[Freeipa-devel] [PATCH 0014 v3] Support multiple user and host certificates

Mon Jun 1 12:50:45 UTC 2015

On 01/06/15 06:40, Fraser Tweedale wrote:
> New version of patch; ``{host,service}-show --out=FILE`` now writes
> all certs to FILE.  Rebased on latest master.
>
> Thanks,
> Fraser
>
> On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser Tweedale wrote:
>> Updated patch attached.  Notably restores/adds revocation behaviour
>> to host-mod and service-mod.
>>
>> Thanks,
>> Fraser
>>
>> On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote:
>>> On 27/05/15 15:53, Fraser Tweedale wrote:
>>>> This patch adds supports for multiple user / host certificates.  No
>>>> schema change is needed ('usercertificate' attribute is already
>>>> multi-value).  The revoke-previous-cert behaviour of host-mod and
>>>> user-mod has been removed but revocation behaviour of -del and
>>>> -disable is preserved.
>>>>
>>>> The latest profiles/caacl patchset (0001..0013 v5) depends on this
>>>> patch for correct cert-request behaviour.
>>>>
>>>> There is one design question (or maybe more, let me know): the
>>>> `--out=FILENAME' option to {host,service} show saves ONE certificate
>>>> to the named file.  I propose to either:
>>>>
>>>> a) write all certs, suffixing suggested filename with either a
>>>>     sequential numerical index, e.g. "cert.pem" becomes
>>>>     "cert.pem.1", "cert.pem.2", and so on; or
>>>>
>>>> b) as above, but suffix with serial number and, if there are
>>>>     different issues, some issuer-identifying information.
>>>>
>>>> Let me know your thoughts.
>>>>
>>>> Thanks,
>>>> Fraser
>>>>
>>>>
>>> Is there a possible way how to store certificates into one file?
>>> I read about possibilities to have multiple certs in one .pem file, but I'm
>>> not cert guru :)
>>>
>>> I personally vote for serial number in case there are multiple certificates,
>>> if ^ is no possible.
>>>
>>>
>>> 1)
>>> +            if len(certs) > 0:
>>>
>>> please use only,
>>> if certs:
>>>
>>> 2)
>>> You need to re-generate API/ACI.txt in this patch
>>>
>>> 3)
>>> syntax error:
>>> +        for dercert in certs_der
>>>
>>>
>>> 4)
>>> command
>>> ipa user-mod ca_user --certificate=<ceritifcate>
>>>
>>> removes the current certificate from the LDAP, by design.
>>> Should be the old certificate(s) revoked? You removed that part in the code.
>>>
>>> only the --addattr='usercertificate=<cert>' appends new value there
>>>
>>> -- 
>>> Martin Basti
>>>
My objections/proposed solutions in attached patch.

* VERSION
* In the previous version normalized values was stored in LDAP, so I 
added it back.  (I dont know why there is no normalization in param 
settings, but normalization for every certificate is done in callback. I 
will file a ticket for this)
* IMO only normalized certificates should be compared in the old 
certificates detection

-- 
Martin Basti

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-review.patch
Type: text/x-patch
Size: 3309 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150601/b5c90ac5/attachment.bin>