[Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

Jan Cholasta jcholast at redhat.com
Tue Jul 29 08:21:44 UTC 2014


On 28.7.2014 at 21:39, Rob Crittenden wrote:
> This is oh-so close. AFAICT it generally does what it should, I think it
> is ready for a wider audience. Just a few more things:
>
> 306: A while True loop is used for something which AFAICT can only ever
> execute once. I'd think something like this is more readable:
>
> for ca_nick, ca_flags in db.list_certs():
>      if db.has_nickname(ca_cert):
>          try:
>              db.delete_cert(ca_nick)
>          except ipautil.CalledProcessError:
>              syslog.syslog(
>                  syslog.LOG_ERR,
>                  "Failed to remove certificate %s" % ca_nick)

Actually the while loop is necessary, because certutil -D (and in turn 
CertDB.delete_cert) deletes just a single cert with the nickname, but 
there may be more versions of it and we need to delete them all.

>
> +1 on the additional syslogs. It will help figure out what's going on if
> things go sideways.
>
> Otherwise things seem to be working. I think that fixing the above is
> enough for a +57 with the promise of unit tests to back up some of these
> new functions.

I'm working on that.

>
> rob
>

I have made a slight adjustment to patch 246 because of 
<https://fedorahosted.org/freeipa/ticket/4039>, see 
<http://www.redhat.com/archives/freeipa-devel/2014-July/msg00369.html>.

Updated rebased patches attached.

(once again, the correct order to apply them is 241-253, 262-294, 
303-305, 295-299, 306-307)

-- 
Jan Cholasta
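The nickname behaviour explained above (certutil -D, and thus CertDB.delete_cert, removes one certificate per call even when several certificates share a nickname) as an added example; this is not code from the message or from the FreeIPA patches. It is a small Python model: FakeNSSDB is a constructed in-memory stand-in whose list_certs(), has_nickname() and delete_cert() follow the method names quoted in the review, CertutilDB is the same interface on top of the real certutil binary (assumed to be on PATH; not exercised by the sample), remove_once() shows what a loop that runs once leaves behind, and remove_all_certs_with_nickname() is the repeat-until-gone loop. All class and function names here are introduced for the example.

```python
"""Remove every certificate stored under one NSS nickname.

Added example, not FreeIPA code. ``certutil -D -n NICK`` deletes one
certificate per invocation, so when several certificates share a nickname
(e.g. an old and a renewed CA certificate) a single delete leaves copies
behind and the deletion has to be repeated until has_nickname() is false.
"""
import logging
import re
import subprocess
from typing import List, Tuple

log = logging.getLogger(__name__)

# Data rows of a ``certutil -L`` listing end in "<ssl>,<email>,<objsign>"
_TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")


class FakeNSSDB:
    """Constructed in-memory stand-in for an NSS database: one row per
    certificate in list_certs(); delete_cert() removes exactly one
    certificate carrying the nickname, like ``certutil -D -n``."""

    def __init__(self, certs: List[Tuple[str, str]]):
        self.certs = list(certs)  # (nickname, trust flags); duplicates allowed

    def list_certs(self) -> List[Tuple[str, str]]:
        return list(self.certs)

    def has_nickname(self, nickname: str) -> bool:
        return any(nick == nickname for nick, _ in self.certs)

    def delete_cert(self, nickname: str) -> None:
        for i, (nick, _) in enumerate(self.certs):
            if nick == nickname:
                del self.certs[i]
                return
        # certutil exits non-zero when no certificate has the nickname
        raise subprocess.CalledProcessError(255, ["certutil", "-D", "-n", nickname])


class CertutilDB:
    """Same interface on top of the real certutil binary (assumed on PATH)."""

    def __init__(self, dbdir: str):
        self.dbdir = dbdir

    def list_certs(self) -> List[Tuple[str, str]]:
        out = subprocess.check_output(["certutil", "-L", "-d", self.dbdir],
                                      universal_newlines=True)
        certs = []
        for line in out.splitlines():
            parts = line.rstrip().rsplit(None, 1)  # nickname may contain spaces
            if len(parts) == 2 and _TRUST_RE.match(parts[1]):
                certs.append((parts[0].rstrip(), parts[1]))
        return certs

    def has_nickname(self, nickname: str) -> bool:
        return any(nick == nickname for nick, _ in self.list_certs())

    def delete_cert(self, nickname: str) -> None:
        subprocess.check_call(["certutil", "-D", "-d", self.dbdir, "-n", nickname])


def remove_once(db, nickname: str) -> int:
    """One delete call; returns 0 or 1. With duplicate nicknames the
    remaining copies stay in the database."""
    if not db.has_nickname(nickname):
        return 0
    db.delete_cert(nickname)
    return 1


def remove_all_certs_with_nickname(db, nickname: str) -> int:
    """Delete until no certificate with ``nickname`` is left; returns the
    number removed. Logs and stops on a certutil failure so a persistent
    error cannot turn the loop into a busy spin."""
    removed = 0
    while db.has_nickname(nickname):
        try:
            db.delete_cert(nickname)
        except subprocess.CalledProcessError:
            log.error("Failed to remove certificate %s", nickname)
            break
        removed += 1
    return removed


def demo() -> Tuple[int, bool, int, bool]:
    """Constructed sample: two certificates under 'External CA cert' (old and
    renewed) plus an unrelated server certificate."""
    sample = [("External CA cert", "CT,C,C"),
              ("Server-Cert", "u,u,u"),
              ("External CA cert", "CT,C,C")]
    once_db = FakeNSSDB(sample)
    once_removed = remove_once(once_db, "External CA cert")
    once_left = once_db.has_nickname("External CA cert")

    loop_db = FakeNSSDB(sample)
    loop_removed = remove_all_certs_with_nickname(loop_db, "External CA cert")
    loop_left = loop_db.has_nickname("External CA cert")
    return once_removed, once_left, loop_removed, loop_left


if __name__ == "__main__":
    print(demo())  # (1, True, 2, False)
```

The single-shot variant removes one certificate and still reports the nickname as present; the loop removes both copies and leaves the unrelated certificate untouched. Against a real database, replace FakeNSSDB with CertutilDB("/path/to/nssdb") and the same two functions apply unchanged.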
-------------- next part --------------
Attachments (56 patches, type text/x-patch; the apply order is the one given in the message):

freeipa-jcholast-241.8-Add-function-for-checking-if-certificate-is-self-sig.patch (895 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment.bin>
freeipa-jcholast-242.8-Support-CA-certificate-renewal-in-dogtag-ipa-ca-rene.patch (3126 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0001.bin>
freeipa-jcholast-243.8-Allow-IPA-master-hosts-to-update-CA-certificate-in-L.patch (1077 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0002.bin>
freeipa-jcholast-244.8-Automatically-update-CA-certificate-in-LDAP-on-renew.patch (2383 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0003.bin>
freeipa-jcholast-245.8-Track-CA-certificate-using-dogtag-ipa-ca-renew-agent.patch (5097 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0004.bin>
freeipa-jcholast-246.8-Add-method-for-setting-CA-renewal-master-in-LDAP-to-.patch (2739 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0005.bin>
freeipa-jcholast-247.8-Provide-additional-functions-to-ipapython.certmonger.patch (2097 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0006.bin>
freeipa-jcholast-248.8-Move-external-cert-validation-from-ipa-server-instal.patch (5954 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0007.bin>
freeipa-jcholast-249.8-Add-method-for-verifying-CA-certificates-to-NSSDatab.patch (1824 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0008.bin>
freeipa-jcholast-250.8-Add-permissions-for-CA-certificate-renewal.patch (3887 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0009.bin>
freeipa-jcholast-251.8-Add-CA-certificate-management-tool-ipa-cacert-manage.patch (17294 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0010.bin>
freeipa-jcholast-252.8-Alert-user-when-externally-signed-CA-is-about-to-exp.patch (1670 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0011.bin>
freeipa-jcholast-253.8-Load-sysupgrade.state-on-demand.patch (1341 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0012.bin>
freeipa-jcholast-262.7-Pick-new-CA-renewal-master-when-deleting-a-replica.patch (3778 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0013.bin>
freeipa-jcholast-263.6-Remove-master-ACIs-when-deleting-a-replica.patch (2614 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0014.bin>
freeipa-jcholast-264.6-Do-not-use-ldapi-in-certificate-renewal-scripts.patch (12315 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0015.bin>
freeipa-jcholast-265.6-Check-that-renewed-certificates-coming-from-LDAP-are.patch (2898 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0016.bin>
freeipa-jcholast-266.5-Allow-IPA-master-hosts-to-read-and-update-IPA-master.patch (3191 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0017.bin>
freeipa-jcholast-267.5-Do-not-treat-the-IPA-RA-cert-as-CA-cert-in-DS-NSS-da.patch (3574 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0018.bin>
freeipa-jcholast-268.5-Remove-certificate-External-CA-cert-from-etc-pki-nss.patch (1511 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0019.bin>
freeipa-jcholast-269.5-Allow-specifying-trust-flags-in-NSSDatabase-and-Cert.patch (1986 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0020.bin>
freeipa-jcholast-270.5-Fix-trust-flags-in-HTTP-and-DS-NSS-databases.patch (8975 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0021.bin>
freeipa-jcholast-271.5-Add-LDAP-schema-for-wrapped-cryptographic-keys.patch (3979 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0022.bin>
freeipa-jcholast-272.5-Add-LDAP-schema-for-certificate-store.patch (3439 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0023.bin>
freeipa-jcholast-273.5-Add-container-for-certificate-store.patch (1852 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0024.bin>
freeipa-jcholast-274.5-Configure-attribute-uniqueness-for-certificate-store.patch (2379 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0025.bin>
freeipa-jcholast-275.5-Add-permissions-for-certificate-store.patch (12821 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0026.bin>
freeipa-jcholast-276.5-Add-functions-for-extracting-certificates-fields-in-.patch (3376 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0027.bin>
freeipa-jcholast-277.5-Add-function-for-extracting-extended-key-usage-from-.patch (1752 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0028.bin>
freeipa-jcholast-278.5-Add-certificate-store-module-ipalib.certstore.patch (15471 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0029.bin>
freeipa-jcholast-279.5-Upload-CA-chain-from-DS-NSS-database-to-certificate-.patch (3206 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0030.bin>
freeipa-jcholast-280.5-Upload-CA-chain-from-DS-NSS-database-to-certificate-.patch (4282 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0031.bin>
freeipa-jcholast-281.5-Rename-CertDB-method-add_cert-to-import_cert.patch (1684 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0032.bin>
freeipa-jcholast-282.5-Add-new-add_cert-method-for-adding-certificates-to-N.patch (3843 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0033.bin>
freeipa-jcholast-283.5-Import-CA-certs-from-certificate-store-to-DS-NSS-dat.patch (3020 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0034.bin>
freeipa-jcholast-284.5-Import-CA-certs-from-certificate-store-to-HTTP-NSS-d.patch (1599 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0035.bin>
freeipa-jcholast-285.5-Upload-renewed-CA-cert-to-certificate-store-on-renew.patch (1674 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0036.bin>
freeipa-jcholast-286.5-Refactor-CA-certificate-fetching-code-in-ipa-client-.patch (7364 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0037.bin>
freeipa-jcholast-287.5-Support-multiple-CA-certificates-in-etc-ipa-ca.crt-i.patch (11021 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0038.bin>
freeipa-jcholast-288.5-Add-function-for-writing-list-of-certificates-to-a-P.patch (4357 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0039.bin>
freeipa-jcholast-289.5-Get-CA-certs-for-etc-ipa-ca.crt-from-certificate-sto.patch (4372 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0040.bin>
freeipa-jcholast-290.5-Allow-overriding-NSS-database-path-in-RPCClient.patch (1705 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0041.bin>
freeipa-jcholast-291.5-Get-CA-certs-for-etc-pki-nssdb-from-certificate-stor.patch (10849 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0042.bin>
freeipa-jcholast-292.5-Add-functions-for-DER-encoding-certificate-extension.patch (1790 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0043.bin>
freeipa-jcholast-293.5-Get-CA-certs-for-system-wide-store-from-cert-store-i.patch (10220 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0044.bin>
freeipa-jcholast-294.5-Get-up-to-date-CA-certificates-from-certificate-stor.patch (3398 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0045.bin>
freeipa-jcholast-295.5-Add-new-NSSDatabase-method-get_cert-for-getting-cert.patch (1467 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0046.bin>
freeipa-jcholast-296.5-Allow-changing-chaining-of-the-IPA-CA-certificate-in.patch (4556 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0047.bin>
freeipa-jcholast-297.5-Update-CS.cfg-on-IPA-CA-certificate-chaining-change-.patch (3345 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0048.bin>
freeipa-jcholast-298.5-Allow-adding-CA-certificates-to-certificate-store-in.patch (5873 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0049.bin>
freeipa-jcholast-299.5-Allow-upgrading-CA-less-to-CA-full-using-ipa-ca-inst.patch (15881 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0050.bin>
freeipa-jcholast-303.3-Add-client-certificate-update-tool-ipa-certupdate.patch (12141 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0051.bin>
freeipa-jcholast-304.2-Export-full-CA-chain-to-etc-ipa-ca.crt-in-ipa-server.patch (1110 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0052.bin>
freeipa-jcholast-305.2-Allow-multiple-CA-certificates-in-replica-info-files.patch (1478 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0053.bin>
freeipa-jcholast-306.1-Update-external-CA-cert-in-Dogtag-NSS-DB-on-IPA-CA-c.patch (4211 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0054.bin>
freeipa-jcholast-307.1-Enable-NSS-PKIX-certificate-path-discovery-and-valid.patch (4267 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20140729/c08cc556/attachment-0055.bin>

