 2021-08-24T17:11:16+01:00
Drop Jaxb from ProfileData

Also fixes mapping bug in PolicyConstraint
- - - - -
53584cb3 by Endi S. Dewata at 2021-08-24T11:47:23-05:00
Fix XML mapping in CertRequestInfos and KeyRequestInfoCollection

- - - - -
cfbf3dee by Endi S. Dewata at 2021-08-24T12:45:01-05:00
Update TestRunner output

- - - - -
15dc1dc5 by Endi S. Dewata at 2021-08-24T16:05:30-05:00
Fix JSON mapping for ResourceMessage

The ResourceMessage class has been modified to provide
a JSON serializer/deserializer for the attributes to
match the original JAXB mapping.

- - - - -
e65e4aa5 by Endi S. Dewata at 2021-08-24T16:05:30-05:00
Fix JSON mapping for Profile classes

- - - - -
9c049a31 by Endi S. Dewata at 2021-08-24T16:05:30-05:00
Fix JSON mapping for CertReviewResponse

- - - - -
3fe17043 by Endi S. Dewata at 2021-08-24T16:05:30-05:00
Add XML mapping for ProfileDataInfos

- - - - -
2acff95a by Endi S. Dewata at 2021-08-24T16:05:30-05:00
Refactor CertRequestService.enrollCert()

The CACertClient.enrollRequest() has been modified to
marshall the CertEnrollmentRequest into a String. The
CertRequestService.enrollCert() has been modified to
unmarshall the String back into CertEnrollmentRequest.

- - - - -
1d09759d by Endi S. Dewata at 2021-08-24T16:05:30-05:00
Drop JAXB from CertEnrollmentRequest

- - - - -
0715b7b0 by Chris Kelley at 2021-08-24T22:28:52+01:00
Remove XML mapping in com.netscape.certsrv.request
- - - - -
e636a57a by Endi S. Dewata at 2021-08-24T18:09:37-05:00
Remove unused DateAdapter

- - - - -
c6786aee by Endi S. Dewata at 2021-08-24T18:09:37-05:00
Remove unused RequestIdAdapter

- - - - -
b7009151 by Endi S. Dewata at 2021-08-24T18:09:37-05:00
Remove unused KeyIdAdapter

- - - - -
23b75ac2 by Endi S. Dewata at 2021-08-24T18:09:37-05:00
Remove unused CertIdAdapter

- - - - -
af236210 by Endi S. Dewata at 2021-08-24T18:09:37-05:00
Remove unused TokenStatusAdapter

- - - - -
bb0c1fa0 by Endi S. Dewata at 2021-08-24T18:37:12-05:00
Refactor KRAKeyRecoverCLI

The code that parses XML file has been moved into
KeyRecoveryRequest.fromXML().

- - - - -
643beaa6 by Endi S. Dewata at 2021-08-24T19:06:01-05:00
Update InfoService

The InfoService has been modified to capture generic
exceptions instead of JAXB exception.

- - - - -
8bebc433 by Endi S. Dewata at 2021-08-24T20:09:16-05:00
Remove unused methods

- - - - -
ff798889 by Endi S. Dewata at 2021-08-24T20:10:26-05:00
Refactor KeyRecoveryRequest.fromXML()

The KeyRecoveryRequest.fromXML() has been modified to
reuse the ResourceMessage.fromDOM().

- - - - -
0d0e4e6f by Endi S. Dewata at 2021-08-24T20:58:47-05:00
Drop JAXB from DataCollection

- - - - -
4978a9b6 by Endi S. Dewata at 2021-08-24T20:58:47-05:00
Refactor ProfileCLI.saveEnrollmentTemplateToFile()

- - - - -
92cf53a9 by Endi S. Dewata at 2021-08-24T21:32:47-05:00
Refactor ProfileCLI.saveProfileToFile()

- - - - -
f84acce1 by c-dorney at 2021-08-25T16:28:03+01:00
Encode cert request as bytes before writing to file (#3718)


- - - - -
f52ef72c by Endi S. Dewata at 2021-08-25T10:34:21-05:00
Fix XML mapping in CertRequestInfos

- - - - -
c1354df2 by Chris Kelley at 2021-08-25T18:21:53+01:00
Fix KRA List Requests by using correct parser
- - - - -
7317586a by Endi S. Dewata at 2021-08-25T16:18:46-05:00
Fix XML mapping in ProfileOutput

The ProfileOutput.toDOM() has been modified to reuse
the XML mapping code in ProfileAttribute.

- - - - -
3e6618df by Endi S. Dewata at 2021-08-25T16:18:46-05:00
Add XML mapping for ResourceMessage

- - - - -
359904b4 by Endi S. Dewata at 2021-08-25T16:18:46-05:00
Update ResourceMessage test and subclasses

The ResourceMessage test and subclasses have been modified
to use the new XML mapping in ResourceMessage.

- - - - -
a7a36fc8 by Endi S. Dewata at 2021-08-25T16:18:46-05:00
Update pki kra-key-template CLIs

The pki kra-key-template-find and -show commands have been
modified to use the XML mapping in ResourceMessage.

- - - - -
50e8abfa by Endi S. Dewata at 2021-08-25T17:32:00-05:00
Refactor ProfileCLI.readProfileFromFile()

- - - - -
d0c68148 by Endi S. Dewata at 2021-08-25T17:32:00-05:00
Update ProfileClient and ProfileService to use custom mapping

The ProfileClient has been modified to marshall ProfileData
into a String. The ProfileService has been modified to
unmarshall the String back into ProfileData.

- - - - -
07e79dcb by Endi S. Dewata at 2021-08-25T17:32:00-05:00
Fix XML mapping for Descriptor

The XML mapping for Descriptor has been consolidated into the
Descriptor class for consistency and to match PKI 10.11.

- - - - -
fe28acdc by Endi S. Dewata at 2021-08-25T17:32:00-05:00
Fix XML mapping for PolicySet

The ProfileData.fromDOM() has been modified to iterate through
the immediate children of <PolicySet> to find <id> and <value>.

- - - - -
3f7ae8ca by Endi S. Dewata at 2021-08-25T17:32:00-05:00
Fix miscellaneous issues in XML mapping for profile

- - - - -
62a9e659 by Endi S. Dewata at 2021-08-26T13:47:47-05:00
Fix XML mapping for ProfilePolicySet

- - - - -
d37eb804 by Endi S. Dewata at 2021-08-26T13:47:47-05:00
Drop JAXB annotations from profile classes

- - - - -
490935d6 by Christina Fu at 2021-08-26T17:27:24-07:00
Bug1694417-TLS Session audit events establish/terminate when CS acting as a client

The description of this bug could be a little off so I'll try to explain
when CLIENT_ACCESS_SESSION_ESTABLISH and CLIENT_ACCESS_SESSION_TERMINATED
are supposed to happen first before explaining the patch.

CLIENT_ACCESS_SESSION_ESTABLISH is supposed to happen when a CS instance
tries to connect to its TLS server (for a CA, that'd be a DS server or
KRA).  And CLIENT_ACCESS_SESSION_TERMINATED is supposed to happen when
a connection closes, be it initiated by the CS instance itself, or the
TLS server.

In the case when the TLS server is the DS server, CS actually tries to
create a minimum # of connections at system startup for every "module"
of CS.  This minimum number is specified in the CS.cfg parameter
internaldb.minConns, which is defaulted to 3. It is because of this
mechanism, you will not see these establish/terminated events triggered
per action.
The "modules" I spoke of can be found by searching for the following string
in the debug log (if debug.level=0):
  "Creating LdapBoundConnFactor"
e.g.
  "Creating LdapBoundConnFactor(DBSubsystem)"

In my observation, DS seems to send a CLOSE_NOTIFY alert to CS after one
hour of inactivity.  In other words, you'd see 3 "sets" of the
TERMINATED after one hour of inactivity (see example later on what my patch
does). I also notice how CS is reacting to such "receiveAlert" with a
"sendAlert", so we essentially see two terminated events when DS times
out on CS.  Another thing I observe is that after a connection is
"terminated", further actions don't trigger any more "establish" events.
I think the connections just go back to the connection pool to be reused
at "terminate".

KRA is different from DS. For every key archival action, CA->KRA
connection is established and then terminated when done.  It is
therefore easier to see these audit events more clearly.

Now about this patch.  I actually am not sure if there's anything
not working as expected as far as the two audit events go.
However, I find the events to be not as descriptive as it's hard to tell
when a CLIENT_ACCESS_SESSION_TERMINATED alert was triggered by the
server (DS or KRA) or by the client (CS). For this reason, I prepend
"alertSent:" or "alertReceived:" before the CLOSE_NOTIFY in the audit
Info.

Here are a couple examples:
CA->KRA when crmf is submitted for key archival
0.ConnectAsync - [25/Aug/2021:19:31:05 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=8443][SubjectID=SYSTEM][Outcome=Success] access session establish successfully when Certificate System acts as client
0.https-jsse-nio-8443-exec-17 - [25/Aug/2021:19:31:06 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=8443][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertSent: CLOSE_NOTIFY] access session terminated when Certificate System acts as client

CA->DS
At system (CS) startup:
0.main - [25/Aug/2021:12:49:17 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=636][SubjectID=SYSTEM][Outcome=Success] access session establish successfully when Certificate System acts as client
...
Do something such as
  pki -d . -c pAssword.123 -P https -p 8443 -n "PKI Administrator for example.com" ca-user-find
Notice how neither of the establish/terminated events get triggered.
...

After one hour (imposed by DS by default):
0.LDAPConnThread-9 ldaps://pki1.example.com:636 - [25/Aug/2021:13:49:17 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=10.19.34.104][ServerHost=10.19.34.104][ServerPort=636][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertReceived: CLOSE_NOTIFY] access session terminated when Certificate System acts as client
0.LDAPConnThread-9 ldaps://pki1.example.com:636 - [25/Aug/2021:13:49:17 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=636][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertSent: CLOSE_NOTIFY] access session terminated when Certificate System acts as client
Notice how one has "clientAlertReceived: CLOSE_NOTIFY" and the second one has
"clientAlertSent: CLOSE_NOTIFY", possibly because when CS received a timeout
notification it responded with a close notify.

I also adjusted some of the debug messages to make them easier to debug.

addresses https://bugzilla.redhat.com/show_bug.cgi?id=1694417

- - - - -
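The audit records quoted in the commit message above, as an added parsing and summarizing example (this is not code from the commit or from Dogtag PKI). It reads CLIENT_ACCESS_SESSION_ESTABLISH / CLIENT_ACCESS_SESSION_TERMINATED lines in the format shown there, groups them per TLS server (ServerHost:ServerPort) and uses the Info prefix the commit introduces (clientAlertReceived vs clientAlertSent) to tell server-initiated closes from client-initiated ones. The sample lines are constructed to match that format; thread names, hosts and timestamps are placeholders taken from the quoted examples, not from a real deployment.

```python
import re
from collections import defaultdict

# Constructed sample input in the format quoted in the commit message above.
# Hosts, thread names and times are placeholders, not from a real deployment.
SAMPLE_LINES = [
    "0.main - [25/Aug/2021:12:49:17 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=636][SubjectID=SYSTEM][Outcome=Success] access session establish successfully when Certificate System acts as client",
    "0.ConnectAsync - [25/Aug/2021:19:31:05 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=8443][SubjectID=SYSTEM][Outcome=Success] access session establish successfully when Certificate System acts as client",
    "0.https-jsse-nio-8443-exec-17 - [25/Aug/2021:19:31:06 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=8443][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertSent: CLOSE_NOTIFY] access session terminated when Certificate System acts as client",
    "0.LDAPConnThread-9 ldaps://pki1.example.com:636 - [25/Aug/2021:13:49:17 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=636][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertReceived: CLOSE_NOTIFY] access session terminated when Certificate System acts as client",
    "0.LDAPConnThread-9 ldaps://pki1.example.com:636 - [25/Aug/2021:13:49:17 EDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=a.b.c.d][ServerHost=a.b.c.d][ServerPort=636][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertSent: CLOSE_NOTIFY] access session terminated when Certificate System acts as client",
]

# "<thread> - [<timestamp>] [<n>] [<n>] [Key=Value]... <free-text message>"
LINE_RE = re.compile(
    r"^(?P<thread>.+?) - \[(?P<timestamp>[^\]]+)\] \[\d+\] \[\d+\] "
    r"(?P<attrs>(?:\[[^\]]*\])+) (?P<message>.*)$"
)
ATTR_RE = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")


def parse_audit_line(line):
    """Return the bracketed attributes plus thread/timestamp/message as a dict,
    or None if the line is not a CLIENT_ACCESS_SESSION_* audit record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(ATTR_RE.findall(m.group("attrs")))
    if not event.get("AuditEvent", "").startswith("CLIENT_ACCESS_SESSION_"):
        return None
    event["thread"] = m.group("thread")
    event["timestamp"] = m.group("timestamp")
    event["message"] = m.group("message")
    return event


def parse_audit_lines(lines):
    return [ev for ev in (parse_audit_line(ln) for ln in lines) if ev is not None]


def summarize(lines):
    """Count establish/terminate events per TLS server (host:port) and split
    terminations by which side sent the CLOSE_NOTIFY alert."""
    stats = defaultdict(lambda: {
        "established": 0,
        "terminated": 0,
        "closed_by_server": 0,  # Info=clientAlertReceived: the peer (DS/KRA) closed
        "closed_by_client": 0,  # Info=clientAlertSent: CS closed, or replied to a close
    })
    for ev in parse_audit_lines(lines):
        s = stats[f"{ev['ServerHost']}:{ev['ServerPort']}"]
        if ev["AuditEvent"] == "CLIENT_ACCESS_SESSION_ESTABLISH":
            s["established"] += 1
        elif ev["AuditEvent"] == "CLIENT_ACCESS_SESSION_TERMINATED":
            s["terminated"] += 1
            info = ev.get("Info", "")
            if info.startswith("clientAlertReceived"):
                s["closed_by_server"] += 1
            elif info.startswith("clientAlertSent"):
                s["closed_by_client"] += 1
    return dict(stats)


def session_imbalance(lines):
    """established minus terminated per server. As the commit explains, for the
    DS this is not expected to be zero: the pooled connections (internaldb.minConns)
    are established once at startup, and one server-side timeout yields two
    TERMINATED records (alert received, then alert sent). Treat a non-zero value
    as a prompt to look at the raw records, not as proof of a leaked session."""
    return {k: v["established"] - v["terminated"] for k, v in summarize(lines).items()}


if __name__ == "__main__":
    for server, s in summarize(SAMPLE_LINES).items():
        print(server, s)
    print(session_imbalance(SAMPLE_LINES))
```

Run it on a real audit log by passing the file's lines to `summarize()`; records that are not CLIENT_ACCESS_SESSION_* events are skipped rather than failing the parse, so the whole log can be fed through.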
92cb2c3a by Endi S. Dewata at 2021-08-26T20:59:53-05:00
Update log messages in QueryReq

- - - - -
0ad78277 by Endi S. Dewata at 2021-08-26T20:59:53-05:00
Remove unused methods in ResourceMessage

- - - - -
3bef46fd by Endi S. Dewata at 2021-08-26T22:05:58-05:00
Use GH action cache for QE tests

- - - - -
ccdde3bc by Endi S. Dewata at 2021-08-26T22:05:58-05:00
Use GH action cache for IPA tests

- - - - -
ad2c1b05 by Chris Kelley at 2021-08-27T09:27:18+01:00
Remove jaxb-impl dependency
- - - - -
447d9605 by Endi S. Dewata at 2021-08-27T09:15:22-05:00
Add RESTMessage

The RESTMessage has been added as a copy of ResourceMessage
but without the JAXB annotations. Some of ResourceMessage's
subclasses have been changed to extend RESTMessage instead.

- - - - -
f72e3eb5 by Endi S. Dewata at 2021-08-27T09:15:22-05:00
Add XML mapping for key generation/archival/recovery classes

- - - - -
ccd723d2 by Endi S. Dewata at 2021-08-27T09:15:22-05:00
Update key generation/archival/recovery classes

The key generation/archival/recovery classes have been
modified to extend RESTMessage.

- - - - -
31657394 by Chris Kelley at 2021-08-27T16:10:15+01:00
Convert CertEnrollmentRequest to extend RESTMessage
- - - - -
82da3f15 by Chris Kelley at 2021-08-27T16:10:15+01:00
Improve CertReviewResponseTest object
- - - - -
b49e01cb by Chris Kelley at 2021-08-27T16:10:15+01:00
Replace ResourceMessage with RESTMessage in KRAKeyTemplate{find,show}CLI
- - - - -
9529ec19 by Chris Kelley at 2021-08-27T16:47:42+01:00
Remove unused ResourceMessage class (and test class)
- - - - -
9eb08e95 by jmagne at 2021-08-27T10:15:01-07:00
Fix: Bug 1964176 - KRA PKCS12 support for nCipher sw v12.60+. (#3691) (#3700)

Note much of this work is based on original work by Alex Scheel.
    aka, cipherboy : alexander.m.scheel at gmail.com
This is the pki portion of this bug. Features:

- Import and create our own version of nss's pk12util and name it p12tool.
The reason to do this is to add 3 new KWP algorithm SEC_OIDS dynamically to
nss. This allows the tool to be able to import a p12 file that is wrapped with one
of these new algorithms. Otherwise this tool operates exactly like the nss pk12util,
but it's invoked with the name "p12tool".

- Added support to the KRA to be able to create a p12 file using one of the following algs:

"AES/None/PKCS5Padding/Kwp/128"
"AES/None/PKCS5Padding/Kwp/192"
"AES/None/PKCS5Padding/Kwp/256"

Note this requires a new version of jss upcoming that registers these 3 new algs.
They can be referenced by these names in java jss code. These algs are needed when
using an hsm of a certain firmware version that is more restrictive, especially under
FIPS mode.

If the admin knows that the kra is hooked up with such an hsm, the kra can be configured to use
one of those algs as follows:

In the KRA's CS.cfg:

kra.legacyPKCS12=false
kra.nonLegacyAlg=AES/None/PKCS5Padding/Kwp/256

This setting defaults to what we have originally: "AES/CBC/NoPadding".

Also note if we are using the most restrictive scenario with a given hsm, we
want to install both the CA and the KRA with PSS and have oaep enabled for both post configuration:

keyWrap.useOAEP=true

When attempting to recover a key, the code in jss attempts the current method, and
then tries our enhanced method, if the current method fails. This is to disturb original
functionality as little as possible if not needed.

- CRMFPopClient has been lightly modified to be able to use the AES_KEY_WRAP_KWP wrapping mechanism:

Here is an example of generating a cert request :

CRMFPopClient -d . -p ******  -n "cn=ladycfu, uid=ladycfu" -q POP_SUCCESS -l 2048 -b transport.txt -oaep -w "AES KeyWrap/Wrapped" -h NHSM-CONN-XC -y -v -o test1.req

Note the alg "AES KeyWrap/Wrapped" will wrap up the private key with this alg, and the archival routing on the server's kra subsystem will be able to deal with it.

When employing the KRA's gui to recover a key, the kra must be configured with "kra.nonLegacyAlg=AES/None/PKCS5Padding/Kwp/256", as an example,
to be able to deal with this key and recover it to a p12 file.

Then when importing such a p12 into a software nss db, we must use the new "p12tool" to do so, since it's the only one that recognizes the new algorithms:

ex:  p12tool -i test.p12 -d .

Note that this import only works on software for now, since we need further support in nss to make this a reality. The goal of this fix and the corresponding
jss fix was to be able to get this use case working on the hsm in fips mode without modifying nss at all.
- - - - -
50495e5e by Endi S. Dewata at 2021-08-27T16:02:11-05:00
Stop QE tests immediately on error

- - - - -
7dc75c82 by Endi S. Dewata at 2021-08-27T16:02:11-05:00
Drop resteasy-jaxb-provider dependency

- - - - -
52af304b by Christina Fu at 2021-08-30T10:54:57-07:00
Bug1990105- TPS Not properly enforcing Token Profile Separation

This patch addresses the issue that TPS agent operations on tokens, activities, and profiles are not limited by the types (profiles) permitted to the agent (as described in the documentation). This is a regression from 8.x.

The affected operations are:
 - findProfiles
 - getProfiles
 - updateProfile
 - changeStatus (of a profile)
 - retrieveTokens
 - getToken
 - modifyToken
 - changeTokenStatus
 - retrieveActivities
 - getActivity

Note that some operations that seem like they should be affected are not,
due to the fact that they are TPS admin operations and are shielded
from entering the TPS service at the activity level.  For example,
deleting a token would be such a case.

The authorization enforcement added in this patch should affect both
access from the web UI as well as access from PKI CLI.
Reference: https://github.com/dogtagpki/pki/wiki/PKI-TPS-CLI

Another note: the VLV complicates the resulting page.  If the returned
entries on the page are all restricted then nothing would be shown.  To
add a bit more clarity, a <restricted> entry is added to reflect such
effect so that it would be less confusing to the role user.
The <restricted> entries are left with the epoch date.
This would affect both WEB UI and PKI CLI.

Also, a last minute addition to address an issue with 1911472 in
CertService.java where the subject DN of the CA signing cert should
be used instead of the issuer.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1990105

- - - - -
b758c038 by Chris Kelley at 2021-09-01T17:03:53+01:00
Remove UserResource.replaceUser() method

This REST endpoint is not used internally, nor is it exposed via the PKI
CLI interface. It is accessible however using curl, with strange
results, so it is probably safest to simply remove this method.
- - - - -
8a137b51 by Chris Kelley at 2021-09-01T21:23:49+01:00
Update API-changes doc after UserService.replaceUser() removal
- - - - -
03fdf6bc by Dino at 2021-09-01T14:31:53-06:00
Return an ACME badSignatureAlgorithm response instead of Unsupported JWS algorithm exception

- - - - -
2c2876a5 by Chris Kelley at 2021-09-02T16:59:35+01:00
Make JSON the default message format in PKIService
- - - - -
18405361 by Chris Kelley at 2021-09-03T11:00:08+01:00
Update version number to 11.0.0-beta1

- - - - -
9cd75761 by Chris Kelley at 2021-09-03T11:18:19+01:00
Update version number to 11.0.0-beta1

- - - - -
37e4ad05 by Chris Kelley at 2021-09-03T11:21:58+01:00
Update _phase to -beta1

- - - - -
0c463036 by Chris Kelley at 2021-09-06T11:16:29+01:00
Simplify getSW{1,2}() methods in APDUResponse

These complicated if-else blocks contain 3 return statements, two of
which are the same. It can be drastically simplified by using the
ternary operator and taking advantage of the short-circuit evaluation of
the || operator to reduce to a one-liner.
- - - - -
e82b196e by Chris Kelley at 2021-09-07T14:38:36+01:00
Simplify boolean expressions in ArgBlock

Remove redundant boolean literal comparisons
Invert if (!exp) to if (exp) for readability
Use ternary operator where possible
Remove unnecessary else clauses
- - - - -
e9e9b353 by Chris Kelley at 2021-09-07T14:44:57+01:00
Tidy up logical expressions in CAService

Remove redundant boolean literal comparisons
Invert if (!exp) to if (exp) for readability
Use ternary operator where possible
Remove unnecessary else clauses

- - - - -
1a7e9b49 by jmagne at 2021-09-16T15:48:37-07:00
Fix Bug 2001576 - pki instance creation fails for IPA server in FIPS mode (RHEL-8.5) (#3742)

It looks like this is an issue in FIPS mode because when we restart the subsystem, there is a pki command
that runs before the server runs. In order for this command to succeed, we must alter the python script that
runs pki commands to add the following switch to turn off fips mode in java: "-Dcom.redhat.fips=false".

This allows the JSS provider to be selected instead of a different one which doesn't work for us, when we are in
fips mode.
- - - - -
04344b2f by Endi S. Dewata at 2021-09-22T15:30:26-05:00
Disable CI caching

The actions/cache has been replaced with upload/download-artifact
since it's causing problems.

- - - - -
4afe6c7b by Endi S. Dewata at 2021-09-22T15:30:30-05:00
Remove unused RESTEASY_ATOM_PROVIDER_JAR

- - - - -
fa5dc71f by Endi S. Dewata at 2021-09-22T18:30:33-05:00
Clean up comments

- - - - -
af60791a by Endi S. Dewata at 2021-09-22T22:09:41-05:00
Drop glassfish-jaxb-api dependency

- - - - -
115778bf by Jack Magne at 2021-09-23T14:24:31-04:00
Fix Bug 2001576 - pki instance creation fails for IPA server in FIPS mode (RHEL-8.5).
Additional fix to this issue to account for our standalone java tools.

- - - - -
077c137c by Endi S. Dewata at 2021-09-24T13:17:10-05:00
Drop NSSCryptoProvider

The pki.crypto.NSSCryptoProvider has been removed since
python-nss is no longer supported.

The unused pki.crypto.CKM_DES3_CBC_PAD has been removed
as well.

- - - - -
df9b4a2c by Chris Kelley at 2021-09-27T17:14:24+01:00
Don't check for null when using instanceof in TokenService

instanceof returns false if the object to be compared is null so
explicitly checking for null is unnecessary.
- - - - -
7df059bb by Chris Kelley at 2021-09-27T17:42:26+01:00
Remove boolean literals from logical expressions

They're not necessary and make code harder to read/increase probability
of mistakes.
- - - - -
81bb4474 by Christina Fu at 2021-09-29T13:39:22-07:00
Bug1984431- pkispawn:SEC_ERROR_ADDING_CERT for KRA admin cert

The issue reported in Bug1984431 was with pkispawn two-step installation
for KRA where if pki_import_admin_cert is specified in the pkispawn config
file, installation would fail with the following error:
  INFO: Importing admin certificate into /opt/topology-cc-KRA/kra/alias
  DEBUG: Command: certutil -A -d /opt/topology-cc-KRA/kra/alias -f /opt/topology-cc-KRA/kra/password.conf -n PKI KRA Administrator for Example.Org -a -i /opt/topology-cc-KRA/kra_admin.cert -t ,,
  certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
  CalledProcessError: Command '['certutil', '-A', '-d', '/opt/topology-cc-KRA/kra/alias', '-f', '/opt/topology-cc-KRA/kra/password.conf', '-n', 'PKI KRA Administrator for Example.Org', '-a', '-i', '/opt/topology-cc-KRA/kra_admin.cert', '-t', ',,']' returned non-zero exit status 255.

My investigation reveals the following:
The code didn't take into account that the KRA admin cert was already being
manually issued (after pkispawn step 1) and imported into the kra admin nssdb.
It erroneously generates a 2nd CSR, sends it directly to the CA and receives
a new cert.  It was at the time when it attempts to import the 2nd admin cert,
using the same nickname, that certutil blows up and breaks the installation.

It was observed that if it were the exact same cert, certutil would
function without issue, but this is a different cert.  Also, the format of
the 2nd csr is not CMC, which is the requirement that's breached.

This patch detects the "step 2" status of a non-CA and skips over the
re-generation of the 2nd csr for KRA admin.

My test of the patch is able to get past the reported SEC_ERROR_ADDING_CERT issue.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1984431

- - - - -
2cec6775 by Christina Fu at 2021-09-29T13:50:49-07:00
Bug1984431-issue2-missing system certs in config

This fixes the 2nd issue with regards to failed KRA (or non-ca) two-step
installation with HSM, where system certs are missing from CS.cfg:
  <subsystem type>.<cert id>.cert=
e.g. kra.transport.cert=

The issue was due to missing token name when nssdb.get_cert is called
inside def update_system_cert, causing certutil -L in nssdb.get_cert to
silently return nothing for each cert on the HSM.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1984431

- - - - -
dd7ac58c by Christina Fu at 2021-09-29T14:11:07-07:00
Bug2000184-hsm CMC shared Secret failed unwrap

With the latest nCipher firmware version (> v.12.60) in FIPS mode,
CMC Shared Secret authentication would fail since the HSM does not
allow the default issuance protection cert (CA subsystem cert) keys
to do unwrap (Application error: Key 0x000004FA doesn't allow decrypt).

To overcome the issue, the issuance protection cert needs to be replaced
with one that has such capability.  The tool 'certutil' came to mind as
it advertised the '--keyOpFlagsOn opflags' option. However, my experiment
has shown that certutil has trouble processing one of the needed opflags,
"sign_recover" ("Unknown flag (recover)").

This patch modifies PKCS10Client so that a new option '-w' is added to
allow for generation of an RSA key pair (thus CSR) which is capable of
handling wrapping/unwrapping on the aforementioned hsm version.

The steps to issue a new CA issuance protection cert involve the following:

A. generate a CSR:
  e.g. PKCS10Client -d /var/lib/pki/<ca instance>/alias -h hsm-module -a rsa -l 2048 -n "CN=CA issuanceProt cert" -w -v -o ca-issuanceProt-cfu.csr.b64

B. create a CMCRequest cfg file to be signed by a CA agent (instructions
can be found in the doc);

C. Use HttpClient to submit the cmc request to the CA using caCMCcaIssuanceProtectionCert

D. Use CMCResponse with -v to print out certs in the chain (pick Cert:0) in b64 encoding; then save the b64 of the cert into a file (e.g. caIssuanceProt.cert)
Be sure to add the "brackets" above and below the b64 blob:
-----BEGIN CERTIFICATE-----
 cert b64 blob
-----END CERTIFICATE-----

E. stop the CA

F. import the cert in caIssuanceProt.cert into both the hsm that the CA uses
and the nssdb where the CA agent will be generating the cmc shared secret.
Assume CA agent nssdb has been set up with the proper CA cert trust and
agent (bootstrap admin user by default) cert:
  * certutil -d /var/lib/pki/<ca instance>/alias -h <hsm module> -A -t "u,u,u" -n "issuanceProt-091521b.cert" -i caIssuanceProt.cert
  * certutil -d <agent nssdb dir> -A -t ",," -n "issuanceProt-091521b.cert" -i caIssuanceProt.cert

G. edit CA CS.cfg by adding (or modifying, if it exists):
ca.cert.issuance_protection.nickname=<hsm module>:<issuance protection cert nickname>
e.g.
  ca.cert.issuance_protection.nickname=myHSM:issuanceProt-091521b.cert
While in there, add the following as well:
  keyWrap.useOAEP=true
And setup cmc Shared Secret authentication
e.g. (for better security, set up secure ldap)
  auths.instance.SharedToken.dnpattern=
  auths.instance.SharedToken.ldap.basedn=ou=People,dc=sjc,dc=redhat,dc=com
  auths.instance.SharedToken.ldap.ldapauth.authtype=BasicAuth
  auths.instance.SharedToken.ldap.ldapauth.bindDN=cn=Directory Manager
  auths.instance.SharedToken.ldap.ldapauth.bindPWPrompt=Rule SharedToken
  auths.instance.SharedToken.ldap.ldapauth.clientCertNickname=
  auths.instance.SharedToken.ldap.ldapconn.host=test.example.com
  auths.instance.SharedToken.ldap.ldapconn.port=389
  auths.instance.SharedToken.ldap.ldapconn.secureConn=false
  auths.instance.SharedToken.ldap.ldapconn.version=3
  auths.instance.SharedToken.ldap.maxConns=
  auths.instance.SharedToken.ldap.minConns=
  auths.instance.SharedToken.ldapByteAttributes=
  auths.instance.SharedToken.ldapStringAttributes=
  auths.instance.SharedToken.pluginName=SharedToken
  auths.instance.SharedToken.shrTokAttr=shrTok

H. start CA

After this, you'll need to rerun CMCSharedToken to regenerate the shared secret,
and then modify the "shrTok" value of the user entry if
it contains another value generated using the previous issuanceProt cert
(default is CA's subsystem cert, which doesn't work with the aforementioned
 hsm version)

Finally, in the case of CRMF requests, where KRA is involved, please note
that if the 2-step procedure is followed to install KRA, at completion
add the DRM (KRA) transport cert to each CA and KRA's CS.cfg files.
e.g.
CA's CS.cfg:
  ca.connector.KRA.transportCert=MIIEbjCC...kw==

KRA's CS.cfg:
  kra.transport.cert=MIIEIjCCA...kw==
and while in there, add the following:
  keyWrap.useOAEP=true
  kra.legacyPKCS12=false
  kra.nonLegacyAlg=AES/None/PKCS5Padding/Kwp/256

Restart both CA and KRA after configuration changes.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2000184

- - - - -
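A small offline audit of the CS.cfg settings that the Bug2000184 message above and the earlier Bug1984431-issue2 message describe (empty `<subsystem>.<cert id>.cert=` entries, the `<hsm module>:` nickname prefix, `keyWrap.useOAEP`, the KRA wrap settings and the SharedToken LDAP connection). This is an added example, not Dogtag project code; the CS.cfg fragments are constructed and the `parse_cs_cfg`/`check_*` functions are hypothetical helpers.

```python
"""Audit CS.cfg fragments for the settings listed in the commit messages.

Added example (not part of the Dogtag project). The sample configs below are
constructed to mirror the values quoted in the commit messages.
"""
import re
from typing import Dict, List

# Constructed CA CS.cfg fragment modelled on the Bug2000184 message.
SAMPLE_CA_CFG = """\
ca.cert.issuance_protection.nickname=myHSM:issuanceProt-091521b.cert
keyWrap.useOAEP=true
auths.instance.SharedToken.pluginName=SharedToken
auths.instance.SharedToken.shrTokAttr=shrTok
auths.instance.SharedToken.ldap.ldapauth.authtype=BasicAuth
auths.instance.SharedToken.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.SharedToken.ldap.ldapconn.host=test.example.com
auths.instance.SharedToken.ldap.ldapconn.port=389
auths.instance.SharedToken.ldap.ldapconn.secureConn=false
"""

# Constructed KRA CS.cfg fragment reproducing the issue-2 symptom
# (an empty system cert entry) plus a legacy wrap setting.
SAMPLE_KRA_CFG = """\
kra.transport.cert=
kra.storage.cert=BASE64-CERT-PLACEHOLDER
keyWrap.useOAEP=true
kra.legacyPKCS12=true
"""

# Values the Bug2000184 message tells the admin to put in the KRA CS.cfg.
KRA_EXPECTED = {
    "keyWrap.useOAEP": "true",
    "kra.legacyPKCS12": "false",
    "kra.nonLegacyAlg": "AES/None/PKCS5Padding/Kwp/256",
}

# <subsystem type>.<cert id>.cert, the shape of the system cert entries.
SYSTEM_CERT_KEY = re.compile(r"^[a-z]+\.[A-Za-z_]+\.cert$")


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines. Split on the first '=' only, so values that
    themselves contain '=' (bindDN=cn=Directory Manager) survive intact."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_ca_cfg(cfg: Dict[str, str]) -> List[str]:
    """Findings for a CA CS.cfg following the steps in the commit message."""
    findings: List[str] = []
    nick = cfg.get("ca.cert.issuance_protection.nickname", "")
    if not nick:
        findings.append("ca.cert.issuance_protection.nickname unset: the CA "
                        "subsystem cert (default) is used for issuance protection")
    elif ":" not in nick:
        findings.append("issuance protection nickname lacks the "
                        "'<hsm module>:' prefix, so an HSM-resident cert is not addressed")
    if cfg.get("keyWrap.useOAEP", "").lower() != "true":
        findings.append("keyWrap.useOAEP is not true")
    if cfg.get("auths.instance.SharedToken.pluginName") != "SharedToken":
        findings.append("SharedToken auth plugin is not configured")
    secure = cfg.get("auths.instance.SharedToken.ldap.ldapconn.secureConn", "false")
    if secure.lower() != "true":
        # BasicAuth bind credentials and shrTok lookups go over plain LDAP.
        findings.append("SharedToken LDAP connection has secureConn=false; "
                        "the commit message recommends secure ldap")
    return findings


def check_kra_cfg(cfg: Dict[str, str]) -> List[str]:
    """Findings for a KRA CS.cfg: empty system certs and wrap settings."""
    findings: List[str] = []
    for key in sorted(cfg):
        if SYSTEM_CERT_KEY.match(key) and not cfg[key]:
            findings.append(f"{key} is empty: system cert missing from CS.cfg")
    for key, want in KRA_EXPECTED.items():
        if cfg.get(key) != want:
            findings.append(f"{key} is {cfg.get(key)!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    for name, text, check in (("CA", SAMPLE_CA_CFG, check_ca_cfg),
                              ("KRA", SAMPLE_KRA_CFG, check_kra_cfg)):
        for finding in check(parse_cs_cfg(text)):
            print(f"[{name}] {finding}")
```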
6350bc1c by Christina Fu at 2021-09-29T14:11:30-07:00
Bug1984431-issue3-pkispawn-kra-wrapKeys-v10.11

The main issue this patch fixes is to replace the certutil tool with
PKCS10Client so that keys with proper capabilities can be generated
for the CSR so that they can be used for KRA key storage and transport
cert to perform key wrapping/unwrapping with the latest hsm in fips mode.
This change also includes adding a new '-P' option for PKCS10Client
to accept a password file.

Additionally, it also addresses some other misc issues such as missing
token in calls to do cert validation (causing certs on hsm not to be
verified), as well as adding more debug messages.

As the fix focuses mainly on getting KRA to install and function in
two steps in fips mode with HSM, other subsystems such as OCSP, TPS,
and TKS are out of scope and could possibly need additional work to
install and function in the same environment.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1984431

- - - - -
dd627b30 by Endi S. Dewata at 2021-09-29T16:37:50-05:00
Clean up CI scripts

- - - - -
7bd67c3b by Endi S. Dewata at 2021-09-29T17:31:14-05:00
Fix flake8 errors

- - - - -
cda0d54d by Chris Kelley at 2021-09-30T11:35:55+01:00
Get config store from Engine not subsystem engine in TPSProcessor

This fixes the outstanding issue where various config is erroneously
prefixed with TPS

Resolves #1960743

- - - - -
e8660ffe by Endi S. Dewata at 2021-09-30T20:09:28-05:00
Update version number to 11.0.0

- - - - -
3be61444 by Chris Kelley at 2021-10-01T12:03:08+01:00
Replace XMLObject with JSONObject in CheckIdentity
- - - - -
f986f52e by Chris Kelley at 2021-10-04T16:05:02+01:00
Replace XMLObject with JSONObject in ImportTransportCert

Also fix modifier ordering to match the JLS
- - - - -
98f4f8e6 by Endi S. Dewata at 2021-10-05T10:23:24-05:00
Update version number to 11.1.0-alpha1

- - - - -
b2311dfc by Chris Kelley at 2021-10-06T14:42:20+01:00
Simplify logic in Request

* Don't return boolean literals
* Use ternary operator
- - - - -
935a7f44 by Endi S. Dewata at 2021-10-06T12:24:30-05:00
Remove references to resteasy-base

- - - - -
87e31bb0 by Endi S. Dewata at 2021-10-06T17:09:48-05:00
Rename pki-base-java to pki-java

- - - - -
6bcf65e9 by Endi S. Dewata at 2021-10-06T17:09:48-05:00
Rename pki-server-theme to pki-theme

- - - - -
68f57d64 by Chris Kelley at 2021-10-07T17:00:19+01:00
Deprecate XMLObject and replace with JSONObject in UpdateNumberRange

Keep XMLObject in client-side code until next major release for upgrade
backwards compatibility.
- - - - -
dcfa904e by Endi S. Dewata at 2021-10-08T14:14:37-05:00
Add -D option for pkispawn

A new pkispawn option has been added to specify a deployment
parameter as command line parameter.

- - - - -
e4d891b4 by Endi S. Dewata at 2021-10-08T14:14:37-05:00
Modify CA tests to use DS container

Most of CA tests have been modified to use a separate
DS container instead of creating a local DS instance.
The remaining CA tests that use secure DS connection
will be modified separately later.

- - - - -
213382bc by Endi S. Dewata at 2021-10-08T14:18:32-05:00
Remove references to PKI console and its theme in tests

- - - - -
cc6fc570 by Chris Kelley at 2021-10-11T14:53:06+01:00
Tidy up logic in KeyRecoveryAuthority

* Remove unnecessary else clauses
* Don't return Boolean literals
* Invert statements that use !=
* Replace comparison to "" with isEmpty() - the preceding code checks
for null explicitly so this is as safe as the existing code
* Remove comparisons to Boolean literals
- - - - -
8be10af0 by Chris Kelley at 2021-10-11T14:54:25+01:00
Remove unnecessary else clauses in AsymKeyGenService
- - - - -
6a84cbe9 by Chris Kelley at 2021-10-11T14:54:25+01:00
Remove commented out debug statements in AsymKeyGenService
- - - - -
257af180 by Christina Fu at 2021-10-11T10:31:52-07:00
Bug2012349-pkispawn-TKS-TPS-2step-install

The goal of this patch is to allow TKS/TPS to be installed using pkispawn
two-step installation.  There will certainly be more work needed to allow
TMS to function properly in FIPS/(new)HSM.  This patch will provide the
basic platform for the continued work.
There is also a possibility that some needed additional work could be worked
around manually.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2012349

- - - - -
5a02bded by Endi S. Dewata at 2021-10-11T16:05:17-05:00
Update pkispawn and pkidestroy logging

pkispawn and pkidestroy have been modified to only generate
the logs on the console. It can additionally store the logs
into a file using the --log-file option.

- - - - -
119b3d25 by Chris Kelley at 2021-10-13T15:58:41+01:00
Drop dependency on xerces-j2 & xalan-j2 to prepare for Java 17

I tested our code against the latest Java 17 as at some point Fedora
will start considering using Java 17 LTS version as the default.

Everything looks good except for some packages brought in by xerces-j2
that are also provided by the JRE. Newer versions of Java are increasing
the encapsulation of the JRE/stricter on name clashes with JRE
internals.

It transpires that the classes we need from xerces-j2 are the very ones
provided by the JRE, so we can simply drop xerces-j2 as a dependency.

As the classes are already present in the Java 11 JRE it is safe to drop
now, so I have done so.

As we only require xalan-j2 to satisfy dependencies of xerces-j2, we can
also drop this as a dependency.

- - - - -
850b6b47 by Endi S. Dewata at 2021-10-13T10:12:18-05:00
Update ds-container-create/remove.sh

The ds-container-create/remove.sh scripts have been
modified to take a container name argument.

- - - - -
4c10fdd8 by Chris Kelley at 2021-10-13T16:35:36+01:00
Replace XMLObject with JSONObject in RegisterUser
- - - - -
ff64d5ec by Endi S. Dewata at 2021-10-13T10:52:35-05:00
Rename PKIDIR to SHARED

- - - - -
c8aaef5b by Jon Parrish at 2021-10-13T17:40:04+01:00
Not a duplicate, one is supposed to be at the top

Revert "Remove duplicate buttons from Retrieval List Certificates page"

This reverts commit d1a02c8983da2e7417a429aa35319f51c16162b9.

- - - - -
57b7da15 by Jon Parrish at 2021-10-13T17:40:04+01:00
Close table so that top navigation is at the top

- - - - -
42dfdcc5 by Endi S. Dewata at 2021-10-13T13:10:27-05:00
Update ds-container-remove.sh

The ds-container-remove.sh has been modified to remove
the volume as well.

- - - - -
735e18ec by Endi S. Dewata at 2021-10-13T18:34:04-05:00
Fix missing CA test artifacts

The ds/pki-artifacts-save.sh scripts have been modified
to provide options to specify the instance name and the
output directory and to store the container logs.

- - - - -
4487a8d5 by Endi S. Dewata at 2021-10-14T09:15:25-05:00
Add ds-container-start/stop.sh

The ds-container-start/stop.sh scripts have been added
to start/stop DS container.

- - - - -
42955344 by Endi S. Dewata at 2021-10-14T09:15:25-05:00
Add ds-container-certs-import.sh

The ds-container-certs-import.sh has been added to import
certs into DS container.

The ds-container-create.sh has been modified to create the
folder for importing certs.

- - - - -
4f6c0630 by Endi S. Dewata at 2021-10-14T09:15:25-05:00
Update CA tests using secure DS connection

The CA tests using a secure connection to a local DS instance
have been modified to use a separate DS container instead.

- - - - -
264dc25b by Endi S. Dewata at 2021-10-14T12:18:34-05:00
Update KRA tests to use DS container

The KRA tests have been modified to use a separate DS
container.

- - - - -
3ee4941e by Endi S. Dewata at 2021-10-14T12:22:49-05:00
Remove obsolete scripts

- - - - -
109d1b16 by Endi S. Dewata at 2021-10-14T20:16:59-05:00
Fix ds-container-create.sh

The ds-container-create.sh has been modified to read the
ldapadd input properly and to validate the result.

- - - - -
8d0c5197 by Endi S. Dewata at 2021-10-14T20:17:52-05:00
Update ACME test dependencies

- - - - -
e995cfc2 by Endi S. Dewata at 2021-10-14T22:30:28-05:00
Fix typo in KRA test

- - - - -
87905e9a by Chris Kelley at 2021-10-15T12:52:31+01:00
Remove KRA CLI XML options

* Only allow JSON
* Provide JSON templates
- - - - -
c7e07f55 by Chris Kelley at 2021-10-15T13:06:50+01:00
Simplify logic in EnrollProfile

* Remove unnecessary else clauses
* Use ternary operator to improve readability
* Invert "if !=" to "if ==" to improve readability
* Remove unnecessary bracketing from boolean expressions
* Remove unnecessary boolean literals
- - - - -
2f280b0c by Endi S. Dewata at 2021-10-15T09:41:11-05:00
Update OCSP tests to use DS container

The OCSP tests have been modified to use a separate DS
container.

- - - - -
d47e4128 by Endi S. Dewata at 2021-10-15T09:42:42-05:00
Update TKS tests to use DS container

The TKS tests have been modified to use a separate DS
container.

- - - - -
c1f4690b by Endi S. Dewata at 2021-10-15T11:57:38-05:00
Update TPS tests to use DS container

The TPS tests have been modified to use a separate DS
container.

- - - - -
14220f05 by Endi S. Dewata at 2021-10-15T12:43:55-05:00
Update ACME tests to use DS container

The ACME tests have been modified to use a separate DS
container.

- - - - -
901ba9ca by Chris Kelley at 2021-10-18T10:53:36+01:00
Simplify logic in EnrollDefault

* Remove an empty if clause and check for null instead
* Remove unnecessary Boolean literals
* Don't unnecessarily box primitives to extract their value
* Remove unnecessary else clauses
* Remove unnecessary bracketing
- - - - -
98745edc by Chris Kelley at 2021-10-18T17:26:58+01:00
Remove unused method parameter from ProfileCLI.printProfile()

* Also tidy up getFullName() by using ternary operator
- - - - -
9a15f0bd by Chris Kelley at 2021-10-19T15:13:59+01:00
Tidy up logic in CMSAdminServlet

* Remove unnecessary else clauses
* Use if-elseif-else rather than nested if-else
* Invert "if !=" statements
* Use ternary operator where appropriate
- - - - -
292ec603 by Endi S. Dewata at 2021-10-19T17:06:17-05:00
Update ACME tests

The ACME tests have been updated to show the cert info to
help troubleshooting.

- - - - -
aef3e072 by Chris Kelley at 2021-10-20T14:45:07+01:00
Tidy up logic in TPSProcessor

* Invert "if !="
* Remove unnecessary else clauses
* Use ternary operator where appropriate
* Remove unnecessary Boolean literals
- - - - -
b21303ff by Chris Kelley at 2021-10-20T14:49:16+01:00
Provide user friendly error message when trying to parse invalid JSON

Original JsonParseException is logged, and a new PKIException is thrown
with a user-friendly message.
- - - - -
b3afc3ec by Endi S. Dewata at 2021-10-20T12:50:28-05:00
Refactor ACMEEngine.parseCSRExtensions()

The ACMEEngine.parseCSRExtensions() has been converted into
CertUtil.getSANExtension() such that it can be used to get
the SAN extension from a collection of extensions.

- - - - -
74836382 by Endi S. Dewata at 2021-10-20T12:50:28-05:00
Refactor ACMEEngine.parseCSR() (part 1)

The code that gets the SAN extension from a PKCS #10
request has been moved from ACMEEngine.parseCSR() into
CertUtil.getSANExtension() such that it can be reused.

- - - - -
f0acfd39 by Endi S. Dewata at 2021-10-20T12:50:28-05:00
Refactor ACMEEngine.parseCSRSAN()

The ACMEEngine.parseCSRSAN() has been converted into
CertUtil.getDNSNames() such that it can be reused to get
DNS names from a SAN extension.

The error message for unsupported type has been adjusted
such that it's more appropriate for general usage.

- - - - -
49362100 by Endi S. Dewata at 2021-10-20T12:50:28-05:00
Refactor ACMEEngine.parseCSR() (part 2)

The ACMEEngine.parseCSR() has been converted into
CertUtil.getDNSNames() such that it can be reused
to get DNS names from a PKCS #10 request.

- - - - -
aece2460 by Christina Fu at 2021-10-20T11:16:47-07:00
Bug2000184-CMCSharedToken-hsm-nonPSS

The previous patch missed the nonPSS case. This patch simply excludes
the check for the pki_use_pss_rsa_signing_algorithm parameter in
the installation config and only checks for pki_hsm_enable = True
to request for wrapping keys on KRA transport and storage certs.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2000184

- - - - -
7ebe4de9 by Chris Kelley at 2021-10-21T14:11:47+01:00
Check whether server is alive before asking certbot to register

To diagnose an intermittent CI issue with ACME, we can try to narrow
down the issue by making sure the server is responding before trying to
do anything with certbot. This will tell us that the issue is not
certbot, but either something went wrong in the container or the CI env
itself.
- - - - -
2af01012 by Chris Kelley at 2021-10-21T16:07:27+01:00
Tidy up logic in APolicyRule

* Use ternary operators
* Remove unnecessary Boolean literals
- - - - -
18c36a97 by Endi S. Dewata at 2021-10-21T15:01:52-05:00
Remove unused references to xml-commons-resolver

- - - - -
9f025052 by Endi S. Dewata at 2021-10-21T21:26:28-05:00
Refactor server config folder creation/removal

The code that creates/removes the server config folder/link
in PKIServer and PKIInstance classes has been moved into
create_conf_dir() and remove_conf_dir().

- - - - -
2a1adfcc by Endi S. Dewata at 2021-10-21T21:27:28-05:00
Refactor ServerConfiguration.get_connector()

The ServerConfiguration.get_connector() has been modified
to return None if the requested connector does not exist.
This is more consistent with Python dict.get().

- - - - -
2cc9291a by Chris Kelley at 2021-10-25T18:16:48+01:00
Automatically detect JUnit tests when running build.sh

Currently you have to remember to add new unit tests manually, but now
they will be picked up automatically.
- - - - -
494569f0 by Chris Kelley at 2021-10-25T18:24:59+01:00
Tidy up GPParams

* Make static constants final
* Decrease visibility of no-op constructor
* Remove Boolean literals
* Don't create variables to just return them
- - - - -
0990fee0 by Endi S. Dewata at 2021-10-25T20:47:03-05:00
Update ACME tests

The ACME tests have been modified to save some additional
client artifacts.

- - - - -
650a406c by Endi S. Dewata at 2021-10-26T12:55:57-05:00
Update pki nss-cert-request

Previously the pki nss-cert-request command generated the
cert requests using certutil command. Now it has been updated
to use JSS API.

- - - - -
fd13502c by Endi S. Dewata at 2021-10-26T12:55:57-05:00
Update pki nss-cert-issue

Previously the pki nss-cert-issue command generated the certs
using certutil command. Now it has been updated to use JSS API.

- - - - -
6552c742 by Endi S. Dewata at 2021-10-26T12:55:57-05:00
Fix default cert validity in NSS issuer for ACME

The NSS issuer for ACME has been modified to set the default
cert validity to 3 months instead of relying on certutil's
default cert validity.

- - - - -
3889ff9a by Endi S. Dewata at 2021-10-26T12:55:57-05:00
Fix SAN extension in NSS issuer for ACME

The NSS issuer for ACME has been modified to add a SAN
extension from the DNS names provided in the PKCS #10
request. These DNS names are already validated earlier
so they are safe to use.

- - - - -
a7ef3c68 by Endi S. Dewata at 2021-10-27T10:32:33-05:00
Refactor build jobs

The CI build jobs have been modified to build the packages
before building the containers such that the dependencies
can be stored in the cache using GH action.

- - - - -
66a6e594 by Endi S. Dewata at 2021-10-27T10:32:33-05:00
Cache build dependencies

The CI build jobs have been modified to keep the packages after
installation and to store them in cache (except COPR packages)
to speed up the CI execution. The cache will be invalidated when
the pki.spec is updated.

The build jobs have also been modified to no longer use the
commit ID to avoid calling dnf before restoring the cache.

- - - - -
d375d50d by Chris Kelley at 2021-10-27T17:24:59+01:00
Use human-readable date format on TPS Agent page

Based on patch by czinda, changes made to patch include:

* Use of ternary operator to simplify logic
* Use N/A instead of Date(null), which will print 1st Jan 1970
* Use === instead of ==
* Explicitly define variables
- - - - -
c6185dcc by Endi S. Dewata at 2021-10-27T15:26:49-05:00
Remove unnecessary git dependency in tools tests

- - - - -
7433abae by Endi S. Dewata at 2021-10-27T19:10:46-05:00
Update pki pkcs11-cert-find/show

The pki pkcs11-cert-find/show commands have been modified
to show the cert validity range.

- - - - -
d589f9c5 by Chris Kelley at 2021-10-28T15:40:40+01:00
Remove unused RAAdminServlet
- - - - -
1d50e562 by Endi S. Dewata at 2021-10-28T12:37:39-05:00
Add pki pkcs11 tests

New tests have been added to inspect, export, and remove certs
and keys in internal token and HSM using pki pkcs11 CLIs.

- - - - -
53412b26 by Endi S. Dewata at 2021-10-28T22:46:26-05:00
Update CA clone tests

The CA clone tests have been modified to display the users
and the security domain hosts.

- - - - -
ade79f52 by Endi S. Dewata at 2021-10-29T16:37:41-05:00
Fix pki-server <subsystem>-user-cert description

- - - - -
e4577a03 by Endi S. Dewata at 2021-11-01T09:45:31-05:00
Bump dependency to Python 3.9

- - - - -
db6216f4 by Endi S. Dewata at 2021-11-01T09:45:31-05:00
Clean up log messages

Some log messages have been converted into DEBUG since they
would be more useful for development/troubleshooting. INFO
messages are meant for users so they should be kept simple.

- - - - -
77bb2872 by Endi S. Dewata at 2021-11-01T09:45:31-05:00
Fix Python warnings

FutureWarning: The behavior of this method will change in
future versions. Use specific 'len(elem)' or 'elem is not
None' test instead.

- - - - -
dae4dc45 by Endi S. Dewata at 2021-11-01T11:28:29-05:00
Add pki-server <subsystem>-user-del

The pki-server <subsystem>-user-del has been added to provide
a way for the admin to remove a user from the database while
the server is offline.

- - - - -
f5748b85 by Endi S. Dewata at 2021-11-01T18:28:22-05:00
Update LDAPConfigurator

The customizeFile() and importLDIF() in LDAPConfigurator have
been modified to take a parameter map argument to override the
shared parameter map loaded from the configuration file.

- - - - -
ec45bb54 by Endi S. Dewata at 2021-11-02T14:03:59-05:00
Fix replica reinstallation

The pkispawn and pkidestroy have been modified to ignore
failures caused by adding an entry or attribute that
already exists and to check whether a file exists before
removing it during replica removal and reinstallation.

One of the CA clone tests has been modified to test
removing and reinstalling a replica.

Resolves: https://github.com/dogtagpki/pki/issues/3544

- - - - -
e50f5046 by Endi S. Dewata at 2021-11-03T17:57:33-05:00
Refactor LDAPConfigurator.setupDatabaseManager()

The LDAPConfigurator.setupDatabaseManager() has been modified
to provide a parameter for the database manager DN.

- - - - -
8e8b9a92 by Endi S. Dewata at 2021-11-03T19:11:27-05:00
Bump dependency to Tomcat 9.0.31

The pki.spec has been modified to require Tomcat 9.0.31
to ensure that it works with the "secret" parameter in
the AJP connector.

- - - - -
2c27095e by Chris Kelley at 2021-11-04T11:19:36+00:00
Fixes for classpath on F35+

* Remove JARs that are no longer needed from classpath
* Replace Matcher expectedException.expect() with JUnit's assertThrows()
- - - - -
ba69343c by Endi S. Dewata at 2021-11-04T10:56:09-05:00
Add acme-wait.sh

The acme-wait.sh has been added to wait for the ACME server
to start before running the tests.

- - - - -
567e3fef by Endi S. Dewata at 2021-11-04T14:38:33-05:00
Replace deprecated constants/methods

- - - - -
1e1aaf7c by Endi S. Dewata at 2021-11-04T14:40:38-05:00
Bump dependency to JSS 5.1

- - - - -
e30e785b by Endi S. Dewata at 2021-11-05T10:13:07-05:00
Add pki-server <subsystem>-db-access-grant/revoke

The pki-server <subsystem>-db-access-grant/revoke have been
added to grant/revoke database access to/from a user.

The LDAPConfigurator.setupDatabaseManager() has been renamed
into grantDatabaseAccess(). The revokeDatabaseAccess() has
been added to revert the operation.

The manager.ldif has been renamed to db-access-grant.ldif.
The db-access-revoke.ldif has been added to revert the
changes made by db-access-grant.ldif.

The code that grants the database access has been moved
from pki-server <subsystem>-db-init into configuration.py.
The code has also been modified to use the pki_share_db
and pki_share_dbuser_dn parameters to determine the
database user DN.

- - - - -
28ff081f by Chris Kelley at 2021-11-08T11:05:12+00:00
Remove SHA-1 from signingAlgsAllowed in configuration files

- - - - -
b351a8e0 by Chris Kelley at 2021-11-08T16:13:57+00:00
Introduce SubsystemCLI class to refactor out common code

Start by introducing two new methods:

* initializeJss()
* getEngineConfig()

- - - - -
5cbc4549 by Chris Kelley at 2021-11-08T17:19:39+00:00
Deprecated all SHA-1 constants, classes and enum entries.

- - - - -
8a773d52 by Endi S. Dewata at 2021-11-08T18:24:27-06:00
Add doc for pki-server <subsystem>-db-access

- - - - -
76443812 by Endi S. Dewata at 2021-11-08T18:24:27-06:00
Update log messages in ACME realm

- - - - -
8a011329 by Endi S. Dewata at 2021-11-08T18:24:40-06:00
Fix NPE in NSSDatabase.createCertificate()

- - - - -
8b77756e by Endi S. Dewata at 2021-11-10T11:22:46-06:00
Update NSSDatabase.create_request(), create_cert(), add_cert()

The NSSDatabase.create_request(), create_cert(), and add_cert()
have been modified to provide an option to use JSS-based PKI CLIs
instead of NSS-based certutil to generate a CSR, issue a cert,
and import the cert. In the future the methods will only use the
PKI CLIs since they can support long serial numbers.

The pkispawn has been modified to use the PKI CLIs to generate
the temporary SSL server certificate during installation.

- - - - -
fc3a4a01 by Endi S. Dewata at 2021-11-10T13:36:57-06:00
Clean up help and log messages

- - - - -
fd9b9f56 by Endi S. Dewata at 2021-11-10T17:02:40-06:00
Fix pki-server run

The path for the logging.properties has been changed from
/etc/pki/pki-tomcat to /var/lib/pki/pki-tomcat/conf such that
the server can be run on the foreground using pki-server run.

- - - - -
22d8780f by Endi S. Dewata at 2021-11-10T17:40:59-06:00
Add NSSCertCLI.printCertInfo()

The code that prints the cert info in NSSCertShowCLI has been
moved into NSSCertCLI.printCertInfo().

- - - - -
7a1396e2 by Endi S. Dewata at 2021-11-10T20:54:06-06:00
Remove unused KRAConnector.execute_using_sslget()

- - - - -
33784baa by Endi S. Dewata at 2021-11-11T08:07:41-06:00
Remove pkidaemon status

The pkidaemon status command was already deprecated in PKI 10.
Now the command and the related code have been removed from the
current version.

- - - - -
3e34ed21 by Endi S. Dewata at 2021-11-11T08:09:45-06:00
Remove hard-coded temp SSL server cert params

Previously the parameters for the temp SSL server cert were
hard-coded as follows:
- pki_self_signed_serial_number: 0
- pki_self_signed_validity_period: 12 months
- pki_self_signed_trustargs: CTu,CTu,CTu

The hard-coded values have been removed so it will use the
default values provided by the pki nss-cert commands:
- serial number: 128-bit random integer
- validity: 3 months
- trust attribute: none

The new default values should be fine since the cert will
only exist temporarily during installation.

This change also allows the admin to override the default
values if necessary by specifying these parameters in the
pkispawn configuration.

- - - - -
9452a016 by Endi S. Dewata at 2021-11-11T08:45:38-06:00
Generate warnings for deprecated algorithms on server startup

The PKI server has been modified to generate warnings for
deprecated algorithms in the config files and cert profiles
when the server is started.

- - - - -
c44916c2 by Chris Kelley at 2021-11-11T17:20:21+00:00
Tidy up logic in TBSRequest

* Use ternary operators
- - - - -
8738d185 by Endi S. Dewata at 2021-11-11T13:09:08-06:00
Clean up CMSServlet.auditSubjectID()

- - - - -
000b5e5e by Endi S. Dewata at 2021-11-11T13:45:47-06:00
Clean up SecurityDomainProcessor.addHost()

- - - - -
f3c1270b by Endi S. Dewata at 2021-11-11T13:48:25-06:00
Clean up SecurityDomainProcessor.removeHost()

- - - - -
a0704b0d by Endi S. Dewata at 2021-11-11T16:09:00-06:00
Fix server restart in pkidestroy

pkidestroy has been modified to wait until the server has
completely stopped/started before continuing.

- - - - -
89ada9bb by c-dorney at 2021-11-12T12:20:31+00:00
Fix Bug 2001169 - Audit event 'ACCESS_SESSION_ESTABLISH' is not generating for PKI instances acting as Server [10.2.1] (#3745) (#3763) (#3822)

This fix allows us to actually see ssl connection events in the audit log from the pki /server perspective.
This fix will also require support bug fixes for both jss and tomcatjss.

Added fix for stray alerts showing up after a server is going down.

Sample audit log messages:

0.https-jsse-nio-18443-exec-6 - [29/Sep/2021:21:09:31 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=--][ServerIP=--][SubjectID=CN=PKI Administrator,E=example at testdomain.com,OU=rhcs94-CA-cfu_rsa-nocp11,O=Example-rhcs94-CA_cfu-rsa][Outcome=Success] access session establish success
0.https-jsse-nio-18443-exec-16 - [29/Sep/2021:21:09:32 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=$NonRoleUser$][Outcome=Success][aclResource=certServer.ee.profiles][Op=list] authorization success

0.https-jsse-nio-18443-exec-16 - [29/Sep/2021:21:11:34 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=--][ServerIP=--][SubjectID=CN=PKI Administrator,E=example at testdomain.com,OU=rhcs94-CA-cfu_rsa-nocp11,O=Example-rhcs94-CA_cfu-rsa][Outcome=Success][Info=serverAlertReceived: CLOSE_NOTIFY] access session terminated
0.https-jsse-nio-18443-exec-16 - [29/Sep/2021:21:11:34 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=--][ServerIP=--][SubjectID=CN=PKI Administrator,E=example at testdomain.com,OU=rhcs94-CA-cfu_rsa-nocp11,O=Example-rhcs94-CA_cfu-rsa][Outcome=Success][Info=serverAlertSent: CLOSE_NOTIFY] access session terminated
- - - - -
ab3caef9 by Chris Kelley at 2021-11-12T15:48:52+00:00
Remove unnecessary boolean literals from WIMasterOrClone
- - - - -
63065ec7 by Chris Kelley at 2021-11-12T16:33:47+00:00
Tidy up logic in SecureChannel

* Remove unnecessary else clauses
* Use ternary operator
* Remove dead code (kill == 1 can never be true)
* Return methods rather than using unnecessary Boolean literals

- - - - -
21cdf393 by Chris Kelley at 2021-11-12T16:57:17+00:00
Tidy up SelfTestSubsystem

* Don't return unnecessary Boolean literals
* Combine identical catch blocks
* Remove unnecessary else clauses

- - - - -
31a223c5 by Chris Kelley at 2021-11-12T17:13:33+00:00
Tidy up OCSPNoCheckExtDefault

* Use Boolean.parseBoolean()
* Remove unnecessary else clauses
* Use ternary operator

- - - - -
d2f34169 by Chris Kelley at 2021-11-12T17:17:54+00:00
Refactor getAuthInfo() into SubsystemCLI to de-duplicate subclass code
- - - - -
8a50a82a by Chris Kelley at 2021-11-15T12:53:14+00:00
Tidy up WizardBasePanel

* Don't return unnecessary Boolean literals
* Use try-with-resources to take advantage of Autoclosable
* Prevent possible NullPointerException in getErrorMessage()
* Print value of sendStatus before returning

- - - - -
43e194aa by Endi S. Dewata at 2021-11-15T20:43:24+07:00
Add pki nss-cert-find

The pki nss-cert-find command has been added to list certs
in NSS database.

- - - - -
05e5f99f by Endi S. Dewata at 2021-11-15T22:40:06+07:00
Move UpdateDomainXML audit into SecurityDomainProcessor

The audit code in UpdateDomainXML has been moved into
SecurityDomainProcessor such that the audit logs will be
generated properly when the security domain is updated
using pki securitydomain-host-add/del commands which
call the SecurityDomainProcessor as well.

- - - - -
47879e13 by Endi S. Dewata at 2021-11-16T10:44:13+07:00
Refactor PKISubsystem.update_config()

The code that retrieves and validates the master config
params in PKISubsystem.update_config() has been moved
into configuration.py. The remaining code that imports
the master config params has been converted into
import_master_config().

- - - - -
b606b888 by c-dorney at 2021-11-16T10:05:18+00:00
Add retry when adding expired profile (#3806)

- - - - -
b325c0bd by Christina Fu at 2021-11-16T16:40:46-08:00
Bug008162-TPS-profile-enforce-permitted-agents

This patch addresses additional issues for https://bugzilla.redhat.com/show_bug.cgi?id=2001166

This patch specifically addresses the pki cli "tps-cert-find" option.
e.g. # pki -d /opt/pki/certdb -P https -p 25443 -h localhost -c SECret.123 -n 'TPS_AgentV' tps-cert-find --token 40906145C76224192D11

Additional restrictions are added to the TokenService.java replaceToken and
removeToken methods, where I do not see direct access, as a "just in case" move.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2008162

- - - - -
f4a0fb96 by Endi S. Dewata at 2021-11-17T11:49:11-06:00
Add PKISubsystem.setup_replication()

The Java code that sets up replication in SubsystemDBInitCLI
has been moved into SubsystemDBReplicationSetupCLI so that
later it can be reused as a separate CLI. The Python code that
calls SubsystemDBInitCLI with replication params has been moved
into setup_replication() to call SubsystemDBReplicationSetupCLI.

- - - - -
4542e1f5 by Chris Kelley at 2021-11-18T10:46:19+00:00
Tidy up logic in SecureChannelProtocol classes

* Use ternary operator and invert logic
- - - - -
827c0a8c by Endi S. Dewata at 2021-11-18T20:45:29+07:00
Drop preop.internaldb.master

Previously pkispawn would retrieve the internaldb.* params from
the master server and store them under preop.internaldb.master in
the replica's CS.cfg so SubsystemDBReplicationSetupCLI can use
them. Later these params will be removed from CS.cfg.

To minimize changes to the replica's CS.cfg, these params will
now be stored in a separate temporary file instead.

- - - - -
84c375c2 by dpuniaredhat at 2021-11-19T17:43:26+05:30
Fix KRA key recovery automated test for Bugzilla 1392616 (#3847)

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
8ff4c469 by Endi S. Dewata at 2021-11-22T13:23:11+07:00
Add default image for runner-init.sh

- - - - -
aba75046 by Endi S. Dewata at 2021-11-22T13:23:15+07:00
Remove default password for ds-container-create.sh

- - - - -
d81f92bc by Chris Kelley at 2021-11-22T10:53:25+00:00
Tidy up CertDateCompare with a ternary operator
- - - - -
15ad1755 by Chris Kelley at 2021-11-22T14:00:05+00:00
Tidy up logic in JssSubsystem

* Remove unnecessary else clauses
* Use ternary operators
* Invert logic where appropriate
* Don't create variable just to return it
- - - - -
fb3490fc by Endi S. Dewata at 2021-11-22T22:28:57+07:00
Switch to Java 17

The pki.spec has been modified to depend on Java 17.
The runner-init.sh has been modified to no longer mount
/sys/fs/cgroup to avoid the following warnings:

  Warning: warning][os,container] Duplicate cpuset controllers
  detected. Picking /sys/fs/cgroup/cpuset, skipping
  /sys/fs/cgroup/cpuset.

- - - - -
900a170d by Endi S. Dewata at 2021-11-23T07:02:10+07:00
Fix Java home in pki.spec

- - - - -
961001ba by Chris Kelley at 2021-11-23T12:18:58+00:00
Replace deprecated Provider constructor
- - - - -
ad7d3104 by Endi S. Dewata at 2021-11-24T13:05:58+07:00
Remove unused instanceId variable

- - - - -
73201aca by Endi S. Dewata at 2021-11-24T17:48:40+07:00
Remove unused Setup class

- - - - -
e54b4997 by Endi S. Dewata at 2021-11-24T18:12:35+07:00
Replace pki_force_destroy param with PKIDeployer.force

- - - - -
072f20ea by Endi S. Dewata at 2021-11-24T19:15:32+07:00
Fix pki_source_profiles and pki_subsystem_profiles_path params

The pki_source_profiles and pki_subsystem_profiles_path params
have been modified not to include the 'ca' folder such that
they can include all folders under 'profiles'.

- - - - -
3df40baf by Endi S. Dewata at 2021-11-24T20:37:23+07:00
Move emails and profiles to config folder

pkispawn has been modified to install the emails and profiles
in the instance's config folder instead of base folder since
they are a part of CA configuration.

For backward compatibility the old folders have been replaced
with links to the new locations.

An upgrade script has been added to relocate the emails and
profiles in existing instances.

- - - - -
ed33158a by Endi S. Dewata at 2021-11-24T23:32:40+07:00
Remove unused subsystem webapp folders

pkispawn has been modified to no longer create the subsystem
webapps folders.

An upgrade script has been added to remove the folders from
existing instances.

- - - - -
757b9f29 by Chris Kelley at 2021-11-24T17:08:09+00:00
Use try-with-resources in KeyRepository
- - - - -
2516ea35 by Chris Kelley at 2021-11-26T12:55:23+00:00
Update version number to 11.1.0-alpha2

- - - - -
2ffa7930 by Endi S. Dewata at 2021-11-29T12:24:36+07:00
Replace pki_remove_logs param with PKIDeployer.remove_logs

- - - - -
25d4bfe5 by Endi S. Dewata at 2021-11-29T12:24:36+07:00
Update log messages in PKIServer class

- - - - -
5946415b by Endi S. Dewata at 2021-11-29T12:24:36+07:00
Add PKIServer.create_logging_properties()

The code that creates a copy of or a link to logging.properties
has been moved into PKIServer.create_logging_properties().

- - - - -
7b7dd0e9 by Endi S. Dewata at 2021-11-29T20:02:26+07:00
Remove unused static info in server.xml

The server.xml has been modified to no longer include some
static info since it can be obtained using pki-server status.

A new upgrade script has been added to remove the unused info
from existing instances.

- - - - -
836e68f2 by Endi S. Dewata at 2021-11-29T20:58:00+07:00
Update SCEP test

The SCEP test has been updated to use the pre-built SSCEP
package from the COPR repository.

- - - - -
616b7a98 by Endi S. Dewata at 2021-11-30T09:10:52+07:00
Remove unused conf.d folder

- - - - -
aacfcc91 by Endi S. Dewata at 2021-11-30T10:38:11+07:00
Add CertUtil.getCommonName()

The code in CertUtil.getDNSNames() that gets the common name
from an X.500 name has been moved into getCommonName().

- - - - -
7fabec41 by Endi S. Dewata at 2021-11-30T20:25:49+07:00
Remove unused Tomcat systemd link

The Tomcat systemd link at /var/lib/pki/<instance>/<instance>
is not used so it has been removed.

An upgrade script has been added to remove the link from
existing instances.

- - - - -
e0ccfa50 by Chris Kelley at 2021-12-01T11:19:43+00:00
Use Python 3 no-arg super() in scripts

- - - - -
8c4c40d9 by Endi S. Dewata at 2021-12-01T19:30:27+07:00
Replace PKI symkey with JSS symkey

https://github.com/dogtagpki/pki/issues/1368

- - - - -
5b43799a by Endi S. Dewata at 2021-12-01T23:08:18+07:00
Remove PKI symkey library

The symkey library has been moved into JSS, so the code and
the package have been removed from PKI.

https://github.com/dogtagpki/pki/issues/1368

- - - - -
a3beb1fd by Endi S. Dewata at 2021-12-02T13:30:57+07:00
Add PKIServer.is_running()

The PKIServer.is_running() has been added to check whether
the server is running.

- - - - -
8f6c0048 by Endi S. Dewata at 2021-12-02T13:36:00+07:00
Update PKIServer.get_sslserver_cert_nickname()

The PKIServer.get_sslserver_cert_nickname() has been modified
to return None if the SSL server certificate is not available
instead of throwing an exception.

- - - - -
4c6d3ffb by Endi S. Dewata at 2021-12-02T23:37:36+07:00
Remove unused RA SelfTest

The RA subsystem was dropped a long time ago, but some of its
code remains because parts of it are still needed by tpsclient.
Other parts of RA that are no longer used such as the SelfTest
can be removed.

- - - - -
4330044a by Endi S. Dewata at 2021-12-07T09:46:30+07:00
Clean up DS scripts

- - - - -
30660b44 by Endi S. Dewata at 2021-12-07T09:46:30+07:00
Update DS scripts

The DS scripts have been modified to support a DS server created
from RPM packages or a DS container from the specified image.

- - - - -
a9de00ea by Chris Kelley at 2021-12-07T14:26:08+00:00
Use -fstack-protector-strong compiler flag

* Fixes gating issues with annobin

Resolves: #1936636
- - - - -
acac32b1 by Endi S. Dewata at 2021-12-07T21:36:16+07:00
Remove admin PKCS12 password file from examples

The admin PKCS12 password file is only created if the
pki_client_database_purge is set to False, which is not
the default, so the examples have been updated to use
the password directly.

- - - - -
e9636b17 by Endi S. Dewata at 2021-12-07T21:36:16+07:00
Remove pki_client_database_purge from examples

Previously the pki_client_database_purge param was used in
the examples to retain the temporary NSS database used to
generate the admin certificate so it can be reused after
installation. The param has been removed from the examples
since it's recommended to import the admin PKCS12 file
instead of reusing the temporary NSS database.

- - - - -
5c3076e3 by Endi S. Dewata at 2021-12-07T21:36:16+07:00
Remove pki_client_database_password from examples

The pki_client_database_password param has been removed
from examples since it's not used except for installation
with existing certs and standalone installation where the
installation is done in two steps and pkispawn needs to
use the same NSS database password in both steps.

- - - - -
0340ef3e by Chris Kelley at 2021-12-10T12:04:14+00:00
Fix Invalid Date error in TPS UI

This will make unmodified dates show Thu Jan 01 1970 01:00:00 GMT+0100. A
previous attempt tried to show N/A instead, but the date is parsed for
some other purpose and this caused an error, so I have modified it to
return a legitimate Date object.
- - - - -
60e9051d by Endi S. Dewata at 2021-12-13T08:49:42+07:00
Fix NSSExtensionGenerator.createSANExtension()

Previously the NSSExtensionGenerator.createSANExtension() would
add a SAN extension to all certs or requests created with it.

The code has been modified to add a SAN extension only if the
subjectAltName param is specified. The param currently supports
two options:

- DNS:request_subject_cn which will copy the DNS name from the
  CN attribute of the request's subject name
- DNS:request_san_ext which will copy the DNS names from the
  request's SAN extension

The sslserver.conf has been modified to use the new param.

- - - - -
edc01f75 by Endi S. Dewata at 2021-12-13T08:49:42+07:00
Add NSSExtensionGenerator.createGenericExtensions()

The NSSExtensionGenerator.createGenericExtensions() has been
added to support user-provided generic extensions such as
Microsoft's SubCA extension.

A new subca_signing.conf has been added as an example.

- - - - -
6c596575 by Endi S. Dewata at 2021-12-13T08:49:42+07:00
Add test for PKI NSS CLI with extensions

A new test has been added to verify that the PKI NSS CLI will
add the cert and request extensions properly according to:

- ca_signing.conf
- subca_signing.conf
- sslserver.conf

- - - - -
da1a8724 by Endi S. Dewata at 2021-12-13T08:51:43+07:00
Update HSM test for PKI NSS CLI

The HSM test for PKI NSS CLI has been updated to issue
an SSL server cert using the CA signing cert in HSM,
then import the cert into HSM as well.

- - - - -
7bb491a9 by Chris Kelley at 2021-12-13T14:52:55+00:00
Remove unused keyId variable
- - - - -
3819c6af by Chris Kelley at 2021-12-13T14:53:08+00:00
Remove unnecessary else clause from KRAService
- - - - -
e98313f8 by Endi S. Dewata at 2021-12-14T02:05:16+07:00
Update log messages in keygen.py

- - - - -
cdf00a3b by Endi S. Dewata at 2021-12-14T09:48:47+07:00
Move CSR/cert extension tests into scripts

- - - - -
ddcd2597 by Endi S. Dewata at 2021-12-14T12:10:00+07:00
Remove hardcoded serials from standalone KRA/OCSP tests

- - - - -
6cbbc45a by Endi S. Dewata at 2021-12-15T19:03:14+07:00
Clean up test for installing KRA on separate instance

- - - - -
9d5876bc by Endi S. Dewata at 2021-12-15T19:03:14+07:00
Add test for installing OCSP on separate instance

- - - - -
91cf9541 by Endi S. Dewata at 2021-12-15T19:03:14+07:00
Add test for installing TKS on separate instance

- - - - -
3237afe7 by Endi S. Dewata at 2021-12-15T19:03:14+07:00
Add test for installing TPS on separate instance

- - - - -
91849932 by Endi S. Dewata at 2021-12-16T01:05:59+07:00
Clean up tests for installing KRA/OCSP with external certs

- - - - -
865ae232 by Endi S. Dewata at 2021-12-16T01:05:59+07:00
Add test for installing TKS with external certs

- - - - -
cea6622f by Endi S. Dewata at 2021-12-16T01:05:59+07:00
Add test for installing TPS with external certs

- - - - -
4af657cb by Christina Fu at 2021-12-16T10:29:29-08:00
Bug2033100-Invalid-subCA-certs-pkispawn-single

This patch takes care of the issue reported in the following bug
Bug 2033100 - Invalid certificates with creation of subCA (pkispawn single step)
where the subject DN of a certificate could be unintentionally recoded.

In addition, I found the CA enrollment profile caInstallCACert.cfg to have
only a 2-year validity; also, the signingAlgsAllowed list is outdated.
This is also addressed.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2033100

- - - - -
9f067178 by Endi S. Dewata at 2021-12-20T10:48:50+07:00
Update test for external CA installation

The test for CA installation with external signing cert has
been updated to add a Microsoft Subordinate CA extension in
the CSR and in the issued cert.

The pkispawn default configuration file has been modified to
no longer include the extension since it's already provided
as an example in the subca_signing.conf.

- - - - -
fd11c334 by Endi S. Dewata at 2022-01-04T09:48:19+07:00
Clean up tests

- - - - -
c8b80343 by Endi S. Dewata at 2022-01-04T09:50:27+07:00
Update tests to display subsystem certs

- - - - -
f0ae6acb by Endi S. Dewata at 2022-01-04T09:50:29+07:00
Update log messages in PKIDeployer.setup_cert()

- - - - -
868169d9 by Endi S. Dewata at 2022-01-04T12:04:08+07:00
Consolidate system cert trust flag setup

The code that sets up the trust flags for all system certs
has been moved into PKIDeployer.setup_system_certs().

- - - - -
344edb3c by Endi S. Dewata at 2022-01-04T13:35:08+07:00
Update log messages in tpsclient

- - - - -
72ca49e5 by Endi S. Dewata at 2022-01-04T13:35:10+07:00
Remove unused RA::Initialize()

- - - - -
a126ca3e by Endi S. Dewata at 2022-01-04T13:35:10+07:00
Remove unused RA::Shutdown()

- - - - -
a37924ab by Endi S. Dewata at 2022-01-04T14:11:24+07:00
Remove unused code in CLI wrappers

- - - - -
ed2fd35f by Endi S. Dewata at 2022-01-04T14:21:24+07:00
Remove redundant %jaxrs_api_jar macro

The %jaxrs_api_jar macro is no longer needed since the location
of JAXRS_API_JAR can be found using CMake.

- - - - -
71a8fb6f by Endi S. Dewata at 2022-01-04T14:21:54+07:00
Remove redundant RESTEASY_LIB

The RESTEASY_LIB variable is no longer needed since the location
of RESTEasy can be found using CMake.

- - - - -
d85f70f1 by Endi S. Dewata at 2022-01-04T14:24:59+07:00
Remove redundant PKI_JAVA_PATH

The PKI_JAVA_PATH variable is no longer needed since the location
of the java command can be found using the JAVA_HOME variable.

- - - - -
dee65455 by Endi S. Dewata at 2022-01-04T20:52:39+07:00
Remove unused RA::InitializeInChild()

- - - - -
19630920 by Endi S. Dewata at 2022-01-04T20:52:40+07:00
Remove unused RA::Child_Shutdown()

- - - - -
607da1a2 by Endi S. Dewata at 2022-01-05T02:09:21+07:00
Remove unused RA Processors

- - - - -
3e2841a4 by Endi S. Dewata at 2022-01-05T02:09:24+07:00
Remove unused RA::InitializePublishers()

- - - - -
1e465290 by Endi S. Dewata at 2022-01-05T02:09:26+07:00
Remove unused RA::CleanupPublishers()

- - - - -
b021b3a7 by Endi S. Dewata at 2022-01-05T14:44:36+07:00
Remove unused RA::getPublisherById()

- - - - -
354e1bfd by Endi S. Dewata at 2022-01-05T14:44:38+07:00
Remove unused PublisherEntry

- - - - -
5b7aa51d by Endi S. Dewata at 2022-01-05T14:44:39+07:00
Remove unused NetkeyPublisher

- - - - -
c20630de by Endi S. Dewata at 2022-01-05T14:44:41+07:00
Remove unused IPublisher

- - - - -
e3870923 by Endi S. Dewata at 2022-01-05T19:11:54+07:00
Remove unused LDAP_Authentication

- - - - -
6007a7da by Endi S. Dewata at 2022-01-05T20:50:17+07:00
Remove unused RA::InitializeAuthentication()

- - - - -
b44b453c by Endi S. Dewata at 2022-01-05T21:05:30+07:00
Remove unused RA auth methods and fields

- - - - -
0fa83c59 by Endi S. Dewata at 2022-01-05T22:24:40+07:00
Remove unused AuthenticationEntry

- - - - -
5843668f by Endi S. Dewata at 2022-01-05T22:27:47+07:00
Remove unused Authentication

- - - - -
539f7ce7 by Endi S. Dewata at 2022-01-05T23:13:16+07:00
Remove unused RA::verifySystemCerts()

- - - - -
b0d01d81 by Endi S. Dewata at 2022-01-05T23:13:16+07:00
Remove unused RA::verifySystemCertByNickname()

- - - - -
b761027b by Endi S. Dewata at 2022-01-05T23:51:21+07:00
Remove unused RA::getCertificateUsage()

- - - - -
c754cdc2 by Endi S. Dewata at 2022-01-06T07:29:19+07:00
Remove unused RA::InitializeTokendb()

- - - - -
18d7c306 by Endi S. Dewata at 2022-01-06T07:36:33+07:00
Remove unused RA::tdb_add_token_entry()

- - - - -
4d273ac7 by Endi S. Dewata at 2022-01-06T07:36:33+07:00
Remove unused RA::ra_get_token_status()

- - - - -
900bd55d by Endi S. Dewata at 2022-01-06T07:43:02+07:00
Remove unused RA::ra_tus_has_active_tokens()

- - - - -
4cf06473 by Endi S. Dewata at 2022-01-06T07:47:06+07:00
Remove unused RA::ra_is_token_present()

- - - - -
2c177b9b by Endi S. Dewata at 2022-01-06T07:47:54+07:00
Remove unused RA::ra_is_tus_db_entry_disabled()

- - - - -
5cc30270 by Endi S. Dewata at 2022-01-06T07:49:59+07:00
Remove unused RA::ra_is_token_pin_resetable()

- - - - -
3e9538c1 by Endi S. Dewata at 2022-01-06T07:51:09+07:00
Remove unused RA::ra_is_update_pin_resetable_policy()

- - - - -
6311cb1f by Endi S. Dewata at 2022-01-06T07:52:21+07:00
Remove unused RA::ra_update_token_policy()

- - - - -
0ad26864 by Endi S. Dewata at 2022-01-06T07:53:42+07:00
Remove unused RA::ra_get_token_policy()

- - - - -
88e57119 by Chris Kelley at 2022-01-06T14:20:33+00:00
Force Date(null) for unmodified token timestamps

* Passing the argument directly into the constructor results in Invalid
Date, so for whatever reason it can't be parsed. Get around this by
using Date(null) explicitly, which definitely gives a valid Date.
- - - - -
f76a80f8 by Chris Kelley at 2022-01-10T17:36:39+00:00
Remove MD2, MD5 and SHA-1 options from console UI menus.

* These are deprecated so don't allow users to make new use of them
- - - - -
3b1a9e02 by Chris Kelley at 2022-01-10T17:38:13+00:00
Tidy up ProfileApproveServlet

* Remove unused method parameter
* Reorder modifiers to match JLS, use final where appropriate
* Use OP_APPROVE constant
* Simplify logic in auditProfileID()
* Simplify logic in auditProfileOp()
- - - - -
2ce14ff2 by Endi S. Dewata at 2022-01-10T12:36:40-06:00
Remove unused RA::transition_allowed()

- - - - -
88824646 by Endi S. Dewata at 2022-01-10T12:36:40-06:00
Remove unused RA::get_token_state()

- - - - -
caa9078e by Endi S. Dewata at 2022-01-10T12:36:40-06:00
Remove unused RA token methods

- - - - -
d21fea96 by Endi S. Dewata at 2022-01-10T12:36:53-06:00
Remove unused RA::tdb_update()

- - - - -
253fa339 by Endi S. Dewata at 2022-01-10T12:36:53-06:00
Remove unused RA::tdb_update_certificates()

- - - - -
ddd66694 by Endi S. Dewata at 2022-01-10T12:36:53-06:00
Remove unused RA::tdb_activity()

- - - - -
af183214 by Endi S. Dewata at 2022-01-10T13:23:38-06:00
Remove unused RA::setup_audit_log()

- - - - -
9d2a5e41 by Endi S. Dewata at 2022-01-10T13:25:02-06:00
Remove unused RA::enable_audit_logging()

- - - - -
1888f0b6 by Endi S. Dewata at 2022-01-10T13:28:38-06:00
Remove unused RA::InitializeSignedAudit()

- - - - -
3f3263dc by Endi S. Dewata at 2022-01-10T13:29:23-06:00
Remove unused RA::InitializeHttpConnections()

- - - - -
1fa9a443 by Endi S. Dewata at 2022-01-10T13:32:43-06:00
Remove unused RA::IsTpsConfigured()

- - - - -
5ab015e5 by Endi S. Dewata at 2022-01-10T13:33:26-06:00
Remove unused RA::IsTokendbInitialized()

- - - - -
0e8ba8a3 by Endi S. Dewata at 2022-01-10T17:46:20-06:00
Remove unused ECC profiles

The EC<name>.profiles have been removed since they have been
replaced by ecc<name>.profiles. The CI already has an ECC test
which verifies that the CA still works without these files.

See also the following links:

- https://github.com/dogtagpki/pki/wiki/PKI-10.5-pkispawn-ECC-Profile-Workaround
- https://github.com/dogtagpki/pki/issues/3077
- https://github.com/dogtagpki/pki/commit/9a8e54ab9a8f1192c240639c42f8a744160a8ef8

- - - - -
49b1632b by Endi S. Dewata at 2022-01-10T17:54:10-06:00
Clean up system cert profiles

- - - - -
7d3f49fb by Endi S. Dewata at 2022-01-10T18:02:48-06:00
Add doc for system profile changes

- - - - -
b74517cb by Endi S. Dewata at 2022-01-10T19:07:35-06:00
Update ds-container-create.sh to publish LDAP ports

- - - - -
4defa87e by Endi S. Dewata at 2022-01-10T20:40:15-06:00
Clean up CA test with ECC keys

- - - - -
d619511c by Endi S. Dewata at 2022-01-10T20:40:15-06:00
Update CA tests to check system certs

- - - - -
5b436610 by Endi S. Dewata at 2022-01-11T11:36:22-06:00
Remove unused RA::GetLogFile()

- - - - -
8e22bf77 by Endi S. Dewata at 2022-01-11T11:36:27-06:00
Remove unused m_selftest_log

- - - - -
2026b3f8 by Endi S. Dewata at 2022-01-11T11:36:32-06:00
Remove unused RollingLogFile

- - - - -
d99bdb51 by Endi S. Dewata at 2022-01-11T14:10:28-06:00
Remove unused RA::ra_update_token_status_reason_userid()

- - - - -
34c6c73c by Endi S. Dewata at 2022-01-11T14:12:43-06:00
Remove unused RA::ra_update_cert_status()

- - - - -
ae98ccf9 by Endi S. Dewata at 2022-01-11T14:14:48-06:00
Remove unused RA::ra_force_token_format()

- - - - -
1584b163 by Endi S. Dewata at 2022-01-11T18:24:47-06:00
Remove unused RA::ra_allow_token_renew()

- - - - -
97f66775 by Endi S. Dewata at 2022-01-11T18:25:52-06:00
Remove unused RA::ra_allow_token_reenroll()

- - - - -
0958e35f by Endi S. Dewata at 2022-01-13T10:55:25-06:00
Clean up log messages in CAValidityConstraint.validate()

- - - - -
8e613a75 by Endi S. Dewata at 2022-01-13T12:02:15-06:00
Remove unused RA::RunFlushThread()

- - - - -
263e37b9 by Endi S. Dewata at 2022-01-13T12:03:52-06:00
Remove unused RA::getLastSignature()

- - - - -
13cc3711 by Endi S. Dewata at 2022-01-13T12:05:01-06:00
Remove unused RA::IsValidEvent()

- - - - -
69980f27 by Endi S. Dewata at 2022-01-13T12:10:49-06:00
Remove unused RA::Audit()

- - - - -
6d08ab4f by Endi S. Dewata at 2022-01-13T12:14:34-06:00
Remove unused RA::AuditThis()

- - - - -
f93c9669 by Endi S. Dewata at 2022-01-13T12:54:17-06:00
Remove unused RA::SetBufferSize()

- - - - -
a6650cca by Endi S. Dewata at 2022-01-13T12:55:01-06:00
Remove unused RA::SetFlushInterval()

- - - - -
f5c8d95b by Endi S. Dewata at 2022-01-13T12:55:48-06:00
Remove unused RA::FlushAuditLogBuffer()

- - - - -
f1be6ac2 by Endi S. Dewata at 2022-01-13T12:57:07-06:00
Remove unused RA::SignAuditLog()

- - - - -
afdebdb3 by Endi S. Dewata at 2022-01-13T12:57:50-06:00
Remove unused RA::GetAuditSigningMessage()

- - - - -
85bbd616 by Endi S. Dewata at 2022-01-13T12:58:49-06:00
Remove unused RA::IsAuditEventSelected()

- - - - -
86e4c1b7 by Endi S. Dewata at 2022-01-13T13:37:52-06:00
Remove unused RA audit methods

- - - - -
a4f42e4f by Endi S. Dewata at 2022-01-13T13:38:00-06:00
Remove unused RA audit fields

- - - - -
c259e07d by Endi S. Dewata at 2022-01-13T13:42:12-06:00
Remove unused audit.h

- - - - -
697e54f5 by Endi S. Dewata at 2022-01-13T14:30:40-06:00
Remove unused RA::testTokendb()

- - - - -
a4b4d20f by Endi S. Dewata at 2022-01-13T14:32:03-06:00
Remove unused RA::ra_find_tus_certificate_entries_by_order_no_vlv()

- - - - -
861b31d4 by Endi S. Dewata at 2022-01-13T14:33:13-06:00
Remove unused RA::ra_find_tus_certificate_entries_by_order()

- - - - -
820783eb by Endi S. Dewata at 2022-01-13T14:34:26-06:00
Remove unused RA::ra_find_tus_token_entries_no_vlv()

- - - - -
a564d78f by Endi S. Dewata at 2022-01-13T14:36:15-06:00
Remove unused RA::ra_find_tus_token_entries()

- - - - -
7f8ddf4b by Endi S. Dewata at 2022-01-13T14:37:38-06:00
Remove unused RA::ra_get_token_reason()

- - - - -
b7a53829 by Endi S. Dewata at 2022-01-13T14:38:46-06:00
Remove unused RA::ra_get_token_userid()

- - - - -
1d1fdcbc by Endi S. Dewata at 2022-01-13T17:14:38-06:00
Remove unused RA::ra_get_cert_cn()

- - - - -
5b574e8a by Endi S. Dewata at 2022-01-13T17:15:33-06:00
Remove unused RA::ra_get_cert_status()

- - - - -
12ca3337 by Endi S. Dewata at 2022-01-13T17:16:39-06:00
Remove unused RA::ra_get_cert_type()

- - - - -
f4d277c8 by Endi S. Dewata at 2022-01-13T17:17:32-06:00
Remove unused RA::ra_get_cert_serial()

- - - - -
c248ea3a by Endi S. Dewata at 2022-01-13T17:18:24-06:00
Remove unused RA::ra_get_cert_issuer()

- - - - -
3c73ea6f by Endi S. Dewata at 2022-01-13T17:19:34-06:00
Remove unused RA::ra_delete_certificate_entry()

- - - - -
2b233662 by Endi S. Dewata at 2022-01-13T17:21:20-06:00
Remove unused RA::ra_get_certificates()

- - - - -
fbb47419 by Endi S. Dewata at 2022-01-13T19:53:20-06:00
Remove unused RA::ra_get_number_of_entries()

- - - - -
b81b8fce by Endi S. Dewata at 2022-01-13T19:56:13-06:00
Remove unused RA::SetGlobalSecurityLevel()

- - - - -
2d951e45 by Endi S. Dewata at 2022-01-13T19:57:19-06:00
Remove unused RA::GetGlobalSecurityLevel()

- - - - -
31267459 by Endi S. Dewata at 2022-01-13T20:03:12-06:00
Remove unused tus_authenticate()

- - - - -
c2ce9c89 by Endi S. Dewata at 2022-01-13T20:04:08-06:00
Remove unused tus_authorize()

- - - - -
d471dcd2 by Endi S. Dewata at 2022-01-13T20:05:02-06:00
Remove unused update_token_status_reason()

- - - - -
b8fca9a8 by Endi S. Dewata at 2022-01-13T20:49:49-06:00
Remove unused add_user_db_entry()

- - - - -
9ecac842 by Endi S. Dewata at 2022-01-13T20:51:12-06:00
Remove unused update_user_db_entry()

- - - - -
e6105091 by Endi S. Dewata at 2022-01-13T20:51:59-06:00
Remove unused add_user_to_role_db_entry()

- - - - -
fa337978 by Endi S. Dewata at 2022-01-13T20:52:50-06:00
Remove unused add_profile_to_user()

- - - - -
15e642b2 by Endi S. Dewata at 2022-01-13T20:55:13-06:00
Remove unused check_and_modify_tus_db_entry()

- - - - -
3ff9c296 by Endi S. Dewata at 2022-01-13T20:55:42-06:00
Remove unused modify_tus_db_entry()

- - - - -
a2b3fa96 by Endi S. Dewata at 2022-01-13T20:56:40-06:00
Remove unused update_tus_db_entry_with_mods()

- - - - -
537540f5 by Endi S. Dewata at 2022-01-13T20:57:37-06:00
Remove unused update_tus_db_entry()

- - - - -
afa2a537 by Endi S. Dewata at 2022-01-14T08:19:06-06:00
Remove unused get_authorized_profiles()

- - - - -
d51f8543 by Endi S. Dewata at 2022-01-14T08:19:57-06:00
Remove unused find_tus_user_role_entries()

- - - - -
4b04661f by Endi S. Dewata at 2022-01-14T08:19:58-06:00
Remove unused find_tus_user_entries_no_vlv()

- - - - -
c4efcfaf by Endi S. Dewata at 2022-01-14T08:19:58-06:00
Remove unused find_tus_certificate_entries()

- - - - -
93d91359 by Endi S. Dewata at 2022-01-14T08:20:59-06:00
Remove unused find_tus_activity_entries_no_vlv()

- - - - -
7d251c6c by Endi S. Dewata at 2022-01-14T08:21:45-06:00
Remove unused find_tus_activity_entries_pcontrol_1()

- - - - -
4a84643f by Endi S. Dewata at 2022-01-14T08:22:30-06:00
Remove unused find_tus_activity_entries()

- - - - -
12956583 by Endi S. Dewata at 2022-01-14T08:23:21-06:00
Remove unused find_tus_db_entries_pcontrol_1()

- - - - -
8b9e1a23 by Endi S. Dewata at 2022-01-14T08:23:58-06:00
Remove unused find_tus_db_entries()

- - - - -
05044924 by Endi S. Dewata at 2022-01-14T09:15:16-06:00
Remove unused base/tps-client/tools/tus

- - - - -
a43fb2df by Endi S. Dewata at 2022-01-14T09:15:16-06:00
Remove unused allow_token_enroll_policy()

- - - - -
e81027fd by Endi S. Dewata at 2022-01-14T09:15:16-06:00
Remove unused find_tus_db_entry()

- - - - -
1ab01402 by Endi S. Dewata at 2022-01-14T09:16:22-06:00
Remove unused add_default_tus_db_entry()

- - - - -
45e1a793 by Endi S. Dewata at 2022-01-14T09:17:34-06:00
Remove unused add_tus_db_entry()

- - - - -
8b70755e by Endi S. Dewata at 2022-01-14T09:18:16-06:00
Remove unused add_certificate()

- - - - -
596cdd0e by Endi S. Dewata at 2022-01-14T09:18:56-06:00
Remove unused add_activity()

- - - - -
70c076d9 by Endi S. Dewata at 2022-01-14T09:19:37-06:00
Remove unused add_tus_general_db_entry()

- - - - -
76cca37a by Endi S. Dewata at 2022-01-14T10:21:18-06:00
Remove unused create_modification_date_change()

- - - - -
2383e465 by Endi S. Dewata at 2022-01-14T10:22:08-06:00
Remove unused delete_all_profiles_from_user()

- - - - -
5892a9aa by Endi S. Dewata at 2022-01-14T10:22:55-06:00
Remove unused delete_profile_from_user()

- - - - -
777111d1 by Endi S. Dewata at 2022-01-14T10:23:34-06:00
Remove unused delete_user_from_role_db_entry()

- - - - -
b2b72c98 by Endi S. Dewata at 2022-01-14T10:24:56-06:00
Remove unused delete_user_db_entry()

- - - - -
2280f9a2 by Endi S. Dewata at 2022-01-14T10:25:35-06:00
Remove unused delete_tus_db_entry()

- - - - -
715c8b0e by Endi S. Dewata at 2022-01-14T10:26:17-06:00
Remove unused delete_tus_general_db_entry()

- - - - -
885a2c93 by Endi S. Dewata at 2022-01-14T10:27:21-06:00
Remove unused update_tus_general_db_entry()

- - - - -
eef5ba01 by Endi S. Dewata at 2022-01-14T11:34:30-06:00
Refactor Configurator.loadCert()

The code in Configurator.loadCert() has been moved into
CAConfigurator.loadCert() since only CA needs to import
existing system certs into the certificate repository.

- - - - -
7c2b97aa by Endi S. Dewata at 2022-01-14T11:40:32-06:00
Clean up PKIDeployer.setup_cert()

The PKIDeployer.setup_cert() has been modified to return
early for non-CA external/standalone installation since the
system certs are already provided so there is nothing more
to be done in this case.

- - - - -
487c4d0c by Endi S. Dewata at 2022-01-14T14:47:43-06:00
Add test for CA installation with CMC

- - - - -
afa6f72c by Endi S. Dewata at 2022-01-14T14:50:20-06:00
Refactor CAConfigurator.importCert()

The code in CAConfigurator.importCert() that checks whether the
cert to be imported is internal/external has been moved to the
caller.

- - - - -
6cefff4c by Endi S. Dewata at 2022-01-14T14:50:20-06:00
Add log messages in NSSDatabase.createRequest()

- - - - -
697dc5f2 by Endi S. Dewata at 2022-01-14T14:50:20-06:00
Remove references to IRegistrationAuthority in base/ca

- - - - -
1f6c71f7 by Endi S. Dewata at 2022-01-14T14:50:20-06:00
Remove references to IRegistrationAuthority in base/server

- - - - -
49e3600d by Endi S. Dewata at 2022-01-14T14:50:20-06:00
Remove unused IRegistrationAuthority

- - - - -
a8df75a5 by Endi S. Dewata at 2022-01-14T14:50:20-06:00
Remove unused IRAService

- - - - -
6f857f8c by Endi S. Dewata at 2022-01-14T18:24:52-06:00
Remove unused base/tps-client/src/test

- - - - -
60e9947d by Endi S. Dewata at 2022-01-14T18:25:34-06:00
Remove unused base/tps-client/src/include/service

- - - - -
9af6e649 by Endi S. Dewata at 2022-01-14T18:26:54-06:00
Remove unused base/tps-client/src/include/modules/tps

- - - - -
e1c7bcd3 by Endi S. Dewata at 2022-01-14T18:36:09-06:00
Remove unused RA::ra_get_attribute_values()

- - - - -
cf1d9152 by Endi S. Dewata at 2022-01-14T18:36:09-06:00
Remove unused get_number_of_*()

- - - - -
f703ea60 by Endi S. Dewata at 2022-01-14T18:45:36-06:00
Remove unused get_tus_db_config()

- - - - -
f493b486 by Endi S. Dewata at 2022-01-14T18:45:36-06:00
Remove unused set_tus_db_*()

- - - - -
15698d81 by Endi S. Dewata at 2022-01-14T18:48:06-06:00
Remove unused tus_check_conn()

- - - - -
c9382702 by Endi S. Dewata at 2022-01-14T18:48:06-06:00
Remove unused ldap_sort_entries()

- - - - -
40147470 by Endi S. Dewata at 2022-01-14T18:49:14-06:00
Remove unused base64_decode()

- - - - -
ce7edec9 by Endi S. Dewata at 2022-01-17T11:08:28-06:00
Remove unused tus_print_integer()

- - - - -
35247df5 by Endi S. Dewata at 2022-01-17T11:08:28-06:00
Remove unused tus_print_as_hex()

- - - - -
2d19c34f by Endi S. Dewata at 2022-01-17T11:30:23-06:00
Remove unused tus_db_init() and is_tus_db_initialized()

- - - - -
90528db8 by Endi S. Dewata at 2022-01-17T11:32:41-06:00
Remove unused tus_db_end() and tus_db_cleanup()

- - - - -
91800041 by Endi S. Dewata at 2022-01-17T11:39:22-06:00
Remove unused get_pwd_from_conf() and ReadLine()

- - - - -
1f05ff49 by Endi S. Dewata at 2022-01-17T11:41:31-06:00
Remove unused audit_log()

- - - - -
62a0877c by Endi S. Dewata at 2022-01-17T11:41:31-06:00
Remove unused et_cmp(), sort_cmp(), and reverse_sort_cmp()

- - - - -
784b965d by Endi S. Dewata at 2022-01-17T11:41:31-06:00
Remove unused allocate_values() and free_values()

- - - - -
9b3ce418 by Endi S. Dewata at 2022-01-17T11:41:31-06:00
Remove unused allocate_modifications() and free_modifications()

- - - - -
9b8fbdad by Endi S. Dewata at 2022-01-17T13:29:24-06:00
Remove unused token methods

- - - - -
9019a51b by Endi S. Dewata at 2022-01-17T13:30:59-06:00
Remove unused get_cert_attr_byname() and get_cert_attr_byname_int()

- - - - -
dce6c3ce by Endi S. Dewata at 2022-01-17T13:37:14-06:00
Remove unused LDAP methods

- - - - -
b62c2e9c by Endi S. Dewata at 2022-01-17T14:08:17-06:00
Remove unused valid_berval()

- - - - -
b2e53c69 by Endi S. Dewata at 2022-01-17T15:14:00-06:00
Remove unused token database

- - - - -
88b431b5 by Endi S. Dewata at 2022-01-17T16:51:29-06:00
Add PKIDeployer.create_cert_setup_request()

The code in PKIDeployer.setup_cert() that creates the request
object has been moved into create_cert_setup_request().

- - - - -
ff29e966 by Endi S. Dewata at 2022-01-17T17:57:21-06:00
Add SystemCertData.keyType

The SystemCertData.keyType has been added to pass the cert's
key type to the server.

- - - - -
c27d15f6 by Endi S. Dewata at 2022-01-17T17:57:28-06:00
Add SystemCertData.ecType

The SystemCertData.ecType has been added to pass the cert's
EC type to the server.

- - - - -
c78d594f by Endi S. Dewata at 2022-01-17T17:57:32-06:00
Add SystemCertData.keyAlgorithm

The SystemCertData.keyAlgorithm has been added to pass the
cert's key algorithm to the server.

- - - - -
84cb9380 by Endi S. Dewata at 2022-01-17T17:57:37-06:00
Refactor ConfigClient.set_ca_signing_cert_info()

The code in ConfigClient.set_ca_signing_cert_info() that
stores the extension params into SystemCertData has been
moved into PKIDeployer.create_cert_setup_request().

- - - - -
a0894e13 by Endi S. Dewata at 2022-01-17T17:57:37-06:00
Remove unused Configurator.getNickname()

- - - - -
ec9f41a9 by Endi S. Dewata at 2022-01-17T19:51:39-06:00
Add test for KRA installation with CMC

- - - - -
07ea2684 by Endi S. Dewata at 2022-01-17T19:51:55-06:00
Remove unused Configurator.deleteDir()

- - - - -
cf6b35a9 by Endi S. Dewata at 2022-01-17T19:51:55-06:00
Remove unused Configurator.getHostInfo()

- - - - -
8e242e39 by Endi S. Dewata at 2022-01-17T20:49:24-06:00
Remove unused CertEnroll

- - - - -
3526ae3e by Endi S. Dewata at 2022-01-17T21:00:00-06:00
Remove unused RA::GetCAConn() and RA::ReturnCAConn()

- - - - -
711b0d67 by Endi S. Dewata at 2022-01-17T21:00:00-06:00
Remove unused RA::GetPodIndex() and RA::SetPodIndex()

- - - - -
3fc97be6 by Endi S. Dewata at 2022-01-17T21:00:00-06:00
Remove unused RA::GetConfigLock()

- - - - -
b5e3d117 by Endi S. Dewata at 2022-01-17T21:00:00-06:00
Add SystemCertData.requestType

The SystemCertData.requestType has been added to pass the
cert's request type to the server.

- - - - -
0b5cf792 by Endi S. Dewata at 2022-01-18T13:24:32-06:00
Refactor SystemConfigService.setupAdmin() (part 1)

The SystemConfigService.setupAdmin() has been modified to
take a CertificateSetupRequest object.

- - - - -
88f1b737 by Endi S. Dewata at 2022-01-18T13:24:45-06:00
Refactor SystemConfigService.setupAdmin() (part 2)

The SystemConfigService.setupAdmin() has been modified to
return a SystemCertData object.

- - - - -
42f5a0c9 by Endi S. Dewata at 2022-01-18T13:24:55-06:00
Remove unused AdminSetupRequest and AdminSetupResponse

- - - - -
36d8406e by Endi S. Dewata at 2022-01-18T13:24:58-06:00
Remove unused CertificateSetupResponse

- - - - -
9c89ffd1 by Endi S. Dewata at 2022-01-18T13:42:51-06:00
Exclude .git folder from Eclipse project

- - - - -
e0a65081 by Endi S. Dewata at 2022-01-18T16:26:00-06:00
Refactor Configurator.createCertRequest()

The Configurator.createCertRequest() has been renamed and
changed to return a PKCS10 object.

- - - - -
df2ca173 by Endi S. Dewata at 2022-01-18T16:43:57-06:00
Refactor CryptoUtil.createX509CertInfo()

The CryptoUtil.createX509CertInfo() has been modified to take
an X500Name subject.

- - - - -
1eb25938 by Endi S. Dewata at 2022-01-18T17:39:03-06:00
Refactor Configurator.createLocalCert()

The Configurator.createLocalCert() has been modified to take
an X500Name issuer.

- - - - -
cf84de3a by Endi S. Dewata at 2022-01-19T10:10:14-06:00
Clean up log messages in Configurator

- - - - -
6a2442da by Endi S. Dewata at 2022-01-19T12:01:24-06:00
Refactor Configurator.createCert()

The Configurator.createCert() has been modified to take an
X509Key object, key algorithm, and an X500Name subject.

- - - - -
2a86d1ad by Endi S. Dewata at 2022-01-19T12:01:24-06:00
Refactor Configurator.setupCert()

The code in Configurator.setupCert() that creates a local or
self-signed cert in CA has been moved into CAConfigurator.

- - - - -
efe503d8 by Endi S. Dewata at 2022-01-19T12:10:16-06:00
Display cert request IDs in hex

- - - - -
2f2bb550 by Endi S. Dewata at 2022-01-19T12:10:16-06:00
Update CA tests to show the certs and cert requests

- - - - -
7e0937a3 by Endi S. Dewata at 2022-01-19T13:31:10-06:00
Add test for OCSP installation with CMC

- - - - -
33d89363 by Endi S. Dewata at 2022-01-19T14:07:27-06:00
Add CAConfigurator.createRequestID()

The code that creates the cert request ID has been moved
into CAConfigurator.createRequestID().

- - - - -
8c986b82 by Endi S. Dewata at 2022-01-19T14:07:31-06:00
Add CAConfigurator.createCertID()

The code that creates the cert ID has been moved into
CAConfigurator.createCertID()

- - - - -
92001b1d by Endi S. Dewata at 2022-01-19T14:07:31-06:00
Merge Repository.initCacheIfNeeded() into initCache()

- - - - -
c671227e by Endi S. Dewata at 2022-01-19T14:07:31-06:00
Remove --debug from pki-healthcheck invocations

- - - - -
7d7552ad by Endi S. Dewata at 2022-01-20T10:53:25-06:00
Add test for CA with random serial number v1

- - - - -
4055d33a by Endi S. Dewata at 2022-01-20T12:23:33-06:00
Update PyDev configuration

- - - - -
4783bd0f by Endi S. Dewata at 2022-01-20T14:46:45-06:00
Update server hostname in examples

- - - - -
80ba2ce5 by Endi S. Dewata at 2022-01-20T14:48:12-06:00
Display request IDs in hex

- - - - -
af6310e6 by Endi S. Dewata at 2022-01-20T14:58:58-06:00
Rename trust attributes to trust flags for consistency

- - - - -
d47b9d56 by Endi S. Dewata at 2022-01-20T18:57:24-06:00
Remove unused IHttpConnFactory

- - - - -
eae7b524 by Endi S. Dewata at 2022-01-20T18:57:35-06:00
Move IHttpConnection to pki-server

- - - - -
ec75480e by Endi S. Dewata at 2022-01-20T18:57:44-06:00
Move IKeyRepository to pki-server

- - - - -
a6a1226f by Endi S. Dewata at 2022-01-20T18:57:44-06:00
Move IKeyRecordList to pki-server

- - - - -
c7b82a47 by Endi S. Dewata at 2022-01-20T18:57:44-06:00
Move IKeyRecord to pki-server

- - - - -
9611e3fa by Endi S. Dewata at 2022-01-20T18:57:44-06:00
Move IRepository to pki-server

- - - - -
34a13562 by Endi S. Dewata at 2022-01-20T18:57:44-06:00
Move IRepositoryRecord to pki-server

- - - - -
923af2b2 by Endi S. Dewata at 2022-01-20T18:57:44-06:00
Move ICRLIssuingPointRecord to pki-server

- - - - -
f7f142b1 by Endi S. Dewata at 2022-01-20T18:57:44-06:00
Move IDBVirtualList to pki-server

- - - - -
4065e1a0 by Endi S. Dewata at 2022-01-20T18:57:44-06:00
Move IDBObj to pki-server

- - - - -
32069ea3 by Endi S. Dewata at 2022-01-20T18:57:44-06:00
Move IPolicy to pki-server

- - - - -
5e069b96 by Endi S. Dewata at 2022-01-20T18:57:44-06:00
Move INotify to pki-server

- - - - -
26325886 by Endi S. Dewata at 2022-01-20T18:57:44-06:00
Move IResender to pki-server

- - - - -
7fdf548b by Endi S. Dewata at 2022-01-21T10:26:05-06:00
Move Repository.mEnableRandomSerialNumbers

The Repository.mEnableRandomSerialNumbers has been moved into
CertificateRepository since it's only used by that class.

The getRangeLength(), getRandomLimit(), and getNumbersInRange()
methods have been added to encapsulate class-specific code.

- - - - -
c5192f98 by Endi S. Dewata at 2022-01-21T10:32:30-06:00
Move IHttpPKIMessage to pki-server

- - - - -
128f9e35 by Endi S. Dewata at 2022-01-21T10:32:30-06:00
Move IPKIMessage to pki-server

- - - - -
0fc4ab20 by Endi S. Dewata at 2022-01-21T10:32:30-06:00
Move IRequest to pki-server

- - - - -
ddc2ead4 by Endi S. Dewata at 2022-01-21T10:32:30-06:00
Move IConnectionFactory to pki-console

- - - - -
ba8a4409 by Endi S. Dewata at 2022-01-21T10:32:30-06:00
Move IConnection to pki-console

- - - - -
6024d5ac by Endi S. Dewata at 2022-01-21T10:32:30-06:00
Move IAuthenticator to pki-console

- - - - -
02f78907 by Endi S. Dewata at 2022-01-21T13:55:18-06:00
Add test for cert key archival

- - - - -
b6cf9e62 by Endi S. Dewata at 2022-01-21T14:40:04-06:00
Move ITransportKeyUnit to pki-server

- - - - -
d6ae1bde by Endi S. Dewata at 2022-01-21T14:40:49-06:00
Move IStorageKeyUnit to pki-server

- - - - -
0add1ee6 by Endi S. Dewata at 2022-01-21T14:41:22-06:00
Move IEncryptionUnit to pki-server

- - - - -
9913d027 by Endi S. Dewata at 2022-01-21T14:41:55-06:00
Move IToken to pki-server

- - - - -
01c078d5 by Endi S. Dewata at 2022-01-21T14:42:27-06:00
Move ICryptoSubsystem to pki-server

- - - - -
ccdbf7a0 by Endi S. Dewata at 2022-01-21T16:39:59-06:00
Move CertRequestRepository.initRequest() to CAConfigurator

- - - - -
67ac0731 by Endi S. Dewata at 2022-01-21T16:39:59-06:00
Move CertRequestRepository.updateRequest() to CAConfigurator

- - - - -
39eb4d4a by Endi S. Dewata at 2022-01-21T16:39:59-06:00
Refactor ISubsystem.init()

The ISubsystem.init() has been modified to throw generic
exceptions.

- - - - -
7b9e5eaa by Endi S. Dewata at 2022-01-21T16:39:59-06:00
Add Repository.init()

The Repository.init() has been added to encapsulate repository
initialization.

- - - - -
ddef528d by Endi S. Dewata at 2022-01-25T13:49:57-06:00
Remove unused RA::match_comma_list()

- - - - -
d0a39f7b by Endi S. Dewata at 2022-01-25T13:50:59-06:00
Remove unused RA::remove_from_comma_list()

- - - - -
5cdcc4fe by Endi S. Dewata at 2022-01-25T13:51:42-06:00
Remove unused RA::do_free()

- - - - -
57a90c18 by Endi S. Dewata at 2022-01-25T14:15:57-06:00
Remove unused RA::ComputeSessionKey()

- - - - -
22f733f4 by Endi S. Dewata at 2022-01-25T14:19:37-06:00
Remove unused RA::CreateDesKey24Byte()

- - - - -
87ea66a7 by Endi S. Dewata at 2022-01-25T14:21:45-06:00
Remove unused RA::ComputeHostCryptogram()

- - - - -
2cd44e54 by Endi S. Dewata at 2022-01-25T14:23:12-06:00
Remove unused RA::RecoverKey()

- - - - -
b5d67ccb by Endi S. Dewata at 2022-01-25T14:27:12-06:00
Remove unused RA::FindSymKeyByName()

- - - - -
6fda6975 by Endi S. Dewata at 2022-01-25T14:28:43-06:00
Remove unused RA::ServerSideKeyGen()

- - - - -
5558c5ba by Endi S. Dewata at 2022-01-25T15:59:31-06:00
Remove unused RA::Failover()

- - - - -
c24c8e75 by Endi S. Dewata at 2022-01-25T16:00:09-06:00
Remove unused RA DRM connection objects

- - - - -
38e90e36 by Endi S. Dewata at 2022-01-25T16:00:11-06:00
Remove unused RA TKS connection objects

- - - - -
21d34750 by Endi S. Dewata at 2022-01-25T16:00:29-06:00
Remove unused RA CA connection objects

- - - - -
6d510bee by Endi S. Dewata at 2022-01-25T16:00:30-06:00
Remove unused RA::GetCurrentIndex() and SetCurrentIndex()

- - - - -
8a033609 by Endi S. Dewata at 2022-01-25T16:08:21-06:00
Remove unused RA httpSend()

- - - - -
772abcec by Endi S. Dewata at 2022-01-25T16:08:24-06:00
Remove unused RA HttpConnection

- - - - -
2a580085 by Endi S. Dewata at 2022-01-26T09:50:57-06:00
Add test for CA with file-based CRL publishing

- - - - -
0d995e43 by Endi S. Dewata at 2022-01-26T12:49:14-06:00
Remove unused RA ConnectionInfo

- - - - -
7e0649bd by Endi S. Dewata at 2022-01-26T13:06:55-06:00
Remove unused RA Secure_Channel

- - - - -
7bad3af0 by Endi S. Dewata at 2022-01-26T13:06:58-06:00
Remove unused RA Channel

- - - - -
6730d890 by Endi S. Dewata at 2022-01-26T13:06:58-06:00
Remove unused RA::isAlgorithmECC()

- - - - -
b8cca887 by Endi S. Dewata at 2022-01-26T13:15:19-06:00
Remove unused RA::GetConfigStore()

- - - - -
c7a8d710 by Endi S. Dewata at 2022-01-26T13:15:19-06:00
Remove unused RA ConfigStore

- - - - -
24e7440a by Endi S. Dewata at 2022-01-26T13:15:19-06:00
Remove unused RA PKCS11Obj

- - - - -
09fe5f07 by Endi S. Dewata at 2022-01-26T13:15:19-06:00
Remove unused RA IConnector and IPublish_Data

- - - - -
f0ef4c42 by Endi S. Dewata at 2022-01-26T14:15:50-06:00
Remove unused RA ObjectSpec

- - - - -
b4e61bef by Endi S. Dewata at 2022-01-26T14:18:57-06:00
Remove unused RA AttributeSpec

- - - - -
3aeb3b22 by Endi S. Dewata at 2022-01-26T14:19:10-06:00
Remove unused RA Login

- - - - -
554d45f0 by Endi S. Dewata at 2022-01-26T14:20:51-06:00
Remove unused RA SecureId

- - - - -
e0a86dc2 by Endi S. Dewata at 2022-01-26T14:22:26-06:00
Remove unused RA_Session

- - - - -
b336a255 by Endi S. Dewata at 2022-01-26T14:23:54-06:00
Remove unused RA_pblock

- - - - -
a5187e12 by Endi S. Dewata at 2022-01-26T14:29:20-06:00
Remove unused PSHttpServer::putFile()

- - - - -
4dea5401 by Endi S. Dewata at 2022-01-26T14:33:37-06:00
Remove unused HttpEngine::makeRequest()

- - - - -
6064e633 by Endi S. Dewata at 2022-01-26T14:46:51-06:00
Remove unused PSHttpResponse

- - - - -
66ca520f by Endi S. Dewata at 2022-01-26T14:55:45-06:00
Remove unused PSHttpRequest

- - - - -
fdb366b1 by Endi S. Dewata at 2022-01-26T14:56:08-06:00
Remove unused HttpEngine

- - - - -
f6b2dac5 by Endi S. Dewata at 2022-01-26T15:01:57-06:00
Remove unused PSHttpServer

- - - - -
f59f65c0 by Endi S. Dewata at 2022-01-26T16:06:15-06:00
Remove unused RA httpClient

- - - - -
93032b9a by Endi S. Dewata at 2022-01-26T16:09:12-06:00
Remove unused RA::GetVerifyLock()

- - - - -
c61c7ab6 by Endi S. Dewata at 2022-01-26T16:13:07-06:00
Remove unused RA::Error()

- - - - -
875c6aa1 by Endi S. Dewata at 2022-01-26T16:19:52-06:00
Remove unused RA::Debug()

- - - - -
9355673f by Endi S. Dewata at 2022-01-27T08:22:44-06:00
Remove unused RA LogFile

- - - - -
011454a9 by Endi S. Dewata at 2022-01-27T08:22:46-06:00
Remove unused RA_Context

- - - - -
d497bd20 by Endi S. Dewata at 2022-01-27T08:22:47-06:00
Remove unused RA class

- - - - -
f1f42da8 by Endi S. Dewata at 2022-01-27T10:19:25-06:00
Remove unused base/tps-client/scripts

- - - - -
c10b2560 by Endi S. Dewata at 2022-01-27T10:19:47-06:00
Remove unused base/tps-client/wrappers

- - - - -
b208265b by Endi S. Dewata at 2022-01-28T12:50:47-06:00
Fix pki-healthcheck for clones

Previously the ClonesConnectivyAndDataCheck.check_kra_clones()
was trying to check KRA clone status by retrieving a key using
the subsystem cert. This operation did not work since the user
associated with the cert did not have access to the keys. The
code has been changed to get the status from GetStatus service
instead. The original code might be moved into IPA later so it
could run with IPA's RA agent credentials which would allow
access to the keys.

Previously the ClonesPlugin.contact_subsystem_using_sslget()
used sslget to call GetStatus service and returned the entire
output which was then incorrectly processed in XML format. The
method has been renamed to get_status() and changed to use
PKIConnection and process the response in either JSON or XML
format, then only return the subsystem status. All callers
have been updated accordingly.

The ClonesPlugin.contact_subsystem_using_pki() is no longer
used so it has been removed.

- - - - -
3b2850f0 by Endi S. Dewata at 2022-01-28T12:50:47-06:00
Update tests for pki-healthcheck

The clone tests have been modified to run pki-healthcheck.
All pki-healthcheck invocations have been modified to show
only the failures.

- - - - -
3cc4a73b by Endi S. Dewata at 2022-01-28T13:22:22-06:00
Clean up SecurityDomain.deregister()

The SecurityDomain.deregister() has been modified to use the
same name that was used for joining the security domain. The
list, ncsport, adminsport, agentsport params are not used so
they have been removed.

- - - - -
dfccd846 by Endi S. Dewata at 2022-01-28T15:15:13-06:00
Fix PyDev warnings

- - - - -
b9637e59 by Endi S. Dewata at 2022-02-01T09:16:33-06:00
Replace deprecated distutils.sysconfig.get_python_lib()

The distutils.sysconfig.get_python_lib() has been deprecated
so it has been replaced with sysconfig.get_path('purelib').

https://bugs.python.org/issue41282
https://www.python.org/dev/peps/pep-0632/

- - - - -
2c07f96c by Endi S. Dewata at 2022-02-01T09:29:25-06:00
Update log messages in KRAConnector.deregister()

- - - - -
45f19e8e by Endi S. Dewata at 2022-02-01T09:29:25-06:00
Update log messages in SecurityDomain.deregister()

- - - - -
c3d09f2b by Endi S. Dewata at 2022-02-02T11:34:38-06:00
Update log messages in KRAConnectorProcessor

- - - - -
aa6d6cd9 by Endi S. Dewata at 2022-02-02T11:34:39-06:00
Update log messages in SubsystemGroupUpdater

- - - - -
9e67d5c4 by Endi S. Dewata at 2022-02-02T11:38:27-06:00
Clean up variable names in PKIDeployer.finalize_subsystem()

- - - - -
22636322 by Endi S. Dewata at 2022-02-02T16:12:57-06:00
Fix typo in ClonesPlugin.get_status()

- - - - -
33cd066c by Endi S. Dewata at 2022-02-02T18:29:33-06:00
Update log messages in PKIDeployer.finalize_subsystem()

- - - - -
1b4b3aa6 by Endi S. Dewata at 2022-02-03T09:16:34-06:00
Add CAConfigurator.initSubsystem()

The code that initializes the CA subsystem after creating
or importing the signing certificate has been moved to
CAConfigurator.initSubsystem().

- - - - -
b26541c7 by Endi S. Dewata at 2022-02-03T12:25:07-06:00
Clean up tools tests

- - - - -
d99d9796 by Endi S. Dewata at 2022-02-03T12:51:26-06:00
Add tests for trust flags using pki nss-cert-show

- - - - -
221e92e1 by Endi S. Dewata at 2022-02-03T13:31:22-06:00
Remove unused scripts

- - - - -
082f113b by Endi S. Dewata at 2022-02-03T13:43:51-06:00
Update COMPONENT in Dockerfiles

- - - - -
08d7b220 by Endi S. Dewata at 2022-02-03T16:22:39-06:00
Log request IDs in hex

- - - - -
00f0ff75 by Endi S. Dewata at 2022-02-04T08:40:01-06:00
Add Dockerfile for IPA runner

The IPA tests have been modified to use a new Dockerfile which
will include IPA packages in the image so the tests do not need
to install the packages.

- - - - -
65c82c1e by Endi S. Dewata at 2022-02-04T08:40:56-06:00
Convert tpsclient man page into Markdown

- - - - -
81ee66ac by Endi S. Dewata at 2022-02-07T10:04:40-06:00
Add SystemCertData.requestID

The SystemCertData.requestID has been added to store the cert's
request ID.

- - - - -
5db8b2e0 by Endi S. Dewata at 2022-02-07T10:44:44-06:00
Refactor CAConfigurator.importCert()

The CAConfigurator.importCert() has been modified to take a
request ID instead of creating a new one.

- - - - -
e2cf18ea by Endi S. Dewata at 2022-02-07T10:44:49-06:00
Refactor Configurator.loadCert()

The Configurator.loadCert() has been modified to take a
SystemCertData object which will store the request ID created
by the method.

- - - - -
bc9ca004 by Endi S. Dewata at 2022-02-07T10:44:49-06:00
Refactor SystemConfigService.loadCert()

The SystemConfigService.loadCert() has been modified to return
a SystemCertData object which might contain the request ID.

- - - - -
befa8cb0 by Endi S. Dewata at 2022-02-07T12:15:26-06:00
Update test scripts to use password authentication

The test scripts have been modified to use password instead of
client certificate to avoid intermittent authentication failures.

- - - - -
51d28ae0 by Endi S. Dewata at 2022-02-07T13:09:15-06:00
Refactor Configurator.createCert() (part 1)

The code that creates the SSL server cert for CA clone has
been moved out of Configurator.createCert().

- - - - -
86de76f2 by Endi S. Dewata at 2022-02-07T13:09:15-06:00
Refactor Configurator.createCert() (part 2)

The code that creates a remote cert has been moved out of
Configurator.createCert().

- - - - -
90f737e1 by Endi S. Dewata at 2022-02-07T13:09:15-06:00
Replace Configurator.createCert() with createLocalCert()

- - - - -
6a146db4 by Endi S. Dewata at 2022-02-07T13:09:15-06:00
Refactor Configurator.createLocalCert()

The Configurator.createLocalCert() has been modified to take
a request ID instead of creating a new one.

- - - - -
becf82ce by Endi S. Dewata at 2022-02-07T13:09:15-06:00
Refactor Configurator.setupCert()

The Configurator.setupCert() has been modified to return a
SystemCertData object which might contain a request ID.

- - - - -
9d16fcde by Endi S. Dewata at 2022-02-07T14:13:03-06:00
Refactor SystemConfigService.loadCert()

The SystemConfigService.loadCert() has been modified to get
the certificate request from the caller instead of loading
from a parameter in CS.cfg.

- - - - -
b9027ef0 by Endi S. Dewata at 2022-02-07T16:42:29-06:00
Remove unused SystemCertDataFactory

- - - - -
913f921b by Endi S. Dewata at 2022-02-07T16:42:29-06:00
Remove unused Cert

- - - - -
27d56dfa by Endi S. Dewata at 2022-02-07T16:42:29-06:00
Merge IAuditor into Auditor

- - - - -
63ea97dd by Endi S. Dewata at 2022-02-07T16:42:29-06:00
Move IJob and IJobCron to pki-server

- - - - -
0a9701c9 by Endi S. Dewata at 2022-02-07T16:42:29-06:00
Move IPluginImpl to pki-server

- - - - -
d1212a3d by Endi S. Dewata at 2022-02-07T16:42:29-06:00
Move SignedAuditEvent to pki-server

- - - - -
c2cef65b by Endi S. Dewata at 2022-02-07T16:42:29-06:00
Remove unused ISubsystemSource

- - - - -
79681774 by Endi S. Dewata at 2022-02-07T16:42:29-06:00
Move AuditEvent to pki-server

- - - - -
c4e23f3d by Endi S. Dewata at 2022-02-07T16:42:29-06:00
Remove unused IBundleLogEvent

- - - - -
34126de5 by Endi S. Dewata at 2022-02-07T16:42:58-06:00
Move LogEvent to pki-server

- - - - -
22da48f0 by Endi S. Dewata at 2022-02-07T16:43:36-06:00
Move ILogEventFactory to pki-server

- - - - -
9acf8b2e by Endi S. Dewata at 2022-02-07T16:44:48-06:00
Move AuditFormat to pki-server

- - - - -
426e1369 by Endi S. Dewata at 2022-02-07T16:45:48-06:00
Move ILogger to pki-server

- - - - -
7e0280a9 by Endi S. Dewata at 2022-02-07T16:50:43-06:00
Merge ILogQueue into LogQueue

- - - - -
7c7517a3 by Endi S. Dewata at 2022-02-07T16:52:04-06:00
Move ILogEvent and ILogEventListener to pki-server

- - - - -
e18c86bc by Chris Kelley at 2022-02-08T15:29:52+00:00
Remove CertRequestConstants

Only one of the constants is used, in a place where its use is
surprising. The surrounding code uses constants from IRequest so use the
replacement constant from that interface.

- - - - -
e2facba0 by Endi S. Dewata at 2022-02-08T13:35:02-06:00
Refactor SystemConfigService.loadCert() (part 1)

The SystemConfigService.loadCert() has been modified to load
the cert provided in the request object instead of loading
it from the NSS database directly.

- - - - -
da35114d by Endi S. Dewata at 2022-02-08T13:35:06-06:00
Refactor SystemConfigService.loadCert() (part 2)

The code in SystemConfigService.loadCert() that checks whether
the cert is external has been moved to the caller.

- - - - -
bbd3d44d by Endi S. Dewata at 2022-02-09T11:53:57-06:00
Clean up CAConfigurator.updateRequest()

The CAConfigurator.updateRequest() has been modified to get
the X509CertInfo from the X509CertImpl instead of from a
separate parameter.

- - - - -
cb19784c by Endi S. Dewata at 2022-02-09T12:20:13-06:00
Clean up log messages in CAConfigurator

- - - - -
9d659f1b by Endi S. Dewata at 2022-02-09T12:56:33-06:00
Update CAConfigurator.createLocalCert() and importCert()

The CAConfigurator.createLocalCert() and importCert() have
been modified to get the bootstrap profile params from the
configuration object instead of the profile object.

- - - - -
85a153c1 by Endi S. Dewata at 2022-02-09T14:58:57-06:00
Refactor PKIDeployer.setup_system_certs()

The PKIDeployer.setup_system_certs() has been modified to
reuse the NSSDatabase object.

- - - - -
2eb72afa by Endi S. Dewata at 2022-02-09T14:59:04-06:00
Refactor CAConfigurator.createAdminCertificate()

The CAConfigurator.createAdminCertificate() has been modified
to take and return a SystemCertData object.

- - - - -
e7ba9cac by Endi S. Dewata at 2022-02-09T17:00:15-06:00
Update NSSDatabase.add_cert()

The NSSDatabase.add_cert() has been modified to provide params
to specify the cert data and its format.

- - - - -
29488256 by Endi S. Dewata at 2022-02-09T18:11:11-06:00
Update Configurator.setupCert()

The code that imports the new cert into the NSS database
has been moved out of Configurator.setupCert().

- - - - -
139413ce by Chris Kelley at 2022-02-10T16:25:03+00:00
Remove XML parsing from ProfilePolicy

- - - - -
657bf41f by Endi S. Dewata at 2022-02-10T13:30:35-06:00
Add test for uninstalling IPA clone

- - - - -
129ee229 by Christina Fu at 2022-02-11T10:23:40-08:00
B1996141-subCA-adjustValidity

The CAValidityDefault is used by the profile caCMCcaCert during
subCA creation when using the CMC enrollment method.
While pkispawn auto-enrollment for subCA uses non-CMC methods, which
allow for use of the installAdjustValidity parameter to adjust
the notAfter date to match that of the signing CA's, the CAValidityDefault
does not.

This patch reads the bypassCAnotafter parameter in the CAValidityDefault
plugin so that by default the notAfter date will not supersede that of
the signing CA's.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1996141

- - - - -
b0cfb58d by Endi S. Dewata at 2022-02-11T18:35:42-06:00
Update log messages in LDAPSession

- - - - -
335d13a0 by Endi S. Dewata at 2022-02-11T18:35:46-06:00
Update log messages in PublisherProcessor

- - - - -
b7cb5590 by Endi S. Dewata at 2022-02-14T09:32:57-06:00
Fix pkidestroy for KRA with external certs

Generally, when installing KRA pkispawn will create a subsystem
cert in the CA using a profile that will also create a subsystem
user for the KRA in the CA (see SubsystemGroupUpdater), then
pkispawn will create a KRA connector in the CA as well (see
UpdateConnector). In case the KRA is removed later pkidestroy can
use this user to remove the KRA connector from the CA.

If the KRA was installed with external certs (including CMC case),
pkispawn would create the subsystem cert using a different profile
which would not create the subsystem user, but it would still
create the KRA connector. However, that means pkidestroy would not
be able to remove the KRA connector.

To fix the problem, some of the code in SubsystemGroupUpdater has
been copied into UpdateConnector such that the subsystem user will
be created when the KRA connector is added if it does not already
exist.

Right now the SubsystemGroupUpdater might still be needed for
other things, but potentially it could be removed in the future.

- - - - -
53a064f5 by Chris Kelley at 2022-02-14T17:36:58+00:00
Update version to v11.1.0 and update dependencies

- - - - -
bb1c6169 by Chris Kelley at 2022-02-14T17:40:48+00:00
Update Requires for ldapjdk and tomcatjss

- - - - -
6b784e2f by Endi S. Dewata at 2022-02-14T14:06:53-06:00
Update version number to 11.2.0-alpha1

- - - - -
6326a0e3 by Endi S. Dewata at 2022-02-14T18:10:39-06:00
Update IPA tests to install KRA separately

The IPA tests have been updated to install KRA separately
to simplify troubleshooting.

- - - - -
eb9929d8 by Endi S. Dewata at 2022-02-14T18:39:13-06:00
Refactor CAConfigurator.importCert()

The CAConfigurator.importCert() has been modified to store the
actual cert request extensions into the cert request record.

- - - - -
0ac01221 by Endi S. Dewata at 2022-02-15T09:16:05-06:00
Move tpsclient into pki-tools

The tpsclient, libtps.so, and its man page have been moved into
pki-tools package which contains other native tools.

The pki-tps has been converted into a platform-independent
package.

- - - - -
18aea0d0 by Endi S. Dewata at 2022-02-15T14:24:53-06:00
Update RequestDefaultStub

The RequestDefaultStub has been modified to extend the
Request class.

- - - - -
12a3a056 by Endi S. Dewata at 2022-02-15T15:11:00-06:00
Move IRequest constants to Request

- - - - -
e2e55f1b by Endi S. Dewata at 2022-02-15T15:11:08-06:00
Move IRequest type constants to Request

- - - - -
88270e9c by Endi S. Dewata at 2022-02-15T15:11:12-06:00
Move IRequest requestor constants to Request

- - - - -
764be10a by Endi S. Dewata at 2022-02-15T15:11:14-06:00
Move IRequest attribute constants to Request

- - - - -
d0c41296 by Endi S. Dewata at 2022-02-15T15:15:29-06:00
Move IRequest enrollment constants to Request

- - - - -
c81d0848 by Endi S. Dewata at 2022-02-15T15:15:31-06:00
Move IRequest renewal constants to Request

- - - - -
c5c86c84 by Endi S. Dewata at 2022-02-15T15:38:12-06:00
Move IRequest revocation constants to Request

- - - - -
a41d986f by Endi S. Dewata at 2022-02-15T15:38:12-06:00
Move IRequest Netkey constants to Request

- - - - -
c1e3740d by Endi S. Dewata at 2022-02-15T15:38:12-06:00
Move IRequest security data constants to Request

- - - - -
379b5bf9 by Endi S. Dewata at 2022-02-15T15:38:12-06:00
Move IRequest keygen constants to Request

- - - - -
8ff531d8 by Endi S. Dewata at 2022-02-15T15:38:12-06:00
Move IRequest server-side keygen constants to Request

- - - - -
ea3a302c by Endi S. Dewata at 2022-02-15T15:38:12-06:00
Move IRequest requestor type constants to Request

- - - - -
0d4c323a by Endi S. Dewata at 2022-02-15T15:38:12-06:00
Move IRequest internal constants to Request

- - - - -
e477f6a3 by Endi S. Dewata at 2022-02-15T15:38:12-06:00
Move IRequest policy constants to Request

- - - - -
7f97ce10 by Endi S. Dewata at 2022-02-15T15:44:52-06:00
Move remaining IRequest constants to Request

- - - - -
7dd518a0 by Endi S. Dewata at 2022-02-15T17:56:29-06:00
Update log messages in UpdateConnector

- - - - -
ac385479 by Endi S. Dewata at 2022-02-16T09:48:25-06:00
Clean up test scripts

- - - - -
1cd0a129 by Endi S. Dewata at 2022-02-16T14:54:56-06:00
Update IRequestVirtualList.getElementAt() to return Request

- - - - -
39391cf5 by Endi S. Dewata at 2022-02-16T14:54:56-06:00
Update RequestRepository.createRequest() to return Request

- - - - -
c42d4dec by Endi S. Dewata at 2022-02-16T15:41:29-06:00
Update RequestRepository.readRequest() to return Request

- - - - -
890506c0 by Endi S. Dewata at 2022-02-16T15:42:47-06:00
Update KeyRequestDAO.createRecoveryRequest() to return Request

- - - - -
8e722ea0 by Endi S. Dewata at 2022-02-16T16:32:01-06:00
Disable XML validation in Eclipse

- - - - -
3f09e51d by Endi S. Dewata at 2022-02-16T16:32:01-06:00
Update Profile.createRequests() to return Request

- - - - -
bd52baa4 by Endi S. Dewata at 2022-02-16T16:32:27-06:00
Update BootstrapProfile.populate() to accept Request

- - - - -
ed9af849 by Endi S. Dewata at 2022-02-16T16:33:23-06:00
Update ARequestQueue.processRequest() to accept Request

- - - - -
8ad0d40b by Endi S. Dewata at 2022-02-16T16:45:39-06:00
Update RenewalProcessor to use Request

- - - - -
dfa73536 by Endi S. Dewata at 2022-02-16T16:45:39-06:00
Update CertProcessor to use Request

- - - - -
fed9233b by Endi S. Dewata at 2022-02-16T16:59:35-06:00
Change CMSRequest.mRequest to Request

- - - - -
ba8c7249 by Endi S. Dewata at 2022-02-16T17:02:40-06:00
Update CAProcessor to use Request

- - - - -
d7521452 by Endi S. Dewata at 2022-02-16T17:11:57-06:00
Merge ICommandQueue into CommandQueue

- - - - -
497ce77d by Endi S. Dewata at 2022-02-16T17:16:32-06:00
Merge ICMSRequest into CMSRequest

- - - - -
b1fd8adb by Endi S. Dewata at 2022-02-16T17:25:07-06:00
Merge ICAService into CAService

- - - - -
1a5c8eda by Endi S. Dewata at 2022-02-16T17:40:23-06:00
Update IService.serviceRequest() to accept Request

- - - - -
7972002e by Endi S. Dewata at 2022-02-16T17:43:13-06:00
Update IServant.service() to accept Request

- - - - -
107c60c5 by Endi S. Dewata at 2022-02-16T17:58:20-06:00
Update IPolicy.apply() to accept Request

- - - - -
ac1123db by Endi S. Dewata at 2022-02-16T18:06:18-06:00
Update ProfileInput.populate() to accept Request

- - - - -
0dc01b7f by Endi S. Dewata at 2022-02-16T18:09:17-06:00
Update ProfileInput to use Request

- - - - -
041347f3 by Endi S. Dewata at 2022-02-16T18:27:15-06:00
Update PolicyDefault to use Request

- - - - -
e48a9922 by Endi S. Dewata at 2022-02-16T18:32:39-06:00
Update PolicyConstraint to use Request

- - - - -
e3cdf509 by Endi S. Dewata at 2022-02-16T18:46:14-06:00
Update EnrollDefault.populate() to accept Request

- - - - -
7ca8f724 by Endi S. Dewata at 2022-02-17T09:36:08-06:00
Fix pkidestroy for OCSP with external certs

Generally, when installing OCSP pkispawn will create a subsystem
cert in the CA using a profile that will also create a subsystem
user for the OCSP in the CA (see SubsystemGroupUpdater), then
pkispawn will create an OCSP publisher in the CA as well (see
UpdateOCSPConfig). In case the OCSP is removed later pkidestroy
can use this user to remove the OCSP publisher from the CA.

If the OCSP was installed with external certs (including CMC
case), pkispawn would create the subsystem cert using a different
profile which would not create the subsystem user, but it would
still create the OCSP publisher. However, that means pkidestroy
would not be able to remove the OCSP publisher.

To fix the problem, some of the code in SubsystemGroupUpdater has
been copied into UpdateOCSPConfig such that the subsystem user
will be created when the OCSP publisher is added if it does not
already exist.

Right now the SubsystemGroupUpdater might still be needed for
other things, but potentially it could be removed in the future.

- - - - -
0a9e32cb by Endi S. Dewata at 2022-02-21T19:41:08-06:00
Update OCSPClient to support hex serial numbers

The OCSPClient has been modified to accept hex serial numbers
but always display the returned serial number in hex.

- - - - -
c6ecac10 by Endi S. Dewata at 2022-02-22T09:33:48-06:00
Add test for CA profiles

- - - - -
4d989ace by Endi S. Dewata at 2022-02-23T10:49:15-06:00
Add RSNv3 for CA

The CertificateRepository, RequestRepository, and Repository
classes have been modified to support the new RSNv3 and the
legacy ID generators. pkispawn's default.cfg has been modified
to provide the configuration parameters.

- - - - -
5ebf1eee by Endi S. Dewata at 2022-02-23T10:49:15-06:00
Add test for CA with RSNv3

- - - - -
02ce6811 by Endi S. Dewata at 2022-02-23T14:31:23-06:00
Refactor CMSAdminServlet (part 1)

CA-specific code in CMSAdminServlet has been moved into
CACMSAdminServlet.

- - - - -
036d7ee8 by Endi S. Dewata at 2022-02-23T15:48:46-06:00
Refactor CMSAdminServlet (part 2)

KRA-specific code in CMSAdminServlet has been moved into
KRACMSAdminServlet.

- - - - -
4bdc061a by Endi S. Dewata at 2022-02-23T15:48:46-06:00
Fix NPE in CMSEngine.shutdownAuthSubsystem()

- - - - -
27c26006 by Endi S. Dewata at 2022-02-23T15:48:46-06:00
Clean up log messages in OCSPPublisher

- - - - -
fa628ad4 by Endi S. Dewata at 2022-02-24T08:08:25-06:00
Add tests for PKI server

A new GH workflow has been added to test basic PKI server
functionalities (e.g. create, start, stop, remove) without any
PKI subsystems. It will also test running the server as a
container. The container image later can be used to create other
PKI subsystem containers.

- - - - -
192c923a by Endi S. Dewata at 2022-02-24T09:42:25-06:00
Add RSNv3 for KRA

The KeyRepository class has been modified to support the new
RSNv3 and the legacy sequential ID generators (it doesn't
support RSNv1) for keys in KRA. pkispawn's default.cfg has been
modified to provide parameters to configure the ID generator
type and ID length.

- - - - -
616a1010 by Endi S. Dewata at 2022-02-24T09:42:25-06:00
Add test for KRA with RSNv3

- - - - -
74536e4e by Endi S. Dewata at 2022-02-24T14:56:52-06:00
Fix pki-server remove

The pki-server remove has been modified to assume that the
server has already been stopped.

- - - - -
559f46fd by Endi S. Dewata at 2022-02-24T14:56:53-06:00
Fix PKIInstance.is_available()

The PKIInstance.is_available() has been modified to use the
plain port if the secure port is not available.

- - - - -
e2f16fa1 by Endi S. Dewata at 2022-02-24T15:10:22-06:00
Fix PKIConnection constructor

The PKIConnection constructor has been modified not to include
the port number in the URL if it's not provided.

- - - - -
f6ce9ff4 by Endi S. Dewata at 2022-02-25T12:16:18-06:00
Add CAConfigurator.createCertRecord()

The code that creates the cert record in CAConfigurator has
been moved into createCertRecord().

- - - - -
737d8efa by Endi S. Dewata at 2022-02-25T12:20:24-06:00
Add CAConfigurator.updateRequestRecord()

The code that updates the request record in CAConfigurator
has been moved into updateRequestRecord().

- - - - -
46734f6a by Endi S. Dewata at 2022-02-25T12:20:24-06:00
Add CAConfigurator.createRequestRecord()

The code that creates the request record in CAConfigurator
has been moved into createRequestRecord().

- - - - -
cfa8f10a by Endi S. Dewata at 2022-02-25T12:40:04-06:00
Add CAConfigurator.createRequestExtensions()

The code that creates the request extensions in CAConfigurator
has been moved into createRequestExtensions().

- - - - -
1901ad76 by Endi S. Dewata at 2022-02-25T12:54:05-06:00
Merge Configurator.setupCert() into SystemConfigService

- - - - -
1b67d1fb by Endi S. Dewata at 2022-02-25T12:59:09-06:00
Merge Configurator.createAdminCertificate() into SystemConfigService

- - - - -
bfd4b0c4 by Endi S. Dewata at 2022-02-25T15:12:09-06:00
Move ConfigClient.process_admin_cert() into PKIDeployer

- - - - -
157b51fd by Endi S. Dewata at 2022-02-25T15:12:09-06:00
Move ConfigClient.process_admin_p12() into PKIDeployer

- - - - -
7c2037de by Endi S. Dewata at 2022-02-25T15:32:06-06:00
Merge ConfigClient.save_admin_csr() into PKIDeployer

- - - - -
d2b9a03f by Endi S. Dewata at 2022-02-25T15:32:06-06:00
Remove unused ConfigClient.save_system_csr()

- - - - -
d227d0c0 by Endi S. Dewata at 2022-02-25T15:32:06-06:00
Simplify PKIDeployer.get_admin_cert()

- - - - -
74ade6ee by Endi S. Dewata at 2022-02-25T15:32:06-06:00
Simplify PKIDeployer.setup_system_certs()

- - - - -
eb0ac702 by Endi S. Dewata at 2022-02-25T16:08:30-06:00
Simplify PKIDeployer.setup_system_cert()

- - - - -
0683763a by Endi S. Dewata at 2022-02-25T18:17:57-06:00
Refactor CryptoUtil.findPrivateKeyFromID()

The code in CryptoUtil.findPrivateKeyFromID() that finds
a private key in a specific token has been moved into a
separate method.

- - - - -
301f30c9 by Endi S. Dewata at 2022-02-25T18:38:28-06:00
Refactor NSSDatabase.createRequest()

The code in NSSDatabase.createRequest() that loads/creates
the key pair has been moved into separate methods.

- - - - -
61b32e7d by Endi S. Dewata at 2022-02-25T18:40:04-06:00
Refactor Configurator.createPKCS10Request()

The code in Configurator.createPKCS10Request() that creates
the request extensions has been moved to the caller.

- - - - -
bd49c90f by Endi S. Dewata at 2022-02-28T15:57:09-06:00
Simplify SystemConfigService.setupCert()

The code in SystemConfigService.setupCert() that calls
createRemoteCert() has been merged.

- - - - -
116a1586 by Endi S. Dewata at 2022-02-28T15:57:09-06:00
Add SystemCertData.keyID

- - - - -
048fa3be by Endi S. Dewata at 2022-02-28T15:57:09-06:00
Add SystemConfigService.setupKey()

The code in SystemConfigService.setupCert() that loads or
creates the cert key has been moved into setupKey().

- - - - -
a8908677 by Endi S. Dewata at 2022-02-28T15:57:09-06:00
Add SystemConfigService.createRequest()

The code in SystemConfigService.setupCert() that creates the
cert request has been moved into createRequest().

- - - - -
add6ab84 by Endi S. Dewata at 2022-02-28T17:13:14-06:00
Refactor PKIDeployer.request_admin_cert()

The PKIDeployer.request_admin_cert() has been converted into
a generic request_cert(). The admin-specific code has been
moved to the caller.

- - - - -
315b6c8e by Endi S. Dewata at 2022-02-28T17:13:55-06:00
Remove redundant code in CertificateAuthority.initCertSigningUnit()

- - - - -
ed58074d by Endi S. Dewata at 2022-02-28T18:18:51-06:00
Update CAConfigurator.createLocalCert()

The CAConfigurator.createLocalCert() has been modified to
create a new signing unit instead of reusing the existing
one from the subsystem to reduce dependency on subsystem
initialization.

- - - - -
c33d2302 by Endi S. Dewata at 2022-03-01T19:37:10-06:00
Update OCSP test

The OCSP test has been modified to check the OCSP responder
with no CRLs, with revoked cert, and with unrevoked cert using
OCSPClient and OpenSSL.

- - - - -
ec8fedcb by Endi S. Dewata at 2022-03-02T15:49:55-06:00
Clean up PKIDeployer.setup_system_cert()

- - - - -
bfcb0f1c by Endi S. Dewata at 2022-03-02T15:51:12-06:00
Split SystemConfigService.loadCert()

The SystemConfigService.loadCert() has been split into
importRequest() and importCert().

- - - - -
e3585e29 by Endi S. Dewata at 2022-03-02T15:51:13-06:00
Split SystemConfigService.setupCert()

The SystemConfigService.setupCert() has been split into
requestCert() and createCert().

- - - - -
3481ec05 by Endi S. Dewata at 2022-03-02T18:06:58-06:00
Replace CertificateSetupRequest.clone and masterURL

The clone and masterURL fields in CertificateSetupRequest have
been replaced with url field. The code that sets its value has
been moved into PKIDeployer.setup_system_cert().

- - - - -
c27bb2e2 by Endi S. Dewata at 2022-03-02T18:06:58-06:00
Add options for pki ca-cert-request-submit

The pki ca-cert-request-submit has been modified to provide
--dns-names and --requestor options.

- - - - -
8c342c5f by Endi S. Dewata at 2022-03-02T18:33:39-06:00
Replace SystemConfigService.requestCert()

The SystemConfigService.requestCert() has been replaced with
PKIDeployer.request_cert()

- - - - -
0a7a49b9 by Endi S. Dewata at 2022-03-02T19:10:59-06:00
Remove unused SystemConfigService.requestCert()

- - - - -
d7c10e84 by Endi S. Dewata at 2022-03-03T14:23:37-06:00
Add SystemCertData.adjustValidity

The SystemCertData.adjustValidity has been added to allow
the client to provide the value.

- - - - -
b8580cff by Endi S. Dewata at 2022-03-03T14:23:40-06:00
Replace CertUtils.getAdminProfileAlgorithm()

The code in CertUtils.getAdminProfileAlgorithm() that determines
the signing algorithm for admin cert has been moved into
PKIDeployer.

- - - - -
006fe199 by Endi S. Dewata at 2022-03-03T14:42:57-06:00
Merge SystemConfigService.setupAdmin() into createCert()

The code in SystemConfigService.setupAdmin() that creates the
admin cert has been merged into createCert().

- - - - -
dc897f52 by Endi S. Dewata at 2022-03-03T14:42:57-06:00
Remove unused SystemConfigService.setupAdmin()

- - - - -
7413bddd by Endi S. Dewata at 2022-03-03T14:42:57-06:00
Remove unused SystemCertData.installToken

- - - - -
f75c20e6 by Endi S. Dewata at 2022-03-03T15:53:08-06:00
Remove obsolete Servlet 2.3 DTD

- - - - -
766d5aa3 by Endi S. Dewata at 2022-03-03T15:59:47-06:00
Update RequestProcessor to use Request

- - - - -
d1a3bb78 by Endi S. Dewata at 2022-03-03T16:00:53-06:00
Update CRSEnrollment to use Request

- - - - -
b4cf1f84 by Endi S. Dewata at 2022-03-03T16:03:07-06:00
Update Profile to use Request

- - - - -
640264e5 by Endi S. Dewata at 2022-03-03T16:14:24-06:00
Update ProfileInput and ProfileOutput to use Request

- - - - -
aa5387af by Endi S. Dewata at 2022-03-03T16:22:33-06:00
Update PolicySet and PolicyRule to use Request

- - - - -
93e74f4d by Endi S. Dewata at 2022-03-03T16:30:21-06:00
Update EnrollConstraint to use Request

- - - - -
a29c6223 by Endi S. Dewata at 2022-03-03T16:30:21-06:00
Update RequestQueue to use Request

- - - - -
c92d7dcc by Endi S. Dewata at 2022-03-03T17:52:54-06:00
Update EnrollDefault to use Request

- - - - -
3f6397f6 by Endi S. Dewata at 2022-03-03T18:36:14-06:00
Update Processor to use Request

- - - - -
b101e3d7 by Endi S. Dewata at 2022-03-03T18:36:18-06:00
Update IConnector, INotify, and IRequestListener to use Request

- - - - -
493e3811 by Endi S. Dewata at 2022-03-03T18:36:18-06:00
Update ProfileAuthenticator to use Request

- - - - -
b88fc7f0 by Endi S. Dewata at 2022-03-03T18:36:18-06:00
Update ILdapMapper to use Request

- - - - -
9570d42f by Endi S. Dewata at 2022-03-03T18:36:18-06:00
Update IExpression to use Request

- - - - -
ba3daff7 by Endi S. Dewata at 2022-03-03T18:36:18-06:00
Update Pattern to use Request

- - - - -
3f8957d6 by Endi S. Dewata at 2022-03-03T18:36:18-06:00
Update LogEvent to use Request

- - - - -
5649ad06 by Endi S. Dewata at 2022-03-04T13:53:26-06:00
Update IRequestList to use Request

- - - - -
8538ec0e by Endi S. Dewata at 2022-03-04T13:55:11-06:00
Update RequestRepository to use Request

- - - - -
81425bb2 by Endi S. Dewata at 2022-03-04T13:56:18-06:00
Update RequestAttr to use Request

- - - - -
ff309e9b by Endi S. Dewata at 2022-03-04T13:58:00-06:00
Update QueryReq to use Request

- - - - -
802196f7 by Endi S. Dewata at 2022-03-04T14:01:14-06:00
Update CertReqParser to use Request

- - - - -
b1de3248 by Endi S. Dewata at 2022-03-04T14:04:05-06:00
Update ProfileSubmitServlet to use Request

- - - - -
700ee0b2 by Endi S. Dewata at 2022-03-04T14:05:46-06:00
Update CMSRequestDAO to use Request

- - - - -
b04f2a9e by Endi S. Dewata at 2022-03-04T14:07:51-06:00
Update CMSServlet to use Request

- - - - -
8fd6b886 by Endi S. Dewata at 2022-03-04T14:10:44-06:00
Update IPKIMessage to use Request

- - - - -
e2ee02b7 by Endi S. Dewata at 2022-03-04T14:14:45-06:00
Update CertificateAuthority to use Request

- - - - -
e9ceea36 by Endi S. Dewata at 2022-03-04T14:16:00-06:00
Update KeyRecoveryAuthority to use Request

- - - - -
8338687d by Endi S. Dewata at 2022-03-04T14:19:02-06:00
Update ProfileReviewServlet to use Request

- - - - -
fe84ca25 by Endi S. Dewata at 2022-03-04T14:22:10-06:00
Update ConnectorServlet to use Request

- - - - -
444d875a by Endi S. Dewata at 2022-03-04T15:34:01-06:00
Update pki-ca to use Request

- - - - -
7a2aa6b2 by Endi S. Dewata at 2022-03-04T15:34:01-06:00
Update pki-kra to use Request

- - - - -
f4d5f030 by Endi S. Dewata at 2022-03-04T15:34:01-06:00
Update pki-server to use Request

- - - - -
aa07b730 by Endi S. Dewata at 2022-03-04T15:34:01-06:00
Remove unused IRequest

- - - - -
7d1a94e0 by Endi S. Dewata at 2022-03-07T11:04:31-06:00
Clean up PKIDeployer.setup_system_cert()

- - - - -
7670c198 by Endi S. Dewata at 2022-03-07T13:12:31-06:00
Refactor CAConfigurator.importRequest()

The code in CAConfigurator.importRequest() that updates the
request record has been moved into importCert().

- - - - -
f44a2514 by Endi S. Dewata at 2022-03-07T14:33:21-06:00
Refactor CAConfigurator.createCert()

The CAConfigurator.createCert() has been modified to load
the request record from the request repository.

- - - - -
9f354a9c by Endi S. Dewata at 2022-03-07T15:02:37-06:00
Add SystemCertData.signingAlgorithm

The SystemCertData.signingAlgorithm has been added to provide
the signing algorithm to SystemConfigService.createCert().

- - - - -
08357ced by Endi S. Dewata at 2022-03-07T15:24:53-06:00
Remove unused CertificateSetupRequest.url

- - - - -
99f1529d by Endi S. Dewata at 2022-03-07T17:42:51-06:00
Merge ARequestQueue into RequestQueue

- - - - -
d9f5d330 by Endi S. Dewata at 2022-03-07T19:30:21-06:00
Move RequestQueue.updateRequest() to RequestRepository

- - - - -
d6b49e98 by Endi S. Dewata at 2022-03-07T19:30:21-06:00
Add CASubsystem.import_cert()

The CASubsystem.import_cert() has been added to import a cert
while the server is offline. pkispawn has been modified to use
this method instead of SystemConfigService.importCert().

- - - - -
d02c5460 by Endi S. Dewata at 2022-03-07T19:30:21-06:00
Remove unused SystemConfigService.importCert()

- - - - -
af91bdbd by Endi S. Dewata at 2022-03-07T19:30:21-06:00
Add pki-server ca-cert-import

The pki-server ca-cert-import has been added to invoke
CASubsystem.import_cert() from command line.

- - - - -
24e4ef67 by Chris Kelley at 2022-03-08T16:37:14+00:00
Log keyForUSer at INFO in FlatFileAuth to ease future debugging

- - - - -
ef781a37 by Endi S. Dewata at 2022-03-09T09:16:17-06:00
Add PKIDeployer.configure_id_generators()

The PKIDeployer.configure_id_generators() has been added to
configure the ID generator parameters in CS.cfg based on the
selected type. This will ensure that the ID generator code
does not depend on parameters belonging to another ID generator.

- - - - -
48bc06dd by Endi S. Dewata at 2022-03-09T11:37:24-06:00
Update ACME tests to use RSNv3

- - - - -
7ff340a5 by Endi S. Dewata at 2022-03-09T11:37:38-06:00
Fix pki-server migrate CLI

The pki-server migrate CLI has been modified to configure the
AJP connectors with either secret or requiredSecret parameter
(mutually exclusive) depending on the Tomcat version.

https://bugzilla.redhat.com/show_bug.cgi?id=2061458

- - - - -
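The migrate fix above picks the AJP connector attribute by Tomcat version. As an added example (not pki-server's own migrate code, which edits the instance's server.xml), the following shows the same decision in stand-alone Python: Tomcat renamed `requiredSecret` to `secret` in 9.0.31 and 8.5.51, and Tomcat 10 only knows the new name, so a rewrite has to set exactly one of the two. The sample server.xml, the version thresholds applied to releases older than 8.5, and the helper names are this example's own assumptions.

```python
# Added example, not pki-server's own migrate code: choose the AJP secret
# attribute the installed Tomcat understands and rewrite the connector so
# only that attribute is present. SAMPLE_SERVER_XML is constructed here.
import re
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="localhost"
               requiredSecret="old-secret" />
  </Service>
</Server>
"""

# The two attribute names are mutually exclusive: a connector carries one.
SECRET_ATTRS = ("secret", "requiredSecret")


def parse_version(text: str) -> tuple:
    """'9.0.50' -> (9, 0, 50); a packaging suffix such as '-1' is ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    return tuple(int(part) for part in match.groups())


def uses_secret_attribute(tomcat_version: str) -> bool:
    """True where Tomcat expects `secret`, False where it only knows
    `requiredSecret`. The rename shipped in Tomcat 9.0.31 and 8.5.51 and
    Tomcat 10 never had the old name; anything older is treated as legacy
    (an assumption of this example)."""
    version = parse_version(tomcat_version)
    if version[0] >= 10:
        return True
    if version[0] == 9:
        return version >= (9, 0, 31)
    if version[0] == 8:
        return version >= (8, 5, 51)
    return False


def configure_ajp_secret(server_xml: str, tomcat_version: str, secret: str) -> str:
    """Return server.xml with every AJP connector carrying exactly one of
    secret/requiredSecret (chosen by Tomcat version) set to `secret`.
    HTTP connectors are left untouched."""
    root = ET.fromstring(server_xml)
    keep = "secret" if uses_secret_attribute(tomcat_version) else "requiredSecret"
    touched = 0
    for connector in root.iter("Connector"):
        if not connector.get("protocol", "").startswith("AJP/"):
            continue
        for attr in SECRET_ATTRS:          # drop whichever name was there before
            connector.attrib.pop(attr, None)
        connector.set(keep, secret)
        touched += 1
    if not touched:
        raise ValueError("no AJP connector found in server.xml")
    return ET.tostring(root, encoding="unicode")


def ajp_secret_attributes(server_xml: str) -> list:
    """[(port, {attr: value})] for each AJP connector, to verify a rewrite."""
    root = ET.fromstring(server_xml)
    found = []
    for connector in root.iter("Connector"):
        if connector.get("protocol", "").startswith("AJP/"):
            present = {a: connector.get(a) for a in SECRET_ATTRS
                       if connector.get(a) is not None}
            found.append((connector.get("port"), present))
    return found


if __name__ == "__main__":
    for version in ("9.0.30", "9.0.50"):
        rewritten = configure_ajp_secret(SAMPLE_SERVER_XML, version, "s3cr3t")
        print(version, ajp_secret_attributes(rewritten))
```

Keeping both attribute names on one connector is the failure the commit avoids: the version-specific name is the only one the running Tomcat will honour, so a stale copy of the other name is at best ignored and at worst a misleading record of what the connector enforces.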
181ac22f by Endi S. Dewata at 2022-03-09T12:40:15-06:00
Update pki-server ca-cert-import

The pki-server ca-cert-import has been modified to load the
specified profile to get the profile ID mapping.

- - - - -
27e5600b by Endi S. Dewata at 2022-03-09T13:49:13-06:00
Move CAConfigurator.createRequestExtensions() to CertUtil

- - - - -
437e9468 by Endi S. Dewata at 2022-03-09T16:02:37-06:00
Refactor CAConfigurator.createRequestRecord()

The CAConfigurator.createRequestRecord() has been split into
smaller methods and moved into CertRequestRepository.

- - - - -
762842fe by Endi S. Dewata at 2022-03-09T18:33:53-06:00
Add CMSRequestInfo.requestID

The CMSRequestInfo.requestID has been added to store the
actual request ID instead of relying on request URL.

- - - - -
221d1d5a by Endi S. Dewata at 2022-03-09T19:38:30-06:00
Split CertRequestInfoFactory.create()

- - - - -
87c09909 by Endi S. Dewata at 2022-03-10T09:11:54-06:00
Update PKISubsystem.request_ranges()

The PKISubsystem.request_ranges() has been modified to request
ID ranges from the master only for legacy ID generators and
replica ID.

- - - - -
b713c88d by Endi S. Dewata at 2022-03-10T09:11:54-06:00
Update CA clone test to use RSNv3

- - - - -
9cfd2ae6 by Endi S. Dewata at 2022-03-10T09:11:54-06:00
Update KRA clone test to use RSNv3

- - - - -
6207bd7f by Endi S. Dewata at 2022-03-10T10:26:09-06:00
Update TPS tests to use RSNv3

- - - - -
4a25e1c9 by Endi S. Dewata at 2022-03-10T16:39:14-06:00
Update default RSNv3 length

pkispawn's default.cfg has been modified to generate 128-bit numbers
for RSNv3 by default as described in the design:
https://github.com/dogtagpki/pki/wiki/Random-Certificate-Serial-Numbers-v3

All RSNv3 tests have been modified to use the default length.

The Repository.getNextSerialNumber() has been updated to no longer
call BigInteger.abs() since the BigInteger constructor will always
create a non-negative number.

- - - - -
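The two RSNv3 commits above (the CA support and the 128-bit default) describe a generator that draws a fresh random serial of a configured length and no longer needs abs() because the constructor cannot return a negative value. The following is an added example, not Dogtag's Repository.getNextSerialNumber(): it reproduces that generator in Python and adds the checks a CA has to keep around it, namely that a 128-bit serial encodes to 17 DER octets (the leading 0x00 for a set top bit) and stays under the 20-octet limit of RFC 5280, that zero is never issued, and that the length never drops below 64 bits of CSPRNG output. The helper names, the injectable `rng` parameter and the `issued` set are this example's own.

```python
# Added example, not Dogtag's Repository.getNextSerialNumber(): a random
# serial generator with the properties a CA must preserve. Helper names and
# the deterministic inputs used in the demo are this example's own.
import secrets

DEFAULT_BITS = 128   # RSNv3 default length per pkispawn's default.cfg (the commit above)
MIN_BITS = 64        # CA/Browser Forum Baseline Requirements floor for CSPRNG output
MAX_DER_OCTETS = 20  # RFC 5280 4.1.2.2: serialNumber content at most 20 octets


def der_integer_length(value: int) -> int:
    """Octets of DER INTEGER content needed for a non-negative value.

    DER INTEGER is two's-complement, so a value whose top bit is set needs
    a leading 0x00 octet: a full 128-bit serial occupies 17 octets, not 16.
    """
    if value < 0:
        raise ValueError("serial numbers must not be negative")
    octets = max(1, (value.bit_length() + 7) // 8)
    if (value >> (octets * 8 - 1)) & 1:
        octets += 1
    return octets


def next_random_serial(bits: int = DEFAULT_BITS, rng=secrets.randbits,
                       issued=frozenset()) -> int:
    """Draw a fresh random serial of `bits` bits.

    secrets.randbits() only returns values in [0, 2**bits), so no abs() is
    needed (the same observation the commit makes about Java's BigInteger
    constructor). Zero is redrawn because RFC 5280 requires a positive
    serial, and a value already issued is redrawn too; both cases are
    astronomically rare at 128 bits but cost nothing to check. `rng` is
    injectable so the retry paths can be exercised deterministically.
    """
    if bits < MIN_BITS:
        raise ValueError(f"{bits}-bit serials fall below the {MIN_BITS}-bit entropy floor")
    if der_integer_length((1 << bits) - 1) > MAX_DER_OCTETS:
        raise ValueError(f"{bits}-bit serials can exceed {MAX_DER_OCTETS} DER octets")
    while True:
        serial = rng(bits)
        if serial <= 0 or serial in issued:
            continue
        return serial


if __name__ == "__main__":
    issued = set()
    for _ in range(3):
        serial = next_random_serial(issued=issued)
        issued.add(serial)
        print(f"serial 0x{serial:032x} ({der_integer_length(serial)} DER octets)")
```

The length check is why 128 bits is a comfortable default: 159 bits is the largest length whose every value still fits in 20 octets, and going to a round 160 bits would overflow on any value with the top bit set.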
c11c8802 by Endi S. Dewata at 2022-03-10T17:41:01-06:00
Add SystemConfigService.createRequestID()

The code in SystemConfigService.importRequest() that creates
the cert request ID has been moved to createRequestID().

- - - - -
2863990d by Endi S. Dewata at 2022-03-11T12:17:36-06:00
Update OCSP tests to use RSNv3

- - - - -
43d1c837 by Endi S. Dewata at 2022-03-14T10:10:14-05:00
Refactor CertRequestRepository.updateRequest()

The CertRequestRepository.updateRequest() has been modified
to parse the cert request to get the subject name, the public
key, and the request extensions.

- - - - -
7abf83b1 by Endi S. Dewata at 2022-03-14T11:56:29-05:00
Add PKIDeployer.pki_connect()

The code that creates the client object in configuration.py
has been moved into PKIDeployer.pki_connect().

- - - - -
9889d67e by Endi S. Dewata at 2022-03-14T13:00:03-05:00
Add PKISubsystem.import_cert_request()

The SystemConfigService.importRequest() has been converted
into PKISubsystem.import_cert_request() which runs outside
of the server.

- - - - -
d1a8f589 by Endi S. Dewata at 2022-03-14T17:53:02-05:00
Remove unused PluginRegistry.mConfig

- - - - -
a0b445fb by Endi S. Dewata at 2022-03-14T18:08:15-05:00
Rename PluginRegistry.fileConfig to registryConfig

- - - - -
9d73ad7a by Endi S. Dewata at 2022-03-14T18:08:15-05:00
Clean up PluginRegistry.loadPlugins()

- - - - -
f7937594 by Endi S. Dewata at 2022-03-14T18:08:15-05:00
Rename CMSEngine.createFileConfigStore() to loadConfigStore()

- - - - -
dc719bc6 by Endi S. Dewata at 2022-03-14T18:10:30-05:00
Rename FileConfigStore to FileConfigStorage

- - - - -
68c111a5 by Endi S. Dewata at 2022-03-14T18:10:31-05:00
Rename LDAPConfigStore to LDAPConfigStorage

- - - - -
190bb73c by Endi S. Dewata at 2022-03-14T18:30:54-05:00
Rename PropConfigStore to ConfigStore

- - - - -
297e9461 by Endi S. Dewata at 2022-03-15T13:09:15-05:00
Rename DBSubsystem.mConfig to ldapConfig

- - - - -
b9b79232 by Endi S. Dewata at 2022-03-15T13:09:15-05:00
Update DBSubsystem.init()

The DBSubsystem.init() has been modified to take an LDAPConfig
parameter.

- - - - -
b7c16089 by Endi S. Dewata at 2022-03-15T15:17:53-05:00
Update minimum connections for DBSubsystem in CLI

The CLIs that use DBSubsystem have been modified to use only
one connection to the database.

- - - - -
800f60c9 by Endi S. Dewata at 2022-03-15T18:30:14-05:00
Add DatabaseConfig.getLDAPConfig()

The DatabaseConfig.getLDAPConfig() has been added to get the
LDAP configuration object.

- - - - -
dc2cec9c by Endi S. Dewata at 2022-03-15T18:33:40-05:00
Update UGSubsystem.init()

The UGSubsystem.init() has been modified to take an LDAPConfig
parameter.

- - - - -
bb630285 by Endi S. Dewata at 2022-03-15T18:33:40-05:00
Update minimum connections for UGSubsystem in CLI

The CLIs that use UGSubsystem have been modified to use only
one connection to the database.

- - - - -
38a8d43b by Endi S. Dewata at 2022-03-16T09:14:23-05:00
Add docs for RSNv3

[skip ci]

- - - - -
ed2d687a by Endi S. Dewata at 2022-03-16T09:54:22-05:00
Update CA tests to use RSNv3

The basic CA test has been modified to switch to RSNv3 after
installing using sequential ID generator. The remaining CA
tests have been modified to install using RSNv3 except for the
RSNv1 test.

- - - - -
2071cb2d by Endi S. Dewata at 2022-03-16T09:56:31-05:00
Update KRA tests to use RSNv3

The basic KRA test has been modified to switch to RSNv3 after
installing using sequential ID generator. The remaining KRA
tests have been modified to install using RSNv3.

- - - - -
93202c23 by Chris Kelley at 2022-03-16T15:03:46+00:00
Code cleanup in CMSServlet

* Remove unnecessary Boolean literals
* Use ternary operator where appropriate
* Remove redundant jumps
* Remove unnecessary else clauses
* Remove empty if statements
* Don't create variables just to return them
* Remove null checks prior to instanceof checks
* Don't box int just to get a String

- - - - -
7890e8dc by Chris Kelley at 2022-03-16T15:18:20+00:00
Prevent NullPointerException in DirBasedAuthentication

* It is acceptable for getLdapAttrs() to return null, so check before
dereference.

- - - - -
4003e7e6 by Endi S. Dewata at 2022-03-16T13:07:25-05:00
Remove unused SystemConfigService.importRequest()

- - - - -
a46f5a96 by Endi S. Dewata at 2022-03-16T13:08:55-05:00
Update CI tests to show system certs and CSRs

- - - - -
04db0b19 by Endi S. Dewata at 2022-03-16T13:09:55-05:00
Add PKIDeployer.import_cert_request()

The code that creates the request ID and imports the CSR has
been consolidated into PKIDeployer.import_cert_request().

- - - - -
af5a31d2 by Endi S. Dewata at 2022-03-16T14:14:11-05:00
Update error messages in RequestIdMapper and RequestStateMapper

- - - - -
86a4c3ac by Endi S. Dewata at 2022-03-16T20:21:51-05:00
Remove redundant CryptoUtil.generateRSAKeyPair()

- - - - -
848a5257 by Endi S. Dewata at 2022-03-16T20:23:52-05:00
Remove redundant CryptoUtil.generateECCKeyPair()

- - - - -
7e29e4d2 by Endi S. Dewata at 2022-03-16T20:23:59-05:00
Refactor SystemConfigService.setupKey()

The code in SystemConfigService.setupKey() that creates the
key pair has been moved into createRequest().

- - - - -
4fbf70ca by Endi S. Dewata at 2022-03-16T20:23:59-05:00
Rename SystemConfigService.setupKey() to findKey()

- - - - -
8c835450 by Endi S. Dewata at 2022-03-16T20:23:59-05:00
Replace Configurator.createRSAKeyPair()

The Configurator.createRSAKeyPair() has been replaced with
CryptoUtil.generateRSAKeyPair().

- - - - -
429a3f61 by Endi S. Dewata at 2022-03-16T20:23:59-05:00
Replace Configurator.createECCKeyPair()

The Configurator.createECCKeyPair() has been replaced with
CryptoUtil.generateECCKeyPair().

- - - - -
942727a3 by Endi S. Dewata at 2022-03-17T12:56:52-05:00
Update PKIDeployer.import_cert_request()

Previously in some installation scenarios importing a cert
request into the database had to be done while the server was
running since the legacy ID generator can only work within the
server.

The PKIDeployer.import_cert_request() has been modified such
that if the server is configured with a legacy ID generator it
will continue to call the server to generate a new ID, then
import the cert request using the ID.

However, if the server is configured with RSNv3 it will let
PKISubsystem.import_cert_request() generate a new ID locally
(without the server) and import the cert request with the ID.
This will reduce the dependency on a running server during
installation.

The CACertRequestImportCLI has been modified to provide an
option to return the result in JSON format such that it can be
parsed by PKISubsystem.import_cert_request().

- - - - -
dc91b85c by Endi S. Dewata at 2022-03-17T13:10:20-05:00
Fix error in SystemConfigService.createRequest()

- - - - -
d612744f by Endi S. Dewata at 2022-03-17T13:10:35-05:00
Merge IRevocationInfo into RevocationInfo

- - - - -
26f790c7 by Endi S. Dewata at 2022-03-17T13:50:14-05:00
Update CMSEngine.loadConfigStore()

The CMSEngine.loadConfigStore() has been modified to return
ConfigStore.

- - - - -
d3ec7578 by Endi S. Dewata at 2022-03-17T13:52:20-05:00
Update IConfigStore.getSubStore() in pki-server

The IConfigStore.getSubStore() in pki-server has been modified
to return ConfigStore.

- - - - -
07dc2ef1 by Endi S. Dewata at 2022-03-17T13:52:20-05:00
Update IConfigStore.getSubStore() in pki-tps

The IConfigStore.getSubStore() in pki-tps has been modified
to return ConfigStore.

- - - - -
baefcd5d by Endi S. Dewata at 2022-03-17T13:52:20-05:00
Update IConfigStore.getSubStore() in pki-ocsp

The IConfigStore.getSubStore() in pki-ocsp has been modified
to return ConfigStore.

- - - - -
0f561368 by Endi S. Dewata at 2022-03-17T13:52:20-05:00
Update IConfigStore.getSubStore() in pki-kra

The IConfigStore.getSubStore() in pki-kra has been modified
to return ConfigStore.

- - - - -
58807d0b by Endi S. Dewata at 2022-03-17T19:48:34-05:00
Update IConfigStore.getSubStore() in org.dogtagpki.legacy.server

The IConfigStore.getSubStore() in org.dogtagpki.legacy.server
has been modified to return ConfigStore.

- - - - -
468955d7 by Endi S. Dewata at 2022-03-17T19:48:34-05:00
Update IConfigStore.getSubStore() in com.netscape.cms.profile

The IConfigStore.getSubStore() in com.netscape.cms.profile
has been modified to return ConfigStore.

- - - - -
e5844811 by Endi S. Dewata at 2022-03-17T19:48:34-05:00
Update IConfigStore.getSubStore() in com.netscape.cms.servlet

The IConfigStore.getSubStore() in com.netscape.cms.servlet
has been modified to return ConfigStore.

- - - - -
6a16b10b by Endi S. Dewata at 2022-03-17T19:48:34-05:00
Update IConfigStore.getSubStore() in com.netscape.cms.jobs

The IConfigStore.getSubStore() in com.netscape.cms.jobs
has been modified to return ConfigStore.

- - - - -
16bc3012 by Endi S. Dewata at 2022-03-17T19:48:34-05:00
Update IConfigStore.getSubStore() in com.netscape.ca

The IConfigStore.getSubStore() in com.netscape.ca has been
modified to return ConfigStore.

- - - - -
7cac7672 by Endi S. Dewata at 2022-03-17T19:48:58-05:00
Update IConfigStore.getSubStore() in pki-ca

The remaining IConfigStore.getSubStore() in pki-ca has been
modified to return ConfigStore.

- - - - -
30662536 by Chris Kelley at 2022-03-18T17:32:41+00:00
Remove ICertAuthority interface

* CertificateAuthority implements both ICertAuthority and
ICertificateAuthority which is confusing.

* ICertAuthority is basically a stub of ICertificateAuthority - only
containing one unique method not found in ICertificateAuthority. This
method is moved into ICertificateInterface.

* ICertAuthority extended IAuthority, which extends ISubsystem.
ICertificateAuthority extended ISubsystem directly.
ICertificateAuthority has been modified to extend IAuthority.

- - - - -
c3fe45b3 by Endi S. Dewata at 2022-03-18T13:33:23-05:00
Merge IConfigStore.makeSubStore() into ConfigStore

- - - - -
6569fda8 by Endi S. Dewata at 2022-03-18T13:33:23-05:00
Update PolicyConstraint to use ConfigStore

- - - - -
f9da052e by Endi S. Dewata at 2022-03-18T13:33:23-05:00
Update PolicyDefault to use ConfigStore

- - - - -
f5467e0e by Endi S. Dewata at 2022-03-18T13:33:23-05:00
Update ProfileInput to use ConfigStore

- - - - -
4a63c7a6 by Endi S. Dewata at 2022-03-18T13:33:23-05:00
Update IProfileUpdater to use ConfigStore

- - - - -
31d014eb by Endi S. Dewata at 2022-03-18T13:33:23-05:00
Update FeatureService to use ConfigStore

- - - - -
e35cd87e by Endi S. Dewata at 2022-03-18T17:53:34-05:00
Update generate_rpm_spec() in build.sh

The generate_rpm_spec() in build.sh has been modified
to edit the spec file in place.

- - - - -
7d30d653 by Endi S. Dewata at 2022-03-18T19:09:00-05:00
Move ISubsystem to pki-server

- - - - -
c183f9f8 by Endi S. Dewata at 2022-03-18T20:03:20-05:00
Move ILdapConnModule to pki-server

- - - - -
3e60b44a by Endi S. Dewata at 2022-03-18T20:10:15-05:00
Update ISubsystem to use ConfigStore

- - - - -
65d6aa47 by Endi S. Dewata at 2022-03-18T20:14:23-05:00
Update CertificateAuthority.getConfigStore() to return CAConfig

- - - - -
be7f49a7 by Endi S. Dewata at 2022-03-18T20:14:39-05:00
Update IPolicyRule to use ConfigStore

- - - - -
6f9c4feb by Endi S. Dewata at 2022-03-18T20:57:29-05:00
Update ISelfTest to use ConfigStore

- - - - -
d65f47a7 by Endi S. Dewata at 2022-03-18T20:57:29-05:00
Update IRequestListener to use ConfigStore

- - - - -
e6e248fe by Endi S. Dewata at 2022-03-18T20:57:29-05:00
Update IJob to use ConfigStore

- - - - -
0948011d by Endi S. Dewata at 2022-03-18T20:57:29-05:00
Update ILdapConnModule to use ConfigStore

- - - - -
05723338 by Chris Kelley at 2022-03-21T10:37:14+00:00
Use enhanced instanceof where there is a check-and-cast

* From Java 14 instanceof allows assignment to a variable of the checked
type without having to explicitly create one and cast it to the correct
type.

- - - - -
806ccb62 by Chris Kelley at 2022-03-21T10:40:14+00:00
Tidy up in CAEngine

* Access static members statically
* Remove unnecessary else clauses
* Remove unused local variables
* Combine identical execution paths

- - - - -
9e08c978 by Chris Kelley at 2022-03-21T15:05:49+00:00
Convert switch statements to switch expressions

* New in Java 13, they allow more concise case statements (among other
benefits).

- - - - -
5343f7cd by Endi S. Dewata at 2022-03-21T10:38:28-05:00
Remove unused IRequestListenerPlugin

- - - - -
4c3a864f by Endi S. Dewata at 2022-03-21T10:38:31-05:00
Move KeyCertData to pki-server

- - - - -
6f0828ed by Endi S. Dewata at 2022-03-21T10:38:32-05:00
Move ICRLIssuingPoint to pki-ca

- - - - -
7be94277 by Endi S. Dewata at 2022-03-21T10:38:34-05:00
Update ProfileAuthenticator to use ConfigStore

- - - - -
144f5fc1 by Endi S. Dewata at 2022-03-21T10:38:36-05:00
Update ICMSCRLExtension to use ConfigStore

- - - - -
a95124ec by Endi S. Dewata at 2022-03-21T10:38:38-05:00
Update ILdapPlugin to use ConfigStore

- - - - -
9e9f6ff6 by Endi S. Dewata at 2022-03-21T13:33:34-05:00
Update ProfileOutput to use ConfigStore

- - - - -
a0e74f7f by Endi S. Dewata at 2022-03-21T13:33:35-05:00
Update IOCSPStore to use ConfigStore

- - - - -
62de98d2 by Endi S. Dewata at 2022-03-21T13:33:36-05:00
Update ConfigStorage to use ConfigStore

- - - - -
06edbf0e by Endi S. Dewata at 2022-03-21T13:33:37-05:00
Update SigningUnit to use ConfigStore

- - - - -
14f8bfd8 by Endi S. Dewata at 2022-03-21T13:33:39-05:00
Update LdapRule to use ConfigStore

- - - - -
0366f2bc by Endi S. Dewata at 2022-03-21T14:15:48-05:00
Update ILogEventListener to use ConfigStore

- - - - -
6a7be2ca by Endi S. Dewata at 2022-03-21T14:15:50-05:00
Update CRLIssuingPoint to use ConfigStore

- - - - -
6660d3d1 by Endi S. Dewata at 2022-03-21T14:15:52-05:00
Update ICertificateAuthority to use ConfigStore

- - - - -
69c2cffe by Endi S. Dewata at 2022-03-21T14:20:17-05:00
Update KRAPolicy to use ConfigStore

- - - - -
d3689bf5 by Endi S. Dewata at 2022-03-21T14:23:16-05:00
Update org.dogtagpki.legacy to use ConfigStore

- - - - -
7351535f by Endi S. Dewata at 2022-03-21T15:30:17-05:00
Update com.netscape.cms.servlet to use ConfigStore

- - - - -
171e037a by Endi S. Dewata at 2022-03-21T15:33:03-05:00
Update com.netscape.cms.profile to use ConfigStore

- - - - -
412e2480 by Endi S. Dewata at 2022-03-21T15:33:05-05:00
Update com.netscape.cms.servlet to use ConfigStore

- - - - -
2a681aca by Endi S. Dewata at 2022-03-21T15:33:08-05:00
Update pki-tps to use ConfigStore

- - - - -
c205be74 by Endi S. Dewata at 2022-03-21T15:33:11-05:00
Update pki-tks to use ConfigStore

- - - - -
b233ce6d by Endi S. Dewata at 2022-03-21T16:22:55-05:00
Update pki-ocsp to use ConfigStore

- - - - -
e175fdd6 by Endi S. Dewata at 2022-03-21T16:23:01-05:00
Update pki-kra to use ConfigStore

- - - - -
7ad14c6f by Endi S. Dewata at 2022-03-21T16:23:04-05:00
Update pki-ca to use ConfigStore

- - - - -
157ad4a2 by Endi S. Dewata at 2022-03-21T16:23:08-05:00
Update pki-server to use ConfigStore

- - - - -
3fdaff45 by Endi S. Dewata at 2022-03-22T09:30:44-05:00
Fix JAVA_HOME for container

Previously when creating a new instance for a container the
PKIServer.create() would copy the default tomcat.conf which
might contain the wrong JAVA_HOME. The code has been changed
to update the tomcat.conf with the proper JAVA_HOME.

The pki-acme-run script has also been modified to run the
server using the pki-server run command which will load the
environment variables properly.

- - - - -
6fd21278 by Endi S. Dewata at 2022-03-22T12:47:34-05:00
Rename acme-wait.sh to pki-start-wait.sh

The acme-wait.sh has been renamed to pki-start-wait.sh since
it can be used in general to wait for PKI server to start.

- - - - -
dc9a75ce by Endi S. Dewata at 2022-03-22T12:50:39-05:00
Update server test

The server test has been modified to set up a client container
to verify that the server has started.

The Dockerfile has been modified to add the missing
instance name.

- - - - -
ce8896d2 by Endi S. Dewata at 2022-03-22T17:49:10-05:00
Capture server test logs

- - - - -
800432ff by Endi S. Dewata at 2022-03-23T09:20:24-05:00
Split basic server installation doc

[skip ci]

- - - - -
ca2731e1 by Endi S. Dewata at 2022-03-23T11:15:09-05:00
Add pki-server-run

The code in pki-acme-run that imports/generates the CA signing
cert and SSL server cert and also runs the server has been moved
into pki-server-run such that it can be used by pki-server image.

- - - - -
f6432b33 by Endi S. Dewata at 2022-03-23T11:15:09-05:00
Refactor pki-acme image

The pki-acme image has been modified to extend pki-server image.
The code that configures the HTTPS connector for pki-acme image
has been moved into pki-server image.

- - - - -
a246e2e8 by Endi S. Dewata at 2022-03-23T20:52:27-05:00
Move HTTPS connector doc into admin guide

[skip ci]

- - - - -
17757403 by Chris Kelley at 2022-03-24T06:36:49+00:00
Remove unnecessary Boolean literals and returns in PublisherAdminServlet
- - - - -
049f4dd9 by Chris Kelley at 2022-03-24T13:22:58+00:00
Prevent NPE in ACMEEngine.checkOrder()

* Added CheckOrderResult.ORDER_NULL, return this if the order is null.
* Also does some minor cosmetic work.
- - - - -
e48c7f55 by Endi S. Dewata at 2022-03-24T09:49:06-05:00
Add tests for HTTPS connector

The basic server test has been modified to create a client
container to verify that the server is running.

A new job has been added to test HTTPS connector using NSS
database. Tests for HTTPS connector using other methods can
be added later.

The container test has been modified to use HTTPS protocol
to verify that the server is running.

The pki-start-wait.sh script has been modified to ignore
self-signed cert.

- - - - -
640299d9 by Endi S. Dewata at 2022-03-24T14:47:46-05:00
Update NSSDatabase.createRSAKeyPair() and createECKeyPair()

The NSSDatabase.createRSAKeyPair() and createECKeyPair() methods
have been modified to provide optional usages and usages mask
parameters.

- - - - -
1cf64df3 by Endi S. Dewata at 2022-03-24T16:17:05-05:00
Merge IConfigStore into ConfigStore

- - - - -
eca934ea by Endi S. Dewata at 2022-03-24T16:17:05-05:00
Remove unused IConfigStoreEventListener

- - - - -
fdef7548 by Endi S. Dewata at 2022-03-24T19:29:51-05:00
Add KeyInfo.keyId

The KeyInfo.keyId has been added to store the actual key ID
instead of relying on key URL.

- - - - -
af760c72 by Endi S. Dewata at 2022-03-25T10:37:42-05:00
Fix PKIServer.export_ca_cert()

Previously the PKIServer.export_ca_cert() would always export
the CA cert from NSS database in all cases. The code has been
modified to do the export only if the server has an HTTPS
connector with NSS database. The support for other types of
HTTPS connector will be added later.

- - - - -
f30bed2b by Endi S. Dewata at 2022-03-25T10:37:42-05:00
Add test for HTTPS connector with PKCS #12 file

A new test has been added to test HTTPS connector with
PKCS #12 file.

- - - - -
fdcfe5ea by Endi S. Dewata at 2022-03-25T10:37:42-05:00
Add test for HTTPS connector with JKS file

A new test has been added to test HTTPS connector with
JKS file.

- - - - -
ae520f57 by Endi S. Dewata at 2022-03-25T10:37:42-05:00
Add test for HTTPS connector with PEM files

A new test has been added to test HTTPS connector with
PEM files.

- - - - -
cdac531a by Endi S. Dewata at 2022-03-25T10:38:40-05:00
Update SystemConfigService.createRequest()

The SystemConfigService.createRequest() has been modified to
load/create the key pair, create the request extensions, and
create the CSR using the NSSDatabase class which is also used
by pki nss-cert-request CLI. The unused code in Configurator
class has been removed.

- - - - -
58979b5f by Endi S. Dewata at 2022-03-25T16:39:54-05:00
Update logging level for NSSDatabase

The NSSDatabase class has been modified to set the logging
level for pki commands according to the current setting.

- - - - -
0162bbc5 by Endi S. Dewata at 2022-03-25T18:19:34-05:00
Add NSSDatabase.run()

The code that calls external commands has been consolidated
into NSSDatabase.run().

- - - - -
8b5c91c4 by Endi S. Dewata at 2022-03-28T10:48:36-05:00
Clean up pki nss-cert-export

- - - - -
ef473f9e by Endi S. Dewata at 2022-03-28T15:55:03-05:00
Redirect banner prompt to standard error

Previously if PKI server was configured with access banner pki
CLI would display the access banner on the standard output.
This could cause a problem if pki CLI was used in automation
because the output might change.

To fix the problem pki CLI has been modified to display the
access banner on the standard error instead.

- - - - -
7d80a22b by Christina Fu at 2022-03-29T14:26:50-07:00
Bug 2069813-Up default CA and OCSP signing cert key size to 3072

Up the default values for the following two pkispawn parameters to 3072
for RSA:
 pki_ca_signing_key_size=3072
 pki_ocsp_signing_key_size=3072

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2069813

- - - - -
b9811cee by Christina Fu at 2022-03-29T14:26:58-07:00
Bug 2069813- Up default CA and OCSP signing cert key size to 3072 (OCSP)

The earlier fix was only for under [CA];
This fix adds the missed pki_ocsp_signing_key_size=3072 change under [OCSP]

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2069813

- - - - -
88b6c198 by Endi S. Dewata at 2022-03-29T20:52:36-05:00
Add pki nss-key-find

The pki nss-key-find has been added to list all keys in the
NSS database.

- - - - -
e3ecbf52 by Endi S. Dewata at 2022-03-29T20:52:36-05:00
Add pki nss-key-find --output-format option

The pki nss-key-find has been modified to provide an option
to return the result in JSON format.

- - - - -
4c0d6a46 by Endi S. Dewata at 2022-03-30T09:32:17-05:00
Add pki nss-cert-export --output-file option

The pki nss-cert-export CLI has been modified to provide a
--output-file option for consistency with other CLIs. The
optional positional path argument has been deprecated.

- - - - -
175c75aa by Endi S. Dewata at 2022-03-30T18:27:38-05:00
Clean up CAEnrollProfile.execute()

- - - - -
6fcfa8e1 by Endi S. Dewata at 2022-03-30T19:08:21-05:00
Add pki nss-key-find --nickname option

The pki nss-key-find CLI has been modified to provide an
option to find the keys belonging to a cert.

- - - - -
17be27de by Endi S. Dewata at 2022-03-30T19:08:21-05:00
Add tests for pki nss-key-find

- - - - -
c5e6b20f by Endi S. Dewata at 2022-03-31T10:20:06-05:00
Fix key ID handling in SystemConfigService

The SystemConfigService has been modified to support key IDs
in hexadecimal with 0x prefix.

- - - - -
556cdd88 by Endi S. Dewata at 2022-03-31T19:49:55-05:00
Fix key ID handling in SystemConfigService (part 2)

The SystemConfigService has been modified to support key IDs
with odd number of characters.

- - - - -
6b7ad7de by Endi S. Dewata at 2022-03-31T19:50:38-05:00
Add NSSDatabase.find_cert_keys()

The NSSDatabase.find_cert_keys() has been added to get the keys
belonging to a certificate.

- - - - -
f92ea033 by Endi S. Dewata at 2022-03-31T19:50:38-05:00
Add PKIDeployer.find_cert_key()

The PKIDeployer.find_cert_key() has been added to get the
key of an existing system certificate (if any) using the
NSSDatabase.find_cert_keys().

- - - - -
dba97c12 by Endi S. Dewata at 2022-03-31T19:50:59-05:00
Remove unused SystemConfigService.findKey()

- - - - -
1d0682b4 by Endi S. Dewata at 2022-04-01T13:29:08-05:00
Add SystemCertData.sslECDH

- - - - -
ae82a5c2 by Endi S. Dewata at 2022-04-01T13:29:10-05:00
Add SystemCertData.keyWrap

- - - - -
f74d8585 by Endi S. Dewata at 2022-04-01T16:25:46-05:00
Update PKIDeployer.create_cert_setup_request() (part 1)

The PKIDeployer.create_cert_setup_request() has been modified
to set the SystemCertData.keySize and keyCurveName fields.

- - - - -
7a38601e by Endi S. Dewata at 2022-04-01T16:29:19-05:00
Update PKIDeployer.create_cert_setup_request() (part 2)

The PKIDeployer.create_cert_setup_request() has been modified
to set the SystemCertData.sslECDH field.

- - - - -
f430c16e by Endi S. Dewata at 2022-04-01T16:29:22-05:00
Update PKIDeployer.create_cert_setup_request() (part 3)

The PKIDeployer.create_cert_setup_request() has been modified
to set the SystemCertData.keyWrap field.

- - - - -
9adc8030 by Endi S. Dewata at 2022-04-01T16:29:48-05:00
Remove unused SystemCertData.ecType

- - - - -
8c4c419d by Endi S. Dewata at 2022-04-04T09:06:40-05:00
Consolidate RSA keypair usage constants

- - - - -
14c5c702 by Endi S. Dewata at 2022-04-04T09:06:40-05:00
Add pki nss-cert-request --key-wrap

The pki nss-cert-request --key-wrap option has been added to
generate an RSA key for wrapping/unwrapping. This is similar to
PKCS10Client -w option. There are no corresponding options in
CRMFPopClient and pki client-cert-request. In the future these
tools could be consolidated for simplicity & consistency.

- - - - -
352654b5 by Endi S. Dewata at 2022-04-04T09:06:40-05:00
Add pki nss-cert-request --ssl-ecdh

The pki nss-cert-request --ssl-ecdh option has been added to
generate an EC key for SSL with ECDH ECDSA. This is similar to
PKCS10Client -x, CRMFPopClient -x, and pki client-cert-request
--ssl-ecdh options. In the future these tools could be
consolidated for simplicity & consistency.

- - - - -
e754c7d3 by Endi S. Dewata at 2022-04-04T09:10:39-05:00
Ignore banner prompts during installation

pkispawn has been modified to ignore banner prompts during
installation.

- - - - -
dd40ce3d by Endi S. Dewata at 2022-04-04T09:10:39-05:00
Add tests for installation with banners

The tests for installing sub CA and installing KRA, OCSP, TKS,
and TPS on separate instances have been modified to use banners.

- - - - -
7552d500 by Endi S. Dewata at 2022-04-04T10:42:42-05:00
Update TKS tests to use RSNv3

- - - - -
488f5317 by Endi S. Dewata at 2022-04-04T16:43:04-05:00
Update pki nss-cert-request

The pki nss-cert-request has been modified to support
hexadecimal key IDs with 0x prefix. A default value has
been added for the --curve parameter.

- - - - -
df33951b by Endi S. Dewata at 2022-04-04T17:03:31-05:00
Update NSSDatabase.find_cert_keys()

The NSSDatabase.find_cert_keys() has been modified such that
the cert nickname param is optional. It has also been renamed
to find_keys().

- - - - -
85852884 by Endi S. Dewata at 2022-04-04T18:05:26-05:00
Normalize key types in pkispawn

- - - - -
77583f04 by Endi S. Dewata at 2022-04-05T08:59:49-05:00
Clean up RSNv1 params

pkispawn has been modified to add RSNv1 params only if RSNv1 is
enabled. The RSNv1 test has been modified to perform migration
to RSNv3.

- - - - -
e653dfdd by Endi S. Dewata at 2022-04-05T14:12:26-05:00
Update CI tests to cache build artifacts

The CI tests have been modified to use cache action to
distribute build artifacts among the jobs which should
be faster than using upload/download actions.

- - - - -
c736cb0b by Endi S. Dewata at 2022-04-05T15:39:51-05:00
Add test_PKICertImport.bash into pki-tests

- - - - -
01ab075c by Endi S. Dewata at 2022-04-05T18:32:33-05:00
Update tools tests to run in containers

- - - - -
90f2361e by Endi S. Dewata at 2022-04-06T15:48:31-05:00
Fix cert/key ID encoding

Most of the code that generates hexadecimal cert/key IDs using
Hex.encodeHexString() or CryptoUtil.encodeKeyID() has been updated
to use Utils.HexEncode() for consistency except in legacy tools
for backward compatibility.

- - - - -
856f0ac4 by Endi S. Dewata at 2022-04-06T18:51:41-05:00
Update log messages in HttpConnection

- - - - -
507fe31f by Endi S. Dewata at 2022-04-06T18:58:34-05:00
Add null check for CryptoUtil.findPrivateKey()

- - - - -
21f4e83b by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate the PKI console com.netscape.admin.certsrv.wizard package

* Add package-info.java to warn about removal at the package level.
* Add deprecation annotations and javadoc to each class.
- - - - -
802d0f6a by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate the PKI console com.netscape.admin.certsrv.ug package

* Add package-info.java to warn about removal at the package level.
* Add deprecation annotations and javadoc to each class.
- - - - -
8d0f7686 by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate the PKI console com.netscape.admin.certsrv.task package

* Add package-info.java to warn about removal at the package level.
* Add deprecation annotations and javadoc to each class.
- - - - -
6f1c53b3 by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate the PKI console com.netscape.admin.certsrv.status package

* Add package-info.java to warn about removal at the package level.
* Add deprecation annotations and javadoc to each class.
- - - - -
b4716961 by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate the PKI console com.netscape.admin.certsrv.security
package

* Add package-info.java to warn about removal at the package level.
* Add deprecation annotations and javadoc to each class.
- - - - -
a4d78eb2 by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate the PKI console com.netscape.admin.certsrv.notification
package

* Add package-info.java to warn about removal at the package level.
* Add deprecation annotations and javadoc to each class.
- - - - -
e27c4169 by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate the PKI console com.netscape.admin.certsrv.misc package

* Add package-info.java to warn about removal at the package level.
* Add deprecation annotations and javadoc to each class.
- - - - -
b8d9796c by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate the PKI console com.netscape.admin.certsrv.menu package

* Add package-info.java to warn about removal at the package level.
* Add deprecation annotations and javadoc to each class.
- - - - -
5c5d0bdf by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate PKI console com.netscape.admin.certsrv.{key,managecert}

* Add package-info.java to warn about removal at the package level.
* Add deprecation annotations and javadoc to each class.
- - - - -
bd9d972a by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate the PKI console com.netscape.admin.certsrv.images package

* Add package-info.java to warn about removal at the package level.
- - - - -
66e50992 by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate the PKI console com.netscape.admin.certsrv.connection package

* Add package-info.java to warn about removal at the package level.
* Add deprecation annotations and javadoc to each class.
- - - - -
5148593d by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate the PKI console com.netscape.admin.certsrv.config.install
package

* Add package-info.java to warn about removal at the package level.
* Add deprecation annotations and javadoc to each class.
- - - - -
d083fa65 by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate the PKI console com.netscape.admin.certsrv.config package

* Add package-info.java to warn about removal at the package level.
* Add deprecation annotations and javadoc to each class.
- - - - -
2639b969 by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate the PKI console com.netscape.admin.certsrv package

* Add package-info.java to warn about removal at the package level.
* Add deprecation annotations and javadoc to each class.
- - - - -
afd1b477 by Chris Kelley at 2022-04-07T17:54:14+01:00
Deprecate the PKI console com.netscape.certsrv.client.connection package

* Add package-info.java to warn about removal at the package level.
* Add deprecation annotations and javadoc to each class.
- - - - -
cf7490f7 by Endi S. Dewata at 2022-04-07T12:27:14-05:00
Fix pylint issue

pki/server/deployment/__init__.py:873:19: E1101: Instance of
'SystemCertData' has no 'keyCurveName' member (no-member)

- - - - -
18a1d0c4 by Endi S. Dewata at 2022-04-08T08:14:42-05:00
Fix KeyId to preserve leading zeros

Previously KeyId was implemented using a BigInteger which
does not preserve leading zeros. This could cause a problem
when searching for a key in NSS database by its ID.

To fix the problem the KeyId has been modified to store the
ID as a byte array so it will preserve the leading zeros.

The KeyIdTest has been updated to test this scenario.

- - - - -
8052fae0 by Endi S. Dewata at 2022-04-08T16:35:19-05:00
Add pki-server http-connector-host-show

The pki-server http-connector-host-show has been added to
display the <SSLHostConfig> element in server.xml.

- - - - -
030b094a by Endi S. Dewata at 2022-04-08T16:35:19-05:00
Add pki-server http-connector-host-mod

The pki-server http-connector-host-mod has been added to
modify the <SSLHostConfig> element in server.xml.

- - - - -
684fb64b by Endi S. Dewata at 2022-04-08T17:07:44-05:00
Update log messages in ConnectorServlet.service()

- - - - -
97b20923 by Chris Kelley at 2022-04-11T15:07:28+01:00
Use "if connector is None" instead of "if not connector"

* Restarting tomcat I noticed a FutureWarning around the use of the "if
not <object>" syntax - so it would appear that behaviour is to change in
a future version of Python.
- - - - -
23b7afb0 by Christina Fu at 2022-04-11T10:48:41-07:00
Bug2071081 p12 passwd in debug

This patch comments the debug line out.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2071081

- - - - -
616b3d20 by Endi S. Dewata at 2022-04-11T14:17:54-05:00
Replace deprecated LDAPv2 with LDAPv3

- - - - -
0f059bda by Endi S. Dewata at 2022-04-11T16:31:08-05:00
Clean up log message in TokenService.changeTokenStatus()

- - - - -
81e31447 by Endi S. Dewata at 2022-04-11T16:48:02-05:00
Replace deprecated X509CertImpl.getSubjectDN() with getSubjectName()

- - - - -
5a8c0eb6 by Endi S. Dewata at 2022-04-11T16:54:52-05:00
Replace deprecate X509CertImpl.getIssuerDN() with getIssuerName()

- - - - -
fa549d98 by Endi S. Dewata at 2022-04-12T09:46:06-05:00
Fix cert/key ID handling in pki pkcs12 CLIs

The pki pkcs12-key-remove has been modified to use the KeyId
class which can handle hexadecimal key IDs with 0x prefix.

The pki pkcs12-cert-export/mod have been modified to strip the
0x prefix from cert IDs. In the future this code may be replaced
with CertId class that can handle hexadecimal cert IDs properly.

Resolves: https://github.com/dogtagpki/pki/issues/3974

- - - - -
f57c9fb5 by Christina Fu at 2022-04-12T11:51:27-07:00
Bug2072185 p12 password

This patch comments out 2 more locations of possible exposure.

bug ref: bugzilla.redhat.com/show_bug.cgi?id=2072185

- - - - -
5e9e1e7f by Endi S. Dewata at 2022-04-12T22:05:58-05:00
Remove redundant code

- - - - -
172c0b1d by Endi S. Dewata at 2022-04-12T22:14:48-05:00
Update version number to 11.2.0-beta1

- - - - -
9f353d72 by Chris Kelley at 2022-04-14T15:38:40+01:00
Fix login to TPS UI (and other /<subsystem>/ui pages)

Some accidental renaming occurred when mapping from XML to JSON; change
the JSON property names to match the original XML version.
- - - - -
eda1e598 by Chris Kelley at 2022-04-14T15:47:49+01:00
Remove com.netscape.certsrv.base.Link
- - - - -
34b3367f by Chris Kelley at 2022-04-14T16:11:10+01:00
Remove Locale from IExtendedPluginInfo.getExtendedPluginInfo signature

* The interface forces ~85 classes to needlessly carry around a Locale
object - it is only actually used in 2 places.
* Those 2 exceptions keep their Locales, with a no-arg implementation
that utilises the default Locale.
* One class doesn't actually implement the interface at all, now it does
* There are various classes that have identical method names but with
different signatures - I removed the unused args from those too.
* This could all be tidied up a bit better with more work on the
interface but this change is already sufficiently large.

* Also some clean up in AAclAuthz - which is how I started pulling on
this thread in the first place

- - - - -
5cd91977 by Endi S. Dewata at 2022-04-14T12:43:50-05:00
Fix build.sh --work-dir option

The build.sh --work-dir option has been updated to use the
provided package name by default.

- - - - -
41e26042 by Endi S. Dewata at 2022-04-14T13:56:17-05:00
Drop obsolete conditionals in pki.spec

- - - - -
16ad44df by Endi S. Dewata at 2022-04-14T14:26:44-05:00
Add base/meta

The code in pki.spec that creates the README for the meta
package has been converted into CMake script in base/meta.

- - - - -
7840247b by Endi S. Dewata at 2022-04-14T14:44:03-05:00
Remove redundant BUILD_PKI_CORE option

- - - - -
8efeeac3 by Endi S. Dewata at 2022-04-14T15:04:59-05:00
Rename BUILD_PKI_CONSOLE to WITH_CONSOLE

- - - - -
38d7caa2 by Endi S. Dewata at 2022-04-14T15:54:03-05:00
Move jboss-logging.jar link creation into CMake

- - - - -
a3b76b63 by Endi S. Dewata at 2022-04-14T15:54:46-05:00
Move javax.annotations-api.jar link creation into CMake

- - - - -
b23c4201 by Endi S. Dewata at 2022-04-14T16:22:07-05:00
Remove redundant JAVA_VERSION parameter

- - - - -
3e0ba124 by Endi S. Dewata at 2022-04-14T17:20:02-05:00
Fix Javadoc warnings

- - - - -
f444154c by Endi S. Dewata at 2022-04-18T09:33:47-05:00
Rename WITH_TEST to RUN_TESTS

The WITH_TEST option for CMake has been renamed into RUN_TESTS
for clarity.

- - - - -
2e547178 by Endi S. Dewata at 2022-04-18T09:33:51-05:00
Add WITH_TESTS option for CMake

The WITH_TESTS option for CMake has been added for creating the
tests package.

- - - - -
eec86850 by Endi S. Dewata at 2022-04-18T13:09:37-05:00
Clean up WITH_SERVER option

The spec file and the CMake script have been modified to
require the server package to build subsystem packages.

- - - - -
594ea8ca by Chris Kelley at 2022-04-19T13:31:25+01:00
Make CertificateAuthority implement IAuthority directly

* This gives CertificateAuthority a similar inheritance hierarchy to the
other subsystem authorities
* It was necessary to move RequestInQListener into base/ca once this
class directly referenced CertificateAuthority.
- - - - -
bff754ed by Endi S. Dewata at 2022-04-19T15:33:20-05:00
Bump Tomcat JSS dependency

- - - - -
fbcefb25 by Endi S. Dewata at 2022-04-19T16:47:14-05:00
Clean up usages and usages masks

- - - - -
da895b41 by Endi S. Dewata at 2022-04-19T19:49:58-05:00
Add pki nss-key-create

The pki nss-key-create has been added to create a key pair
in NSS database just like pki nss-cert-request but without
creating a CSR.

- - - - -
60c057b2 by Endi S. Dewata at 2022-04-19T19:49:58-05:00
Add NSSDatabase.create_key()

The NSSDatabase.create_key() has been added to create a key
pair in NSS database using pki nss-key-create.

- - - - -
273f2f59 by Endi S. Dewata at 2022-04-19T19:49:58-05:00
Add PKIDeployer.create_cert_key()

The PKIDeployer.create_cert_key() has been added to create
the cert key locally instead of remotely on the server (i.e.
in SystemConfigService.createRequest()).

- - - - -
88bd351a by Endi S. Dewata at 2022-04-19T19:49:58-05:00
Clean up SystemConfigService.createRequest()

The code in SystemConfigService.createRequest() that creates
a new key pair has been removed since it has become redundant.

- - - - -
3e6b1ac0 by Chris Kelley at 2022-04-20T17:46:51+01:00
Make dates displayed in /ca/ui page human readable.
- - - - -
6ddfa23a by Chris Kelley at 2022-04-20T17:46:51+01:00
Fix display of token parameters in web UI
- - - - -
dafd1238 by Chris Kelley at 2022-04-20T17:46:51+01:00
Make timestamps human readable in /tps/ui/tokens
- - - - -
0877d9dc by Endi S. Dewata at 2022-04-20T15:14:12-05:00
Add PKIDeployment.create_cert_request()

The code that calls the server to create the cert request
has been moved into PKIDeployment.create_cert_request().

- - - - -
9b92e682 by Endi S. Dewata at 2022-04-20T15:16:33-05:00
Add PKIDeployment.create_cert()

The code that calls the server to create the cert has been
moved into PKIDeployment.create_cert().

- - - - -
5432438d by Chris Kelley at 2022-04-21T14:55:19+01:00
Fix Activity data in TPS UI

- - - - -
050aef1d by Chris Kelley at 2022-04-21T18:10:06+01:00
Split ca-tests.yml into two runs.

The runner is getting memory-stressed which is causing intermittent test
failures. Breaking up the number of jobs should reduce the burden on the
runner and prevent this from happening.

- - - - -
ffa401d2 by Endi S. Dewata at 2022-04-25T12:20:52-05:00
Move get_key_params() into PKIDeployer

- - - - -
fc2f5a10 by Endi S. Dewata at 2022-04-25T12:20:52-05:00
Update configuration.py to use PKIDeployer.get_key_params()

- - - - -
97daf9a3 by Endi S. Dewata at 2022-04-25T12:20:52-05:00
Add curve and hash_alg to NSSDatabase.__create_request()

- - - - -
cc1a5df9 by Endi S. Dewata at 2022-04-25T12:20:52-05:00
Add key_id and cka_id to NSSDatabase.__create_request()

- - - - -
d4f1889d by Endi S. Dewata at 2022-04-25T12:20:52-05:00
Add basic_constraints_ext to NSSDatabase.__create_request()

- - - - -
63b80272 by Endi S. Dewata at 2022-04-25T12:20:52-05:00
Add key_usage_ext to NSSDatabase.__create_request()

- - - - -
be2cfe42 by Endi S. Dewata at 2022-04-25T12:20:52-05:00
Add extended_key_usage_ext to NSSDatabase.__create_request()

- - - - -
d4f7da2d by Endi S. Dewata at 2022-04-25T12:20:52-05:00
Add subject_key_id to NSSDatabase.__create_request()

- - - - -
01155ca8 by Endi S. Dewata at 2022-04-25T12:20:52-05:00
Add generic_exts to NSSDatabase.__create_request()

- - - - -
8bd4c943 by Endi S. Dewata at 2022-04-25T14:01:23-05:00
Move generate_csr() into PKIDeployer

- - - - -
1bfd8f93 by Endi S. Dewata at 2022-04-25T14:01:23-05:00
Update PKIDeployer.generate_csr() to use JSS

- - - - -
a32b0bf7 by Endi S. Dewata at 2022-04-25T14:01:23-05:00
Refactor SystemConfigService.createRequest()

The code in SystemConfigService.createRequest() that generates a
cert request has been moved into PKIDeployer.create_cert_request().

- - - - -
3ec129da by Endi S. Dewata at 2022-04-25T14:01:23-05:00
Remove unused SystemConfigService.createRequest()

- - - - -
5545aa75 by Endi S. Dewata at 2022-04-25T16:34:00-05:00
Move create_temp_sslserver_cert() into PKIDeployer

- - - - -
3797c13a by Endi S. Dewata at 2022-04-25T16:39:02-05:00
Move remove_temp_sslserver_cert() into PKIDeployer

- - - - -
80f759c7 by Endi S. Dewata at 2022-04-25T16:43:17-05:00
Move import_perm_sslserver_cert() into PKIDeployer

- - - - -
b4ea92cc by Endi S. Dewata at 2022-04-25T17:18:19-05:00
Update log messages in CryptoUtil

- - - - -
95bd10f0 by Endi S. Dewata at 2022-04-25T17:18:19-05:00
Update log messages in NSSDatabase

- - - - -
bf2277e1 by Endi S. Dewata at 2022-04-25T17:19:06-05:00
Update log messages in RequestRepository

- - - - -
df20db20 by Endi S. Dewata at 2022-04-25T17:19:06-05:00
Update log messages in CertRequestRepository

- - - - -
87d724a0 by Endi S. Dewata at 2022-04-25T17:22:25-05:00
Update log messages in CertificateRepository

- - - - -
9868b6b4 by Endi S. Dewata at 2022-04-25T17:46:05-05:00
Update log messages in LDAPConfigurator

- - - - -
1d1b7385 by Endi S. Dewata at 2022-04-25T17:46:05-05:00
Update log messages in CACertClient

- - - - -
a5460310 by Endi S. Dewata at 2022-04-25T17:46:05-05:00
Update log messages in SubsystemCLI

- - - - -
471689b4 by Endi S. Dewata at 2022-04-26T14:06:04-05:00
Clean up PKIDeployer.setup_system_certs()

The PKIDeployer.setup_system_certs() has been modified to
set up the system certs one by one.

- - - - -
6547155c by Endi S. Dewata at 2022-04-26T14:10:31-05:00
Clean up PKIDeployer.setup_system_cert()

The PKIDeployer.setup_system_cert() has been modified to
search for cert keys only if the cert exists.

- - - - -
9c5f63cb by Endi S. Dewata at 2022-04-26T14:13:05-05:00
Update log messages in pki-server ca-cert-import

- - - - -
223c88f3 by Endi S. Dewata at 2022-04-26T15:21:36-05:00
Refactor CAConfigurator.createCert()

The code in CAConfigurator.createCert() that imports the cert
into database has been moved into PKIDeployer.import_cert().

- - - - -
e7bf143f by Endi S. Dewata at 2022-04-26T15:21:36-05:00
Remove unused CAConfigurator.createCertRecord()

- - - - -
00300fb1 by Endi S. Dewata at 2022-04-26T16:15:55-05:00
Move ConfigClient.set_system_cert_info() to PKIDeployer

- - - - -
2253aace by Endi S. Dewata at 2022-04-26T16:15:58-05:00
Merge ConfigClient.set_ca_signing_cert_info() into PKIDeployer

- - - - -
08ae564e by Endi S. Dewata at 2022-04-26T16:16:02-05:00
Merge ConfigClient.set_ocsp_signing_cert_info() into PKIDeployer

- - - - -
f1e647c2 by Endi S. Dewata at 2022-04-26T16:16:06-05:00
Merge ConfigClient.set_storage_cert_info() into PKIDeployer

- - - - -
044fc9ba by Endi S. Dewata at 2022-04-26T16:17:40-05:00
Merge ConfigClient.set_transport_cert_info() into PKIDeployer

- - - - -
1d357d72 by Endi S. Dewata at 2022-04-26T16:18:57-05:00
Merge ConfigClient.set_audit_signing_cert_info() into PKIDeployer

- - - - -
488f8aba by Endi S. Dewata at 2022-04-26T16:26:54-05:00
Merge ConfigClient.set_sslserver_cert_info() into PKIDeployer

- - - - -
1fee8425 by Endi S. Dewata at 2022-04-26T16:27:42-05:00
Merge ConfigClient.set_subsystem_cert_info() into PKIDeployer

- - - - -
9830b66a by Endi S. Dewata at 2022-04-26T17:04:36-05:00
Merge ConfigClient.create_system_cert() into PKIDeployer

- - - - -
a072dd26 by Endi S. Dewata at 2022-04-26T17:06:11-05:00
Remove unused ConfigClient

- - - - -
45791fef by Endi S. Dewata at 2022-04-26T19:01:47-05:00
Clean up PKISubsystem.get_cert_info()

- - - - -
c86f7257 by Endi S. Dewata at 2022-04-26T19:07:58-05:00
Clean up PKISubsystem.get_nssdb_cert_info()

- - - - -
5d563b7c by Endi S. Dewata at 2022-04-26T21:45:31-05:00
Clean up PKISubsystem.get_subsystem_cert()

- - - - -
94f31922 by Endi S. Dewata at 2022-04-26T21:46:36-05:00
Add SystemCertData.certID

- - - - -
b1e27202 by Endi S. Dewata at 2022-04-26T21:46:36-05:00
Refactor CAConfigurator.createCert()

The CAConfigurator.createCert() has been modified to take
a cert ID.

- - - - -
6d4993f8 by Endi S. Dewata at 2022-04-26T21:46:36-05:00
Move CAConfigurator.createRequestID() into CAInstallerService

- - - - -
b71edf6d by Endi S. Dewata at 2022-04-26T21:46:36-05:00
Move CAConfigurator.createCertID() into CAInstallerService

- - - - -
68791a31 by Endi S. Dewata at 2022-04-26T21:46:36-05:00
Move CAConfigurator.createCert() into CAInstallerService

- - - - -
1b710d74 by Endi S. Dewata at 2022-04-26T21:51:27-05:00
Move CAConfigurator.initSubsystem() into CAInstallerService

- - - - -
999facff by Endi S. Dewata at 2022-04-26T21:53:47-05:00
Move SystemConfigService.validatePin() into CAInstallerService

- - - - -
ac58c79d by Endi S. Dewata at 2022-04-26T21:53:47-05:00
Remove unused SystemCertData.tag

- - - - -
646f8ee8 by Chris Kelley at 2022-04-28T07:22:04+01:00
Remove unused parameters from process methods.
- - - - -
e3f7e845 by Chris Kelley at 2022-04-29T17:37:49+01:00
Fix TPS /ui/certs/ dates to be human readable.
- - - - -
f646ff66 by Endi S. Dewata at 2022-04-29T13:31:25-05:00
Add RPM macros for timestamp and commit ID

- - - - -
f2bdbf24 by Endi S. Dewata at 2022-04-29T13:31:25-05:00
Add RPM macro for development phase

- - - - -
6db542f0 by Endi S. Dewata at 2022-04-29T13:31:25-05:00
Add RPM macros for version and release numbers

- - - - -
ae9556d7 by Endi S. Dewata at 2022-05-02T11:09:10-05:00
Update version number to 11.2.0-beta2

- - - - -
8563b013 by Chris Kelley at 2022-05-03T08:01:18+01:00
Remove unnecessary Locale parameter from CertUtils.parseKeyGen()
- - - - -
5ced1079 by Chris Kelley at 2022-05-03T08:01:18+01:00
Remove unused methods from Profile.
- - - - -
0c70167e by Christina Fu at 2022-05-03T14:41:19-07:00
Bug2072185-p12-passwd-http-GET-params

This patch handles the p12 passwd missed in GET

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2072185

- - - - -
00bb6c3a by Chris Kelley at 2022-05-04T13:55:15+01:00
Tidy up in CertificateVersionDefault

* Remove unnecessary else clauses
* Introduce CMS_INVALID_PROPERTY static constant
* Combine identical catch blocks
* Use Integer.parseInt()
* Prefer blocks to statements
* Fill an empty catch where we subsequently check for null
* Tidy up formatting/whitespace
* Put array designator on the type
- - - - -
537b10b9 by Chris Kelley at 2022-05-05T07:25:55+01:00
Use SHA-256 for authentication methods
- - - - -
d778e96a by Chris Kelley at 2022-05-05T07:28:21+01:00
Add code field to TPSStatus enum

* There is an epic switch statement that sets an integer value based on
the TPSStatus. Instead have the integer as a field in the enum to save
the unnecessary boilerplate.

* At first glance it appears that the new field is also unnecessary and
we can just use the status.ordinal() value but we can't as two of the
enum entries have the same code value.
- - - - -
73b18627 by Chris Kelley at 2022-05-05T14:40:37+01:00
Fix typo bug in KeyService.auditKeyInfoSuccess()

The current implementation ignores the KeyId parameter passed in and
uses an internal field of KeyService instead. It seems unlikely this was
the intention; it is likely that this is a typo that was missed because
the erroneous variable happened to exist and the code compiled. The
implementation was changed to use the parameter instead.
- - - - -
e5a4e4aa by Chris Kelley at 2022-05-05T17:27:03+01:00
Replace Assert.assert* methods with assert* static imports

In JUnit 5 org.junit.Assert is replaced with
org.junit.jupiter.api.Assertions. Migrating seems like it could be a big
diff but we can make it a bit smaller by using static imports now. That
way when we migrate the method signature in the calling code is the
same, it is only the import which needs to change.
- - - - -
cce88875 by Chris Kelley at 2022-05-05T17:37:01+01:00
Tidy up ACLEntry

* Replace for loops that are actually while loops with while loops
* Remove unnecessary Boolean literal comparison
* Rename Type enum entries to match the JLS
* Make empty class constructor private to prevent instantiation
* Simplify checkPermission by not returning Boolean literals

- - - - -
0136904c by Chris Kelley at 2022-05-06T12:59:35+01:00
Tidy up AAclAuthz

* Make logger final
* Rename EvalutionOrder enum entries to match JLS
* Remove unnecessary semicolon
* Make empty constructor protected
* Remove overridden shutdown method to simply inherit it
* Put array designator on type not the variable
* Drastically simplify evaluateExp by stripping it of Boolean literals
* Use while loop for for loops that are actually while loops
* Prefer isEmpty() to checking size()

- - - - -
1a06cbe2 by Endi S. Dewata at 2022-05-10T19:15:29-05:00
Fix COPR build failure

The .copr/Makefile has been updated to fix COPR build failure
caused by changes in Git 2.35.2:
fatal: unsafe repository (<current dir> is owned by someone else)

https://stackoverflow.com/questions/71901632/fatal-unsafe-repository-home-repon-is-owned-by-someone-else

- - - - -
a6697aca by Chris Kelley at 2022-05-10T20:04:46-05:00
Update version to 11.2.0-0.4.beta3

- - - - -
76a69455 by Endi S. Dewata at 2022-05-12T16:40:43-05:00
Add issuer param for NSSDatabase.__create_cert()

- - - - -
ed5781e8 by Endi S. Dewata at 2022-05-12T16:40:43-05:00
Update NSSDatabase.__create_cert()

The NSSDatabase.__create_cert() has been updated to create
a temporary file to store the cert extension config.

- - - - -
4d9ab3a4 by Endi S. Dewata at 2022-05-17T20:18:43+01:00
Add NSSDatabase.__create_basic_constraints_ext()

The code that creates the basic constraints extension config has
been moved into NSSDatabase.__create_basic_constraints_ext() such
that it can be reused by __create_cert().

- - - - -
b50aa325 by Endi S. Dewata at 2022-05-17T20:18:43+01:00
Add NSSDatabase.__create_key_usage_ext()

The code that creates the key usage extension config has been
moved into NSSDatabase.__create_key_usage_ext() such that it can
be reused by __create_cert().

- - - - -
2927d4fe by Endi S. Dewata at 2022-05-17T20:18:43+01:00
Add NSSDatabase.__create_extended_key_usage_ext()

The code that creates the extended key usage extension config has
been moved into NSSDatabase.__create_extended_key_usage_ext() such
that it can be reused by __create_cert().

- - - - -
fa492e1f by Endi S. Dewata at 2022-05-17T20:18:43+01:00
Add NSSDatabase.__create_ski_ext()

The code that generates the subject key ID extension config has
been moved into NSSDatabase.__create_ski_ext() such that it can
be reused by __create_cert().

- - - - -
f67eefa7 by Endi S. Dewata at 2022-05-18T15:36:34+01:00
Add NSSDatabase.__create_aki_ext()

The NSSDatabase.__create_aki_ext() has been added to generate
the authority key ID extension config for __create_cert().

- - - - -
8cb01a92 by Endi S. Dewata at 2022-05-18T15:36:34+01:00
Add NSSDatabase.__create_aia_ext()

The NSSDatabase.__create_aia_ext() has been added to generate the
authority info access extension config for __create_cert().

- - - - -
73cecf9b by Endi S. Dewata at 2022-05-18T15:36:34+01:00
Update PKISubsystem.temp_cert_create()

The PKISubsystem.temp_cert_create() has been modified to use JSS
(i.e. pki nss-cert-create) instead of NSS (i.e. certutil) to
generate a temporary SSL server cert since certutil is unable to
handle large serial numbers.

Resolves: https://github.com/dogtagpki/pki/issues/3996

- - - - -
f9ba9006 by Endi S. Dewata at 2022-05-18T18:48:23+01:00
Fix installation with RSA/PSS

The pki ca-cert-import and pki nss-cert-import CLIs have been
modified to parse the cert data after initializing JSS to ensure
that it works with RSA/PSS.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083575

- - - - -
9a1be7c2 by Endi S. Dewata at 2022-05-18T18:48:23+01:00
Add test for installing CA with RSA/PSS

- - - - -
4b165d90 by Endi S. Dewata at 2022-05-18T18:48:23+01:00
Add doc for installing CA with RSA/PSS

- - - - -
3b5319a9 by Chris Kelley at 2022-06-09T15:41:49+01:00
Fix serial type in nss-cert-issue request in nssdb.py

The command expects a str input but we were providing numerical input.
We didn't notice before as this code path had no coverage, but now that we
use JSS instead of NSS for issuing temporary certs we have coverage of
this method, unearthing this issue.
- - - - -
44182da1 by Endi S. Dewata at 2022-06-09T16:49:37+01:00
Fix pki-lint script

Previously the pki-lint script relied on sysconfig.get_path()
to get the RPM installation path of the PKI module. In Fedora 36
the method no longer returns the RPM installation path, so the
Python test failed.

To fix the problem the pki-lint script has been modified to
go through sys.path entries to find the PKI module installed
on the system.

https://docs.fedoraproject.org/en-US/fedora/f36/release-notes/developers/Development_Python/

- - - - -
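The search this commit describes, shown as an added, constructed example rather than the project's pki-lint script: walk the interpreter's import path in order and stop at the first entry that actually contains the package, instead of trusting sysconfig.get_path() to name the RPM install location. The package name "pki" used in the demo, the temporary directory tree and the function names are assumptions for the illustration; the real script's exact checks are not shown on this page.

```python
import os
import sys
import tempfile


def find_package_dir(name, search_path=None):
    """Return the location of `name` found by walking search_path in order.

    search_path defaults to sys.path. Each entry is checked for a regular
    package (name/__init__.py) and then for a single-file module (name.py);
    the first hit wins, matching the order the import system uses for plain
    directories. Entries that are not directories (zip archives, eggs,
    stale paths) are skipped. Returns None when nothing matches.
    """
    entries = sys.path if search_path is None else search_path
    for entry in entries:
        base = entry or os.getcwd()  # '' on sys.path means the current dir
        if not os.path.isdir(base):
            continue
        pkg_init = os.path.join(base, name, "__init__.py")
        if os.path.isfile(pkg_init):
            return os.path.dirname(pkg_init)
        module = os.path.join(base, name + ".py")
        if os.path.isfile(module):
            return module
    return None


def demo_on_temp_tree():
    """Build a constructed search path (a missing entry, a directory without
    the package, and one holding a stand-in 'pki' package) and resolve it."""
    root = tempfile.mkdtemp()
    empty = os.path.join(root, "empty")
    site = os.path.join(root, "site-packages")
    os.makedirs(empty)
    os.makedirs(os.path.join(site, "pki"))
    with open(os.path.join(site, "pki", "__init__.py"), "w") as f:
        f.write("# constructed stand-in for the installed pki package\n")
    search_path = [os.path.join(root, "missing"), empty, site]
    return {
        "pki": find_package_dir("pki", search_path),
        "expected": os.path.join(site, "pki"),
        "absent": find_package_dir("nosuchmodule", search_path),
    }


if __name__ == "__main__":
    print(demo_on_temp_tree())
    print(find_package_dir("pki"))  # the real sys.path on this machine
```

Walking sys.path finds the copy the interpreter would actually import, which is the one a lint run needs to inspect; comparing that result with sysconfig.get_path("purelib") is a quick way to spot the kind of mismatch the Fedora 36 change introduced.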
6516145a by Endi S. Dewata at 2022-06-09T16:49:37+01:00
Fix pylint warnings in pki module

- - - - -
b04a896b by Endi S. Dewata at 2022-06-09T16:49:37+01:00
Fix pylint warnings in pki.cli.pkcs12 module

- - - - -
14aa546b by Endi S. Dewata at 2022-06-09T16:49:37+01:00
Fix pylint warnings in pki.nssdb module

- - - - -
f48d811b by Endi S. Dewata at 2022-06-09T16:49:37+01:00
Fix pylint warnings in pki.pkcs12 module

- - - - -
890be1b2 by Endi S. Dewata at 2022-06-09T16:49:37+01:00
Fix pylint warnings in pki.profile module

- - - - -
566ae017 by Endi S. Dewata at 2022-06-09T16:49:37+01:00
Fix pylint warnings in pki.server module

- - - - -
50e30beb by Endi S. Dewata at 2022-06-09T16:49:37+01:00
Fix pylint warnings in pki.server.cli.audit module

- - - - -
42320ad9 by Endi S. Dewata at 2022-06-09T16:49:37+01:00
Fix pylint warnings in pki.server.cli.banner module

- - - - -
e8e55915 by Endi S. Dewata at 2022-06-09T16:49:37+01:00
Fix pylint warnings in pki.server.cli.cert module

- - - - -
cfa7272c by Endi S. Dewata at 2022-06-09T16:49:37+01:00
Fix pylint warnings in pki.server.cli.nss module

- - - - -
8c7f1519 by Endi S. Dewata at 2022-06-09T16:49:37+01:00
Fix pylint warnings in pki.server.cli.nuxwdog module

- - - - -
3aed2e33 by Endi S. Dewata at 2022-06-09T16:49:37+01:00
Fix pylint warnings in pki.server.cli.subsystem module

- - - - -
a771a3f9 by Endi S. Dewata at 2022-06-09T16:49:38+01:00
Fix pylint warnings in pki.server.deployment module

- - - - -
096405cf by Endi S. Dewata at 2022-06-09T16:49:38+01:00
Fix pylint warnings in pki.server.deployment.pkihelper module

- - - - -
b9d3923b by Endi S. Dewata at 2022-06-09T16:49:38+01:00
Fix pylint warnings in pki.server.deployment.pkimanifest module

- - - - -
cacfbeaf by Endi S. Dewata at 2022-06-09T16:49:38+01:00
Fix pylint warnings in pki.server.deployment.pkiparser module

- - - - -
9ebd4524 by Endi S. Dewata at 2022-06-09T16:49:38+01:00
Fix pylint warnings in pki.server.deployment.scriptlets module

- - - - -
615cb9d0 by Endi S. Dewata at 2022-06-09T16:49:38+01:00
Fix pylint warnings in pki.server.instance module

- - - - -
67a4fd1b by Endi S. Dewata at 2022-06-09T16:49:38+01:00
Fix pylint warnings in pki.server.pkidestroy module

- - - - -
dd86f825 by Endi S. Dewata at 2022-06-09T16:49:38+01:00
Fix pylint warnings in pki.server.subsystem module

- - - - -
12e37d78 by Endi S. Dewata at 2022-06-09T16:49:38+01:00
Fix pylint warnings in pki.upgrade module

- - - - -
6b422915 by Endi S. Dewata at 2022-06-09T16:49:38+01:00
Fix pylint warnings in pki.util module

- - - - -
4ddf0e71 by Endi S. Dewata at 2022-06-09T16:49:38+01:00
Fix pylint warnings in upgrade scripts

- - - - -
ac24623d by Endi S. Dewata at 2022-06-09T17:20:20+01:00
Update OCSP test

The latest OpenSSL OCSP client generates additional error
messages when it talks to an OCSP responder that does not
have any CRLs. The OCSP test has been updated to expect the
extra messages.

- - - - -
dc5dec3a by Endi S. Dewata at 2022-06-15T08:38:44-05:00
Update IPA test

The IPA test has been updated to check the certs for DS, PKI,
and HTTPD.

- - - - -
b6cd80e3 by Chris Kelley at 2022-06-16T18:01:20+01:00
Fix incorrect record parsing in EnrollDefault

Some refactoring to improve the code caused a regression.
The original code is restored, with the exception of the unnecessary else clause.

- - - - -
08af82c8 by Endi S. Dewata at 2022-06-21T12:09:03-05:00
Fix missing SKI in CSR

The NSSCertRequestCLI has been modified to provide a public key
to the NSSExtensionGenerator such that it can be used to generate
an SKI extension for the CSR.

The NSSExtensionGenerator.createExtensions() has been extended
to support CSR (with subject key) and cert (with issuer and
request).

The NSSExtensionGenerator.createSKIDExtension() has been modified
to take a subject key instead of PKCS10 object.

The preop.cert.signing.subject_key_id config param is no longer
needed since the value is only used within the same process (i.e.
pkispawn) so it has been removed.

The CA test has been updated to validate pki_req_ski=DEFAULT. The
support for pki_req_ski=<hex> will be restored separately later.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2099312

- - - - -
58a397a0 by Endi S. Dewata at 2022-06-23T14:53:25-05:00
Restore support for custom SKI in CSR

The NSSExtensionGenerator.createSKIDExtension() has been updated
to support custom (user-provided) SKI.

The Python code has been updated to transform the hex value from
pki_req_ski into the format required by NSSExtensionGenerator.

The CA test has been updated to use pki_req_ski=<hex>, but for
now the result will need to be validated manually in the CI.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2099312

- - - - -
9a3e9e59 by Endi S. Dewata at 2022-06-28T11:17:01-05:00
Add error message for pki ca-profile-add

The pki ca-profile-add has been modified to display an error
message instead of generating an exception if the input file
does not exist.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2015151

- - - - -
d0d9cd91 by Endi S. Dewata at 2022-06-29T19:38:33-05:00
Update version number to 11.2.0

- - - - -
1d983970 by Chris Kelley at 2022-07-14T15:51:14+01:00
Disable access to external entities when parsing XML

This reduces the vulnerability of XML parsers to XXE (XML external
entity) injection.

The best way to prevent XXE is to stop using XML altogether, which we do
plan to do. Until that happens I consider it worthwhile to tighten the
security here though.
- - - - -
6beb1bd2 by Chris Kelley at 2022-08-04T06:48:51+01:00
Update version to 11.2.1

- - - - -


6 changed files:

- .classpath
- .copr/Makefile
- + .github/workflows/acme-tests.yml
- + .github/workflows/ca-tests.yml
- + .github/workflows/ca-tests2.yml
- + .github/workflows/ipa-tests.yml


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/f4b72edb5c703c0a8aae64ae07970407c83f656c...6beb1bd260c14868f6c5b761185016d0d6826e1a


