From alee at redhat.com  Tue Sep  4 14:00:31 2012
From: alee at redhat.com (Ade Lee)
Date: Tue, 04 Sep 2012 10:00:31 -0400
Subject: [Pki-devel] [PATCH] 107 Added proxy realm.
In-Reply-To: <503FB2CE.4070703@redhat.com>
References: <503573E0.7030007@redhat.com>
	<1346160812.2539.135.camel@aleeredhat.laptop>
	<503E9245.8050403@redhat.com> <503FB2CE.4070703@redhat.com>
Message-ID: <1346767231.24731.3.camel@aleeredhat.laptop>

ack
On Thu, 2012-08-30 at 13:37 -0500, Endi Sukma Dewata wrote:
> On 8/29/2012 5:05 PM, Endi Sukma Dewata wrote:
> > On 8/28/2012 8:33 AM, Ade Lee wrote:
> >> The changes look ok, although due to the issue in one of the previous
> >> patches, I cannot build yet using the compose scripts.
> >
> > New patch attached. I added allowLinking=true so now it can use links in
> > the WEB-INF/lib.
> >
> >> What effect does this patch have on the patch that mharmsen is currently
> >> working on?  At the very least, you will need to modify where it is
> >> checking for links for the dogtag 10 instance.
> >
> > I modified the operations and functions to check the pki-*.jars at the
> > new location.
> >
> >> And how does this affect a dogtag 9 instance running under dogtag 10
> >> code?
> >
> > I tried upgrading Dogtag 9 instance and it seems to be working fine. The
> > pki-tomcat.jar link will be added into common/lib so the code in
> > CMSStartServlet will still work although it's not used.
> 
> Rebased. No code change.
> 




From alee at redhat.com  Tue Sep  4 14:04:09 2012
From: alee at redhat.com (Ade Lee)
Date: Tue, 04 Sep 2012 10:04:09 -0400
Subject: [Pki-devel] [PATCH] 108 Fixed conflicting LDIF files.
In-Reply-To: <503FB2D9.3040505@redhat.com>
References: <503FB2D9.3040505@redhat.com>
Message-ID: <1346767449.24731.4.camel@aleeredhat.laptop>

ack

On Thu, 2012-08-30 at 13:37 -0500, Endi Sukma Dewata wrote:
> During subsystem configuration the ConfigurationUtils.importLDIFS()
> would generate LDIF files in <instance>/conf folder which may conflict
> with files belonging to other subsystems. The code has been modified
> to generate the files in <instance>/<subsystem>/conf folder.
> 
> Ticket #89
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From alee at redhat.com  Tue Sep  4 14:26:28 2012
From: alee at redhat.com (Ade Lee)
Date: Tue, 04 Sep 2012 10:26:28 -0400
Subject: [Pki-devel] [PATCH] 109 Merged Javadoc packages.
In-Reply-To: <503FD6E4.5090309@redhat.com>
References: <503FD6E4.5090309@redhat.com>
Message-ID: <1346768788.24731.5.camel@aleeredhat.laptop>

ack

On Thu, 2012-08-30 at 16:11 -0500, Endi Sukma Dewata wrote:
> The Javadocs for pki-util, pki-java-tools and pki-common have been
> merged and packaged into pki-javadoc RPM.
> 
> Ticket #295
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From alee at redhat.com  Tue Sep  4 14:26:41 2012
From: alee at redhat.com (Ade Lee)
Date: Tue, 04 Sep 2012 10:26:41 -0400
Subject: [Pki-devel] [PATCH] 110 Removed duplicate common classes in
 pki-console.jar.
In-Reply-To: <503FFA63.60601@redhat.com>
References: <503FFA63.60601@redhat.com>
Message-ID: <1346768804.24731.6.camel@aleeredhat.laptop>

ack
On Thu, 2012-08-30 at 18:42 -0500, Endi Sukma Dewata wrote:
> The pki-console has been modified to depend on pki-base. This way
> it's no longer necessary to include duplicate common classes in
> pki-console.
> 
> Ticket #113
> 
> I verified installing pki-base, dogtag-pki-console-theme, and 
> pki-console and running pkiconsole to connect to a remote CA.
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From edewata at redhat.com  Tue Sep  4 14:49:21 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 04 Sep 2012 09:49:21 -0500
Subject: [Pki-devel] [PATCH] 108 Fixed conflicting LDIF files.
In-Reply-To: <1346767449.24731.4.camel@aleeredhat.laptop>
References: <503FB2D9.3040505@redhat.com>
	<1346767449.24731.4.camel@aleeredhat.laptop>
Message-ID: <504614F1.8080600@redhat.com>

On 9/4/2012 9:04 AM, Ade Lee wrote:
> ack

Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Tue Sep  4 14:49:29 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 04 Sep 2012 09:49:29 -0500
Subject: [Pki-devel] [PATCH] 110 Removed duplicate common classes in
	pki-console.jar.
In-Reply-To: <1346768804.24731.6.camel@aleeredhat.laptop>
References: <503FFA63.60601@redhat.com>
	<1346768804.24731.6.camel@aleeredhat.laptop>
Message-ID: <504614F9.7060000@redhat.com>

On 9/4/2012 9:26 AM, Ade Lee wrote:
> ack

Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Tue Sep  4 21:46:05 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 04 Sep 2012 16:46:05 -0500
Subject: [Pki-devel] [PATCH] 111 Added common theme webapp.
Message-ID: <5046769D.5060507@redhat.com>

A new theme webapp has been added to store the theme files for
all PKI webapps. In the future the subsystem webapps can be
modified to use the theme files provided by this common webapp
instead of having to include duplicate files in each webapp.

Ticket #89

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0111-Added-common-theme-webapp.patch
Type: text/x-patch
Size: 3774 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120904/2303d27b/attachment.bin>

From edewata at redhat.com  Tue Sep  4 21:46:24 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 04 Sep 2012 16:46:24 -0500
Subject: [Pki-devel] [PATCH] 112 Added common ROOT webapp.
Message-ID: <504676B0.3050209@redhat.com>

The current ROOT webapp will redirect users coming to the root
URL path to the proper path of the subsystem's webapp.

Since now a single Tomcat instance may have multiple subsystems,
a new ROOT webapp has been added to present the user with a menu
of all available webapps from all subsystems in the instance.

Ticket #89

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0112-Added-common-ROOT-webapp.patch
Type: text/x-patch
Size: 21644 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120904/b636558e/attachment.bin>

From edewata at redhat.com  Tue Sep  4 21:46:29 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 04 Sep 2012 16:46:29 -0500
Subject: [Pki-devel] [PATCH] 113 Fixed SELinux error during pkidestroy.
Message-ID: <504676B5.8040501@redhat.com>

When removing a subsystem the pkidestroy would also remove the SELinux
contexts for the instance regardless of whether there are still other
subsystems in the instance. The code has been fixed such that it's
removing the SELinux contexts when deleting the last subsystem only.

Ticket #89

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0113-Fixed-SELinux-error-during-pkidestroy.patch
Type: text/x-patch
Size: 5042 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120904/94fd215f/attachment.bin>

From cfu at redhat.com  Tue Sep  4 22:27:57 2012
From: cfu at redhat.com (Christina Fu)
Date: Tue, 04 Sep 2012 15:27:57 -0700
Subject: [Pki-devel] [PATCH] spec file version adjustment
Message-ID: <5046806D.3090807@redhat.com>

when code is changed in a package, the version number in each 
corresponding spec file needs to be bumped up by one.
This patch adjusts what had been missed for the code
*Bug 745278* <https://bugzilla.redhat.com/show_bug.cgi?id=745278> -[RFE] 
ECC encryption keys cannot be archived

Please review.
thanks,
Christina
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120904/087d4517/attachment.htm>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-version-number-adjustment.patch
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120904/087d4517/attachment.ksh>

From mharmsen at redhat.com  Tue Sep  4 22:30:24 2012
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 04 Sep 2012 15:30:24 -0700
Subject: [Pki-devel] [PATCH] spec file version adjustment
In-Reply-To: <5046806D.3090807@redhat.com>
References: <5046806D.3090807@redhat.com>
Message-ID: <50468100.2040702@redhat.com>

On 09/04/12 15:27, Christina Fu wrote:
> when code is changed in a package, the version number in each 
> corresponding spec file needs to be bumped up by one.
> This patch adjusts what had been missed for the code
> *Bug 745278* <https://bugzilla.redhat.com/show_bug.cgi?id=745278> 
> -[RFE] ECC encryption keys cannot be archived
>
> Please review.
> thanks,
> Christina
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120904/84ea5060/attachment.htm>

From edewata at redhat.com  Tue Sep  4 22:43:52 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 04 Sep 2012 17:43:52 -0500
Subject: [Pki-devel] [PATCH] 106 Moved WAR creation code into CMake
	scripts.
In-Reply-To: <503FB2C2.6000306@redhat.com>
References: <503573D6.30006@redhat.com>
	<1346125966.2539.98.camel@aleeredhat.laptop>
	<503FB2C2.6000306@redhat.com>
Message-ID: <50468428.4070906@redhat.com>

On 8/30/2012 1:36 PM, Endi Sukma Dewata wrote:
> New patch attached. The code is now moved into pkispawn so it will use
> the correct theme files.

New patch attached. The war_explosion.py has been renamed into 
webapp_deployment.py.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0106-2-Moved-webapp-deployment-code-into-pkispawn.patch
Type: text/x-patch
Size: 15233 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120904/d35effea/attachment.bin>

From edewata at redhat.com  Tue Sep  4 22:44:19 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 04 Sep 2012 17:44:19 -0500
Subject: [Pki-devel] [PATCH] 107 Added proxy realm.
In-Reply-To: <503FB2CE.4070703@redhat.com>
References: <503573E0.7030007@redhat.com>
	<1346160812.2539.135.camel@aleeredhat.laptop>
	<503E9245.8050403@redhat.com> <503FB2CE.4070703@redhat.com>
Message-ID: <50468443.5080109@redhat.com>

On 8/30/2012 1:37 PM, Endi Sukma Dewata wrote:
> Rebased. No code change.

Rebased again, no code change.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0107-3-Added-proxy-realm.patch
Type: text/x-patch
Size: 34880 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120904/6e85c822/attachment.bin>

From mharmsen at redhat.com  Wed Sep  5 02:41:41 2012
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 04 Sep 2012 19:41:41 -0700
Subject: [Pki-devel] [PATCH] 106 Moved WAR creation code into CMake
	scripts.
In-Reply-To: <50468428.4070906@redhat.com>
References: <503573D6.30006@redhat.com>
	<1346125966.2539.98.camel@aleeredhat.laptop>
	<503FB2C2.6000306@redhat.com> <50468428.4070906@redhat.com>
Message-ID: <5046BBE5.60405@redhat.com>

On 09/04/12 15:43, Endi Sukma Dewata wrote:
> On 8/30/2012 1:36 PM, Endi Sukma Dewata wrote:
>> New patch attached. The code is now moved into pkispawn so it will use
>> the correct theme files.
>
> New patch attached. The war_explosion.py has been renamed into 
> webapp_deployment.py.
>
Successfully built, installed, deployed, and tested on 64-bit Fedora 17 
machine.

ACK



From edewata at redhat.com  Wed Sep  5 15:14:59 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 05 Sep 2012 10:14:59 -0500
Subject: [Pki-devel] [PATCH] 106 Moved WAR creation code into CMake
	scripts.
In-Reply-To: <5046BBE5.60405@redhat.com>
References: <503573D6.30006@redhat.com>
	<1346125966.2539.98.camel@aleeredhat.laptop>
	<503FB2C2.6000306@redhat.com> <50468428.4070906@redhat.com>
	<5046BBE5.60405@redhat.com>
Message-ID: <50476C73.4020007@redhat.com>

On 9/4/2012 9:41 PM, Matthew Harmsen wrote:
> ACK

Pushed to master. Thanks.

-- 
Endi S. Dewata



From edewata at redhat.com  Wed Sep  5 15:15:03 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 05 Sep 2012 10:15:03 -0500
Subject: [Pki-devel] [PATCH] 107 Added proxy realm.
In-Reply-To: <1346767231.24731.3.camel@aleeredhat.laptop>
References: <503573E0.7030007@redhat.com>
	<1346160812.2539.135.camel@aleeredhat.laptop>
	<503E9245.8050403@redhat.com> <503FB2CE.4070703@redhat.com>
	<1346767231.24731.3.camel@aleeredhat.laptop>
Message-ID: <50476C77.60608@redhat.com>

On 9/4/2012 9:00 AM, Ade Lee wrote:
> ack

Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Wed Sep  5 15:15:08 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 05 Sep 2012 10:15:08 -0500
Subject: [Pki-devel] [PATCH] 109 Merged Javadoc packages.
In-Reply-To: <1346768788.24731.5.camel@aleeredhat.laptop>
References: <503FD6E4.5090309@redhat.com>
	<1346768788.24731.5.camel@aleeredhat.laptop>
Message-ID: <50476C7C.2030603@redhat.com>

On 9/4/2012 9:26 AM, Ade Lee wrote:
> ack

Pushed to master. Thanks.

-- 
Endi S. Dewata



From mharmsen at redhat.com  Sat Sep  8 02:02:38 2012
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 07 Sep 2012 19:02:38 -0700
Subject: [Pki-devel] [PATCH] Verify Symbolic Links (Dogtag 9)
Message-ID: <504AA73E.3070802@redhat.com>

The following patch fixes the problem of being unable to install an 
instance that does not contain the default name described in the 
following TRAC ticket:

  * TRAC Ticket #301 -Need to modify init scripts to verify needed
    symlinks in an instance

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120907/58ace9d2/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20120907-Verify-symbolic-links-Dogtag-9.patch
Type: text/x-patch
Size: 1163 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120907/58ace9d2/attachment.bin>

From mharmsen at redhat.com  Sat Sep  8 02:02:43 2012
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 07 Sep 2012 19:02:43 -0700
Subject: [Pki-devel] [PATCH] Verify Symbolic Links (Dogtag 10)
Message-ID: <504AA743.6040409@redhat.com>

The following patch fixes the problem of being unable to install an 
instance that does not contain the default name described in the 
following TRAC ticket:

  * TRAC Ticket #301 -Need to modify init scripts to verify needed
    symlinks in an instance

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120907/b08d24e3/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20120907-Verify-symbolic-links-Dogtag-10.patch
Type: text/x-patch
Size: 1165 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120907/b08d24e3/attachment.bin>

From jmagne at redhat.com  Sat Sep  8 02:07:43 2012
From: jmagne at redhat.com (John Magne)
Date: Fri, 7 Sep 2012 22:07:43 -0400 (EDT)
Subject: [Pki-devel] [PATCH] Verify Symbolic Links (Dogtag 10)
In-Reply-To: <504AA743.6040409@redhat.com>
Message-ID: <1038798.31640156.1347070063554.JavaMail.root@redhat.com>

Looks like simple change:

ACK

----- Original Message -----
From: "Matthew Harmsen" <mharmsen at redhat.com>
To: "pki-devel" <pki-devel at redhat.com>
Sent: Friday, September 7, 2012 7:02:43 PM
Subject: [Pki-devel] [PATCH] Verify Symbolic Links (Dogtag 10)


The following patch fixes the problem of being unable to install an instance that does not contain the default name described in the following TRAC ticket: 


    * TRAC Ticket #301 - Need to modify init scripts to verify needed symlinks in an instance 

_______________________________________________
Pki-devel mailing list
Pki-devel at redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel



From jmagne at redhat.com  Sat Sep  8 02:11:07 2012
From: jmagne at redhat.com (John Magne)
Date: Fri, 7 Sep 2012 22:11:07 -0400 (EDT)
Subject: [Pki-devel] [PATCH] Verify Symbolic Links (Dogtag 9)
In-Reply-To: <504AA73E.3070802@redhat.com>
Message-ID: <1152178241.31640216.1347070267986.JavaMail.root@redhat.com>

ACK

----- Original Message -----
From: "Matthew Harmsen" <mharmsen at redhat.com>
To: "pki-devel" <pki-devel at redhat.com>
Sent: Friday, September 7, 2012 7:02:38 PM
Subject: [Pki-devel] [PATCH] Verify Symbolic Links (Dogtag 9)


The following patch fixes the problem of being unable to install an instance that does not contain the default name described in the following TRAC ticket: 


    * TRAC Ticket #301 - Need to modify init scripts to verify needed symlinks in an instance 

_______________________________________________
Pki-devel mailing list
Pki-devel at redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel



From mharmsen at redhat.com  Sat Sep  8 03:20:27 2012
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 07 Sep 2012 20:20:27 -0700
Subject: [Pki-devel] Request to rebuild pki-core-9.0.23-1 for Dogtag 9 on
 Fedora 16 and Fedora 17 in Koji
Message-ID: <504AB97B.2090705@redhat.com>

Andrew,

I have fixed 'TRAC Ticket #301 -Need to modify init scripts to verify 
needed symlinks in an instance' to be able to create non-default named 
instances, and have republished the source tarball.

Please rebuild the Dogtag 9 versions of pki-core-9.0.23-1 for Fedora 16 
and Fedora 17 in Koji.

Thanks,
-- Matt



From jmagne at redhat.com  Tue Sep 11 01:33:25 2012
From: jmagne at redhat.com (John Magne)
Date: Mon, 10 Sep 2012 21:33:25 -0400 (EDT)
Subject: [Pki-devel] GD Errata Status
Message-ID: <1270393823.32693808.1347327205992.JavaMail.root@redhat.com>


Code checked in, builds have been submitted for all packages.

The build system is bogging down apparently, will finish off the errata tomorrow.



From edewata at redhat.com  Tue Sep 11 20:32:05 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 11 Sep 2012 15:32:05 -0500
Subject: [Pki-devel] [PATCH] 114 Added dependency on redhat-rpm-config.
Message-ID: <504F9FC5.3080206@redhat.com>

To avoid multilib conflicts the spec file has been modified to
depend on redhat-rpm-config. This way the brp-java-repack-jars
will run to repack the JAR files to generate identical files
across architectures.

Ticket: #296

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0114-Added-dependency-on-redhat-rpm-config.patch
Type: text/x-patch
Size: 1751 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120911/4d147410/attachment.bin>

From alee at redhat.com  Tue Sep 11 21:47:22 2012
From: alee at redhat.com (Ade Lee)
Date: Tue, 11 Sep 2012 17:47:22 -0400
Subject: [Pki-devel] [PATCH] various fixes to pki-deploy
Message-ID: <1347400042.24731.127.camel@aleeredhat.laptop>

Please review.

Thanks, 
Ade

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0054-Various-fixes-to-installation-servlet-and-pki-deploy.patch
Type: text/x-patch
Size: 32605 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120911/b1869306/attachment.bin>

From cfu at redhat.com  Wed Sep 12 01:19:16 2012
From: cfu at redhat.com (Christina Fu)
Date: Tue, 11 Sep 2012 18:19:16 -0700
Subject: [Pki-devel] Review Request: Token Management System ECC
	infrastructure
Message-ID: <504FE314.5070506@redhat.com>

https://fedorahosted.org/pki/attachment/ticket/304/TPS-ECC.patch2

This patch provides TMS ECC infrastructure as described in task #304: 
https://fedorahosted.org/pki/ticket/304

I have merged/sanitized the code from two sources:
* Token ECC enrollment with client-side key generation support (provided 
by jmagne at redhat.com)
* TMS ECC enrollment with server-side key generation and key archival 
support (provided by myself - cfu at redhat.com)

The following tests have been conducted:
* ECC enrollment via tpsclient
* RSA enrollment via tpsclient
* RSA server-side key generation via tpsclient
* ECC server-side key generation via tpsclient
* ECC enrollment via smart card token (Safenet 330j)
* RSA enrollment via smart card token (Safenet sc650)

note 1: For ECC enrollments, you will need a newer java applet, which is 
not yet ready for checkin.

note 2: server-side key generation is currently not yet supported by the 
smart card token because of the lack of the key injection code, which 
will be covered by task #235 (https://fedorahosted.org/pki/ticket/235)

thanks,
Christina





From mharmsen at redhat.com  Wed Sep 12 02:20:17 2012
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 11 Sep 2012 19:20:17 -0700
Subject: [Pki-devel] [PATCH] Restart existing instances upon package update
Message-ID: <504FF161.7020208@redhat.com>

The attached patch addresses the following two PKI TRAC tickets:

  * TRAC Ticket #312 - Dogtag 10: Automatically restart any running
    instances upon RPM "update" . . .
  * TRAC Ticket #317 - Dogtag 10: Move "pkispawn"/"pkidestroy" from
    /usr/bin to /usr/sbin . . .

Please review this patch.

Thanks in advance,
-- Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120911/1a5e0092/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20120911-Restart-existing-instances-upon-package-update.patch
Type: text/x-patch
Size: 6400 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120911/1a5e0092/attachment.bin>

From alee at redhat.com  Wed Sep 12 14:31:25 2012
From: alee at redhat.com (Ade Lee)
Date: Wed, 12 Sep 2012 10:31:25 -0400
Subject: [Pki-devel] [PATCH] 114 Added dependency on redhat-rpm-config.
In-Reply-To: <504F9FC5.3080206@redhat.com>
References: <504F9FC5.3080206@redhat.com>
Message-ID: <1347460286.24731.137.camel@aleeredhat.laptop>

ack
On Tue, 2012-09-11 at 15:32 -0500, Endi Sukma Dewata wrote:
> To avoid multilib conflicts the spec file has been modified to
> depend on redhat-rpm-config. This way the brp-java-repack-jars
> will run to repack the JAR files to generate identical files
> across architectures.
> 
> Ticket: #296
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From edewata at redhat.com  Wed Sep 12 14:43:13 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 12 Sep 2012 09:43:13 -0500
Subject: [Pki-devel] [PATCH] 112 Added common ROOT webapp.
In-Reply-To: <504676B0.3050209@redhat.com>
References: <504676B0.3050209@redhat.com>
Message-ID: <50509F81.1060603@redhat.com>

On 9/4/2012 4:46 PM, Endi Sukma Dewata wrote:
> The current ROOT webapp will redirect users coming to the root
> URL path to the proper path of the subsystem's webapp.
>
> Since now a single Tomcat instance may have multiple subsystems,
> a new ROOT webapp has been added to present the user with a menu
> of all available webapps from all subsystems in the instance.
>
> Ticket #89

Rebased.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0112-1-Added-common-ROOT-webapp.patch
Type: text/x-patch
Size: 21664 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120912/01e28483/attachment.bin>

From edewata at redhat.com  Wed Sep 12 14:43:53 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 12 Sep 2012 09:43:53 -0500
Subject: [Pki-devel] [PATCH] 113 Fixed SELinux error during pkidestroy.
In-Reply-To: <504676B5.8040501@redhat.com>
References: <504676B5.8040501@redhat.com>
Message-ID: <50509FA9.6010301@redhat.com>

On 9/4/2012 4:46 PM, Endi Sukma Dewata wrote:
> When removing a subsystem the pkidestroy would also remove the SELinux
> contexts for the instance regardless of whether there are still other
> subsystems in the instance. The code has been fixed such that it's
> removing the SELinux contexts when deleting the last subsystem only.
>
> Ticket #89

New patch attached. Added log messages.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0113-1-Fixed-SELinux-error-during-pkidestroy.patch
Type: text/x-patch
Size: 6567 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120912/e7134131/attachment.bin>

From edewata at redhat.com  Wed Sep 12 14:45:15 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 12 Sep 2012 09:45:15 -0500
Subject: [Pki-devel] [PATCH] 114 Added dependency on redhat-rpm-config.
In-Reply-To: <1347460286.24731.137.camel@aleeredhat.laptop>
References: <504F9FC5.3080206@redhat.com>
	<1347460286.24731.137.camel@aleeredhat.laptop>
Message-ID: <50509FFB.40207@redhat.com>

On 9/12/2012 9:31 AM, Ade Lee wrote:
> ack

Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Wed Sep 12 17:51:21 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 12 Sep 2012 12:51:21 -0500
Subject: [Pki-devel] [PATCH] 111 Added common theme webapp.
In-Reply-To: <5046769D.5060507@redhat.com>
References: <5046769D.5060507@redhat.com>
Message-ID: <5050CB99.1000401@redhat.com>

On 9/4/2012 4:46 PM, Endi Sukma Dewata wrote:
> A new theme webapp has been added to store the theme files for
> all PKI webapps. In the future the subsystem webapps can be
> modified to use the theme files provided by this common webapp
> instead of having to include duplicate files in each webapp.
>
> Ticket #89

ACKed by Ade. Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Wed Sep 12 17:51:32 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 12 Sep 2012 12:51:32 -0500
Subject: [Pki-devel] [PATCH] 112 Added common ROOT webapp.
In-Reply-To: <50509F81.1060603@redhat.com>
References: <504676B0.3050209@redhat.com> <50509F81.1060603@redhat.com>
Message-ID: <5050CBA4.3020502@redhat.com>

On 9/12/2012 9:43 AM, Endi Sukma Dewata wrote:
> On 9/4/2012 4:46 PM, Endi Sukma Dewata wrote:
>> The current ROOT webapp will redirect users coming to the root
>> URL path to the proper path of the subsystem's webapp.
>>
>> Since now a single Tomcat instance may have multiple subsystems,
>> a new ROOT webapp has been added to present the user with a menu
>> of all available webapps from all subsystems in the instance.
>>
>> Ticket #89
>
> Rebased.

ACKed by Ade. Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Wed Sep 12 17:51:41 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 12 Sep 2012 12:51:41 -0500
Subject: [Pki-devel] [PATCH] 113 Fixed SELinux error during pkidestroy.
In-Reply-To: <50509FA9.6010301@redhat.com>
References: <504676B5.8040501@redhat.com> <50509FA9.6010301@redhat.com>
Message-ID: <5050CBAD.7030703@redhat.com>

On 9/12/2012 9:43 AM, Endi Sukma Dewata wrote:
> On 9/4/2012 4:46 PM, Endi Sukma Dewata wrote:
>> When removing a subsystem the pkidestroy would also remove the SELinux
>> contexts for the instance regardless of whether there are still other
>> subsystems in the instance. The code has been fixed such that it's
>> removing the SELinux contexts when deleting the last subsystem only.
>>
>> Ticket #89
>
> New patch attached. Added log messages.

ACKed by Ade. Pushed to master.

-- 
Endi S. Dewata



From jmagne at redhat.com  Thu Sep 13 00:41:19 2012
From: jmagne at redhat.com (John Magne)
Date: Wed, 12 Sep 2012 20:41:19 -0400 (EDT)
Subject: [Pki-devel] Review Request: Token Management System
	ECC	infrastructure
In-Reply-To: <504FE314.5070506@redhat.com>
Message-ID: <461841660.34169062.1347496879140.JavaMail.root@redhat.com>

Just a few Comments/Questions ...

GenerateKeyPairServlet.java



Apparently StringTokenizer is discouraged in new code in favor of String.split. 

Could the following code be made a bit more efficient using some built in container? :


// is the specified curve supported?
61	+            boolean isSupportedCurve = false;
62	+            for (int i=0; i<supportedECCurves.length; i++) {
63	+                if (rKeycurve.equals(supportedECCurves[i])) {
64	+                    isSupportedCurve = true;
65	+                }
66	+            }


RA_Enroll_Processor.cpp



In this code:

rv = ATOB_ConvertAsciiToItem (&der, pKey_ascii);
293	       if (rv != SECSuccess){
294	-       RA::Debug(LL_PER_CONNECTION,FN,
295	-               "failed to convert b64 private key to binary");
296	-       SECITEM_FreeItem(&der, PR_FALSE);
297	-         status = STATUS_ERROR_MAC_ENROLL_PDU;
298	-        PR_snprintf(audit_msg, 512, "ServerSideKeyGen: failed to convert b64 private key to binary");
299	-       goto loser;
300	-      }else {


If the call to ATOB_ConvertAsciiToItem fails, will there be a "der" variable to free with SECITEM_FreeItem ?

Also, I'm curious why the change of the original code? Looks like we've added an extra step of processing as here:

+      Buffer *decodePubKey = Util::URLDecode(pKey);
287	+      char *pKey_ascii =
288	+        BTOA_DataToAscii(decodePubKey->getBuf(), decodePubKey->getLen());


How are we freeing the eccParams? I see the commented out section. Does it happen later or automatically somewhere?

Buffer.cpp/Buffer.h

Looks like we've added functions to the buffer that are already present.
The length is gotten with the method "size()".   TPS_PUBLIC unsigned int size() const { return len; }
The raw buffer is obtainable with the operator "()". TPS_PUBLIC operator BYTE*() { return buf; }


SecureChannel.cpp

Looks like debug buffer calls like the following were previously commented out:

          RA::DebugBuffer("Secure_Channel::ComputeAPDUMac", "Data To MAC'ed",
1387	+                       &data);

Was this done for a reason? I ask because we are actually now issuing these debug commands.


----- Original Message -----
From: "Christina Fu" <cfu at redhat.com>
To: "pki-devel" <pki-devel at redhat.com>
Sent: Tuesday, September 11, 2012 6:19:16 PM
Subject: [Pki-devel] Review Request: Token Management System ECC	infrastructure

https://fedorahosted.org/pki/attachment/ticket/304/TPS-ECC.patch2

This patch provides TMS ECC infrastructure as described in task #304: 
https://fedorahosted.org/pki/ticket/304

I have merged/sanitized the code from two sources:
* Token ECC enrollment with client-side key generation support (provided 
by jmagne at redhat.com)
* TMS ECC enrollment with server-side key generation and key archival 
support (provided by myself - cfu at redhat.com)

The following tests have been conducted:
* ECC enrollment via tpsclient
* RSA enrollment via tpsclient
* RSA server-side key generation via tpsclient
* ECC server-side key generation via tpsclient
* ECC enrollment via smart card token (Safenet 330j)
* RSA enrollment via smart card token (Safenet sc650)

note 1: For ECC enrollments, you will need a newer java applet, which is 
not yet ready for checkin.

note 2: server-side key generation is currently not yet supported by the 
smart card token because of the lack of the key injection code, which 
will be covered by task #235 (https://fedorahosted.org/pki/ticket/235)

thanks,
Christina



_______________________________________________
Pki-devel mailing list
Pki-devel at redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel



From alee at redhat.com  Thu Sep 13 01:25:50 2012
From: alee at redhat.com (Ade Lee)
Date: Wed, 12 Sep 2012 21:25:50 -0400
Subject: [Pki-devel] [PATCH] Restart existing instances upon package
 update
In-Reply-To: <504FF161.7020208@redhat.com>
References: <504FF161.7020208@redhat.com>
Message-ID: <1347499551.24731.143.camel@aleeredhat.laptop>

ack
On Tue, 2012-09-11 at 19:20 -0700, Matthew Harmsen wrote:
> The attached patch addresses the following two PKI TRAC tickets:
>       * TRAC Ticket #312 - Dogtag 10: Automatically restart any
>         running instances upon RPM "update" . . .
>       * TRAC Ticket #317 - Dogtag 10: Move "pkispawn"/"pkidestroy"
>         from /usr/bin to /usr/sbin . . .
> Please review this patch.
> 
> Thanks in advance,
> -- Matt
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From mharmsen at redhat.com  Thu Sep 13 01:35:51 2012
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 12 Sep 2012 18:35:51 -0700
Subject: [Pki-devel] [PATCH] various fixes to pki-deploy
In-Reply-To: <1347400042.24731.127.camel@aleeredhat.laptop>
References: <1347400042.24731.127.camel@aleeredhat.laptop>
Message-ID: <50513877.3090402@redhat.com>

On 09/11/12 14:47, Ade Lee wrote:
> Please review.
>
> Thanks,
> Ade
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
ACK

Caveats:

  * The first time that I attempted to install a cloned CA, I failed
    with a Permissions error on the '/tmp/ca_backup_keys.p12' file that
    was copied from the master CA.  After discussions with Ade, we
    believe that this was due to SELinux being set to 'Enforcing', and
    since the '/tmp/ca_backup_keys.p12' file did not contain the
    appropriate SELinux permissions, the failure occurred.
  * Filed TRAC Ticket #326 - Dogtag 10:  KRA connectors not
    automatically setup in CA clones


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120912/9e1a2c0b/attachment.htm>

From alee at redhat.com  Thu Sep 13 01:47:57 2012
From: alee at redhat.com (Ade Lee)
Date: Wed, 12 Sep 2012 21:47:57 -0400
Subject: [Pki-devel] [PATCH] dbuser for cloning
Message-ID: <1347500877.24731.145.camel@aleeredhat.laptop>

Please review.

Thanks, 
Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0055-Modifications-for-dbuser-for-cloning.patch
Type: text/x-patch
Size: 6804 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120912/15688014/attachment.bin>

From alee at redhat.com  Thu Sep 13 17:16:27 2012
From: alee at redhat.com (Ade Lee)
Date: Thu, 13 Sep 2012 13:16:27 -0400
Subject: [Pki-devel] [PATCH] selinux file paths
Message-ID: <1347556587.24731.150.camel@aleeredhat.laptop>

default file fcontext definitions were wrong.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0056-Correct-incorrect-file-paths-in-default-file-context.patch
Type: text/x-patch
Size: 1317 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120913/d503456e/attachment.bin>

From alee at redhat.com  Thu Sep 13 17:24:09 2012
From: alee at redhat.com (Ade Lee)
Date: Thu, 13 Sep 2012 13:24:09 -0400
Subject: [Pki-devel] [PATCH] selinux file paths
In-Reply-To: <1347556587.24731.150.camel@aleeredhat.laptop>
References: <1347556587.24731.150.camel@aleeredhat.laptop>
Message-ID: <1347557050.24731.151.camel@aleeredhat.laptop>

acked by Endi. Pushed to master.

On Thu, 2012-09-13 at 13:16 -0400, Ade Lee wrote:
> default file fcontext definitions were wrong.
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From mharmsen at redhat.com  Fri Sep 14 00:26:35 2012
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 13 Sep 2012 17:26:35 -0700
Subject: [Pki-devel] [PATCH] De-register subsystem from merged instance
Message-ID: <505279BB.1080706@redhat.com>

The attached patch addresses the following PKI TRAC ticket:

  * TRAC Ticket #311 - Unable to deregister subsystem in merged instance

Please review this patch.

Thanks,
-- Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120913/f1d93add/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20120913-Deregister-subsystem-in-merged-instance.patch
Type: text/x-patch
Size: 2216 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120913/f1d93add/attachment.bin>

From alee at redhat.com  Fri Sep 14 00:49:06 2012
From: alee at redhat.com (Ade Lee)
Date: Thu, 13 Sep 2012 20:49:06 -0400
Subject: [Pki-devel] [PATCH] De-register subsystem from merged instance
In-Reply-To: <505279BB.1080706@redhat.com>
References: <505279BB.1080706@redhat.com>
Message-ID: <1347583746.24731.152.camel@aleeredhat.laptop>

ack
On Thu, 2012-09-13 at 17:26 -0700, Matthew Harmsen wrote:
> The attached patch addresses the following PKI TRAC ticket:
>       * TRAC Ticket #311 - Unable to deregister subsystem in merged
>         instance
> Please review this patch. 
> 
> Thanks,
> -- Matt
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From cfu at redhat.com  Fri Sep 14 07:21:17 2012
From: cfu at redhat.com (Christina Fu)
Date: Fri, 14 Sep 2012 00:21:17 -0700
Subject: [Pki-devel] Review Request: Token Management System
	ECC	infrastructure
In-Reply-To: <461841660.34169062.1347496879140.JavaMail.root@redhat.com>
References: <461841660.34169062.1347496879140.JavaMail.root@redhat.com>
Message-ID: <5052DAED.3030708@redhat.com>

https://fedorahosted.org/pki/attachment/ticket/304/TPS-ECC.forReview2

Thanks for the comments.  A new patch has been uploaded.  Please see 
in-line response for some of your other comments/questions.

On 09/12/2012 05:41 PM, John Magne wrote:
> Just a few Comments/Questions ...
>
> GenerateKeyPairServlet.java
>
>
>
> Apparently StringTokenizer is discouraged in new code in favor of String.split.
>
> Could the following code be made a bit more efficient using some built in container? :
>
>
> // is the specified curve supported?
> 61	+            boolean isSupportedCurve = false;
> 62	+            for (int i=0; i<supportedECCurves.length; i++) {
> 63	+                if (rKeycurve.equals(supportedECCurves[i])) {
> 64	+                    isSupportedCurve = true;
> 65	+                }
> 66	+            }
>
>
> RA_Enroll_Processor.cpp
Yes, that was the result of copying and pasting existing code.  Switched 
to using String.split()and Hashtable in the new patch.
>
>
> In this code:
>
> rv = ATOB_ConvertAsciiToItem (&der, pKey_ascii);
> 293	       if (rv != SECSuccess){
> 294	-       RA::Debug(LL_PER_CONNECTION,FN,
> 295	-               "failed to convert b64 private key to binary");
> 296	-       SECITEM_FreeItem(&der, PR_FALSE);
> 297	-         status = STATUS_ERROR_MAC_ENROLL_PDU;
> 298	-        PR_snprintf(audit_msg, 512, "ServerSideKeyGen: failed to convert b64 private key to binary");
> 299	-       goto loser;
> 300	-      }else {
>
>
> If the call to ATOB_ConvertAsciiToItem fails, will there be a "der" variable to free with SECITEM_FreeItem ?

The NSS call checks to see if &der exists.  Also, in this case, der was 
actually declared as
  SECItem der.

> Also, I'm curious why the change of the original code? Looks like we've added an extra step of processing as here:
>
> +      Buffer *decodePubKey = Util::URLDecode(pKey);
> 287	+      char *pKey_ascii =
> 288	+        BTOA_DataToAscii(decodePubKey->getBuf(), decodePubKey->getLen());

I actually found this bug.  We missed doing URL encoding/decoding 
before, and that happened to work.  However, in case of ECC, I ran into 
issues.  Doing URL Decoding and encoding is the right thing.
>
> How are we freeing the eccParams? I see the commented out section. Does it happen later or automatically somewhere?
The commented out section should be removed (I removed it in the updated 
patch) as it causes confusion.
The eccParams was assigned to point to part of the pk_p:
     eccParams  = &pk_p->u.ec.DEREncodedParams;
where pk_p was gotten from  SECKEY_ExtractPublicKey if it's server side 
key generation.

  The code in the patch states that in case of serverKeygen, 
SECKEY_DestroyPublicKey to free pk_p, where the eccParams would be freed 
automatically; while in the case of client side key generation, free() 
is used on pk_p, as the memory was allocated with an arena.

> Buffer.cpp/Buffer.h
>
> Looks like we've added functions to the buffer that are already present.
> The length is gotten with the method "size()".   TPS_PUBLIC unsigned int size() const { return len; }
> The raw buffer is obtainable with the operator "()". TPS_PUBLIC operator BYTE*() { return buf; }

I'm not sure I understand... I do not see such existing functions in my 
tree.  Did I miss something?

>
> SecureChannel.cpp
>
> Looks like debug buffer calls like the following were previously commented out:
>
>            RA::DebugBuffer("Secure_Channel::ComputeAPDUMac", "Data To MAC'ed",
> 1387	+&data);
>
> Was this done for a reason? I ask because we are actually now issuing these debug commands.
Could you have uncommented it for debugging?  I can comment it out again 
(done so in this updated patch)
>
> ----- Original Message -----
> From: "Christina Fu"<cfu at redhat.com>
> To: "pki-devel"<pki-devel at redhat.com>
> Sent: Tuesday, September 11, 2012 6:19:16 PM
> Subject: [Pki-devel] Review Request: Token Management System ECC	infrastructure
>
> https://fedorahosted.org/pki/attachment/ticket/304/TPS-ECC.patch2
>
> This patch provides TMS ECC infrastructure as described in task #304:
> https://fedorahosted.org/pki/ticket/304
>
> I have merged/sanitized the code from two sources:
> * Token ECC enrollment with client-side key generation support (provided
> by jmagne at redhat.com)
> * TMS ECC enrollment with server-side key generation and key archival
> support (provided by myself - cfu at redhat.com)
>
> The following tests have been conducted:
> * ECC enrollment via tpsclient
> * RSA enrollment via tpsclient
> * RSA server-side key generation via tpsclient
> * ECC server-side key generation via tpsclient
> * ECC enrollment via smart card token (Safenet 330j)
> * RSA enrollment via smart card token (Safenet sc650)
>
> note 1: For ECC enrollments, you will need a newer java applet, which is
> not yet ready for checkin.
>
> note 2: server-side key generation is currently not yet supported by the
> smart card token because of the lack of the key injection code, which
> will be covered by task #235 (https://fedorahosted.org/pki/ticket/235)
>
> thanks,
> Christina
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel



From jmagne at redhat.com  Fri Sep 14 18:20:37 2012
From: jmagne at redhat.com (John Magne)
Date: Fri, 14 Sep 2012 14:20:37 -0400 (EDT)
Subject: [Pki-devel] Review Request: Token Management System
	ECC	infrastructure
In-Reply-To: <5052DAED.3030708@redhat.com>
Message-ID: <1211543147.35211573.1347646837082.JavaMail.root@redhat.com>

Conditional ACK:

Just a couple of things.

Look in Buffer.h for the existing buffer functions in favor of your new ones?

And make the new HashTable private to the class. I wouldn't imagine anyone on the outside would want it.

----- Original Message -----
From: "Christina Fu" <cfu at redhat.com>
To: "John Magne" <jmagne at redhat.com>
Cc: "pki-devel" <pki-devel at redhat.com>
Sent: Friday, September 14, 2012 12:21:17 AM
Subject: Re: [Pki-devel] Review Request: Token Management System ECC	infrastructure

https://fedorahosted.org/pki/attachment/ticket/304/TPS-ECC.forReview2

Thanks for the comments.  A new patch has been uploaded.  Please see 
in-line response for some of your other comments/questions.

On 09/12/2012 05:41 PM, John Magne wrote:
> Just a few Comments/Questions ...
>
> GenerateKeyPairServlet.java
>
>
>
> Apparently StringTokenizer is discouraged in new code in favor of String.split.
>
> Could the following code be made a bit more efficient using some built in container? :
>
>
> // is the specified curve supported?
> 61	+            boolean isSupportedCurve = false;
> 62	+            for (int i=0; i<supportedECCurves.length; i++) {
> 63	+                if (rKeycurve.equals(supportedECCurves[i])) {
> 64	+                    isSupportedCurve = true;
> 65	+                }
> 66	+            }
>
>
> RA_Enroll_Processor.cpp
Yes, that was the result of copying and pasting existing code.  Switched 
to using String.split()and Hashtable in the new patch.
>
>
> In this code:
>
> rv = ATOB_ConvertAsciiToItem (&der, pKey_ascii);
> 293	       if (rv != SECSuccess){
> 294	-       RA::Debug(LL_PER_CONNECTION,FN,
> 295	-               "failed to convert b64 private key to binary");
> 296	-       SECITEM_FreeItem(&der, PR_FALSE);
> 297	-         status = STATUS_ERROR_MAC_ENROLL_PDU;
> 298	-        PR_snprintf(audit_msg, 512, "ServerSideKeyGen: failed to convert b64 private key to binary");
> 299	-       goto loser;
> 300	-      }else {
>
>
> If the call to ATOB_ConvertAsciiToItem fails, will there be a "der" variable to free with SECITEM_FreeItem ?

The NSS call checks to see if &der exists.  Also, in this case, der was 
actually declared as
  SECItem der.

> Also, I'm curious why the change of the original code? Looks like we've added an extra step of processing as here:
>
> +      Buffer *decodePubKey = Util::URLDecode(pKey);
> 287	+      char *pKey_ascii =
> 288	+        BTOA_DataToAscii(decodePubKey->getBuf(), decodePubKey->getLen());

I actually found this bug.  We missed doing URL encoding/decoding 
before, and that happened to work.  However, in case of ECC, I ran into 
issues.  Doing URL Decoding and encoding is the right thing.
>
> How are we freeing the eccParams? I see the commented out section. Does it happen later or automatically somewhere?
The commented out section should be removed (I removed it in the updated 
patch) as it causes confusion.
The eccParams was assigned to point to part of the pk_p:
     eccParams  = &pk_p->u.ec.DEREncodedParams;
where pk_p was gotten from  SECKEY_ExtractPublicKey if it's server side 
key generation.

  The code in the patch states that in case of serverKeygen, 
SECKEY_DestroyPublicKey to free pk_p, where the eccParams would be freed 
automatically; while in the case of client side key generation, free() 
is used on pk_p, as the memory was allocated with an arena.

> Buffer.cpp/Buffer.h
>
> Looks like we've added functions to the buffer that are already present.
> The length is gotten with the method "size()".   TPS_PUBLIC unsigned int size() const { return len; }
> The raw buffer is obtainable with the operator "()". TPS_PUBLIC operator BYTE*() { return buf; }

I'm not sure I understand... I do not see such existing functions in my 
tree.  Did I miss something?

>
> SecureChannel.cpp
>
> Looks like debug buffer calls like the following were previously commented out:
>
>            RA::DebugBuffer("Secure_Channel::ComputeAPDUMac", "Data To MAC'ed",
> 1387	+&data);
>
> Was this done for a reason? I ask because we are actually now issuing these debug commands.
Could you have uncommented it for debugging?  I can comment it out again 
(done so in this updated patch)
>
> ----- Original Message -----
> From: "Christina Fu"<cfu at redhat.com>
> To: "pki-devel"<pki-devel at redhat.com>
> Sent: Tuesday, September 11, 2012 6:19:16 PM
> Subject: [Pki-devel] Review Request: Token Management System ECC	infrastructure
>
> https://fedorahosted.org/pki/attachment/ticket/304/TPS-ECC.patch2
>
> This patch provides TMS ECC infrastructure as described in task #304:
> https://fedorahosted.org/pki/ticket/304
>
> I have merged/sanitized the code from two sources:
> * Token ECC enrollment with client-side key generation support (provided
> by jmagne at redhat.com)
> * TMS ECC enrollment with server-side key generation and key archival
> support (provided by myself - cfu at redhat.com)
>
> The following tests have been conducted:
> * ECC enrollment via tpsclient
> * RSA enrollment via tpsclient
> * RSA server-side key generation via tpsclient
> * ECC server-side key generation via tpsclient
> * ECC enrollment via smart card token (Safenet 330j)
> * RSA enrollment via smart card token (Safenet sc650)
>
> note 1: For ECC enrollments, you will need a newer java applet, which is
> not yet ready for checkin.
>
> note 2: server-side key generation is currently not yet supported by the
> smart card token because of the lack of the key injection code, which
> will be covered by task #235 (https://fedorahosted.org/pki/ticket/235)
>
> thanks,
> Christina
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel



From edewata at redhat.com  Mon Sep 17 18:49:20 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 17 Sep 2012 13:49:20 -0500
Subject: [Pki-devel] [PATCH] Fixed problems with optional pki-symkey.
Message-ID: <505770B0.9050403@redhat.com>

The deployment and init scripts have been fixed to create and check
the links to symkey.jar only if the pki-symkey is installed.

Ticket #331

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0115-Fixed-problems-with-optional-pki-symkey.patch
Type: text/x-patch
Size: 4354 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120917/e7e65b7b/attachment.bin>

From alee at redhat.com  Mon Sep 17 21:24:36 2012
From: alee at redhat.com (Ade Lee)
Date: Mon, 17 Sep 2012 17:24:36 -0400
Subject: [Pki-devel] [PATCH] Fixed problems with optional pki-symkey.
In-Reply-To: <505770B0.9050403@redhat.com>
References: <505770B0.9050403@redhat.com>
Message-ID: <1347917077.2624.20.camel@aleeredhat.laptop>

I'm wondering if we can be a little more precise here.  We know after
all that pki-symkey is required for a tks instance only.

So, for the init scripts, perhaps we need to require the link
if /var/lib/pki/{foo}/tks exists (for dogtag 10) - and a similar check
for dogtag 9.

And for the pkispawn code, maybe we only need to include the link if we
know we are installing a TKS?

Ade

On Mon, 2012-09-17 at 13:49 -0500, Endi Sukma Dewata wrote:
> The deployment and init scripts have been fixed to create and check
> the links to symkey.jar only if the pki-symkey is installed.
> 
> Ticket #331
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From edewata at redhat.com  Tue Sep 18 03:55:03 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 17 Sep 2012 22:55:03 -0500
Subject: [Pki-devel] [PATCH] 115 Fixed problems with optional pki-symkey.
In-Reply-To: <1347917077.2624.20.camel@aleeredhat.laptop>
References: <505770B0.9050403@redhat.com>
	<1347917077.2624.20.camel@aleeredhat.laptop>
Message-ID: <5057F097.1040309@redhat.com>

On 9/17/2012 4:24 PM, Ade Lee wrote:
> I'm wondering if we can be a little more precise here.  We know after
> all that pki-symkey is required for a tks instance only.
>
> So, for the init scripts, perhaps we need to require the link
> if /var/lib/pki/{foo}/tks exists (for dogtag 10) - and a similar check
> for dogtag 9.
>
> And for the pkispawn code, maybe we only need to include the link if we
> know we are installing a TKS?

Fixed. New patch attached. In a merged instance it will add the symkey 
link if TKS is added, and remove the link if TKS is removed.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0115-1-Fixed-problems-with-optional-pki-symkey.patch
Type: text/x-patch
Size: 6280 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120917/2679c593/attachment.bin>

From edewata at redhat.com  Tue Sep 18 03:55:49 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 17 Sep 2012 22:55:49 -0500
Subject: [Pki-devel] [PATCH] 116 Fixed conflicting log4j.properties.
Message-ID: <5057F0C5.3010408@redhat.com>

The <instance>/lib link has been replaced with a real folder
which contains links to the files in /usr/share/tomcat/lib. This
way the log4j.properties can be placed in this folder without
causing conflicts with other instances.

Ticket: #284

Note: This patch only addresses the conflict. Further modification might 
be needed to get log4j working properly.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0116-Fixed-conflicting-log4j.properties.patch
Type: text/x-patch
Size: 8558 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120917/740208c6/attachment.bin>

From edewata at redhat.com  Tue Sep 18 16:29:40 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 18 Sep 2012 11:29:40 -0500
Subject: [Pki-devel] [PATCH] 117 Added DN and filter escaping in UGSubsystem.
Message-ID: <5058A174.4050903@redhat.com>

The UGSubsystem has been modified to escape values used in DN or
filter according to LDAP standard.

Ticket #193

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0117-Added-DN-and-filter-escaping-in-UGSubsystem.patch
Type: text/x-patch
Size: 12742 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120918/490db8cf/attachment.bin>

From edewata at redhat.com  Tue Sep 18 16:29:43 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 18 Sep 2012 11:29:43 -0500
Subject: [Pki-devel] [PATCH] 118 Removed duplicate DN escaping methods.
Message-ID: <5058A177.90409@redhat.com>

The duplicate methods to escape DN value have been removed. The
codes that used the duplicate methods have been modified to use
LDAPUtil.escapeDN().

Ticket #193

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0118-Removed-duplicate-DN-escaping-methods.patch
Type: text/x-patch
Size: 13590 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120918/37608df1/attachment.bin>

From edewata at redhat.com  Tue Sep 18 17:00:16 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 18 Sep 2012 12:00:16 -0500
Subject: [Pki-devel] [PATCH] 118 Removed duplicate DN escaping methods.
In-Reply-To: <5058A177.90409@redhat.com>
References: <5058A177.90409@redhat.com>
Message-ID: <5058A8A0.30600@redhat.com>

On 9/18/2012 11:29 AM, Endi Sukma Dewata wrote:
> The duplicate methods to escape DN value have been removed. The
> codes that used the duplicate methods have been modified to use
> LDAPUtil.escapeDN().
>
> Ticket #193

New patch attached. Missed a few changes.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0118-1-Removed-duplicate-DN-escaping-methods.patch
Type: text/x-patch
Size: 15154 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120918/c33cd6c0/attachment.bin>

From edewata at redhat.com  Tue Sep 18 17:50:59 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 18 Sep 2012 12:50:59 -0500
Subject: [Pki-devel] [PATCH] 119 Added DN and filter escaping in
	ConfigurationUtils.
Message-ID: <5058B483.3050305@redhat.com>

The ConfigurationUtils has been modified to escape values used in
DN or filter according to LDAP standard.

Ticket #193

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0119-Added-DN-and-filter-escaping-in-ConfigurationUtils.patch
Type: text/x-patch
Size: 9718 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120918/b1681883/attachment.bin>

From alee at redhat.com  Tue Sep 18 18:04:46 2012
From: alee at redhat.com (Ade Lee)
Date: Tue, 18 Sep 2012 14:04:46 -0400
Subject: [Pki-devel] [PATCH] 115 Fixed problems with optional pki-symkey.
In-Reply-To: <5057F097.1040309@redhat.com>
References: <505770B0.9050403@redhat.com>
	<1347917077.2624.20.camel@aleeredhat.laptop>
	<5057F097.1040309@redhat.com>
Message-ID: <1347991487.2624.21.camel@aleeredhat.laptop>

ack
On Mon, 2012-09-17 at 22:55 -0500, Endi Sukma Dewata wrote:
> On 9/17/2012 4:24 PM, Ade Lee wrote:
> > I'm wondering if we can be a little more precise here.  We know after
> > all that pki-symkey is required for a tks instance only.
> >
> > So, for the init scripts, perhaps we need to require the link
> > if /var/lib/pki/{foo}/tks exists (for dogtag 10) - and a similar check
> > for dogtag 9.
> >
> > And for the pkispawn code, maybe we only need to include the link if we
> > know we are installing a TKS?
> 
> Fixed. New patch attached. In a merged instance it will add the symkey 
> link if TKS is added, and remove the link if TKS is removed.
> 




From edewata at redhat.com  Tue Sep 18 18:27:09 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 18 Sep 2012 13:27:09 -0500
Subject: [Pki-devel] [PATCH] 115 Fixed problems with optional pki-symkey.
In-Reply-To: <1347991487.2624.21.camel@aleeredhat.laptop>
References: <505770B0.9050403@redhat.com>
	<1347917077.2624.20.camel@aleeredhat.laptop>
	<5057F097.1040309@redhat.com>
	<1347991487.2624.21.camel@aleeredhat.laptop>
Message-ID: <5058BCFD.6090100@redhat.com>

On 9/18/2012 1:04 PM, Ade Lee wrote:
> ack

Pushed to master.

-- 
Endi S. Dewata



From mharmsen at redhat.com  Tue Sep 18 22:13:40 2012
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 18 Sep 2012 15:13:40 -0700
Subject: [Pki-devel] [PATCH] 116 Fixed conflicting log4j.properties.
In-Reply-To: <5057F0C5.3010408@redhat.com>
References: <5057F0C5.3010408@redhat.com>
Message-ID: <5058F214.3050301@redhat.com>

On 09/17/12 20:55, Endi Sukma Dewata wrote:
> The <instance>/lib link has been replaced with a real folder
> which contains links to the files in /usr/share/tomcat/lib. This
> way the log4j.properties can be placed in this folder without
> causing conflicts with other instances.
>
> Ticket: #284
>
> Note: This patch only addresses the conflict. Further modification 
> might be needed to get log4j working properly.
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120918/f891295c/attachment.htm>

From awnuk at redhat.com  Wed Sep 19 00:47:00 2012
From: awnuk at redhat.com (Andrew Wnuk)
Date: Tue, 18 Sep 2012 17:47:00 -0700
Subject: [Pki-devel] [PATCH] time based searches
Message-ID: <50591604.6040200@redhat.com>

This patch removes "fixed" year from time based searches for agent and 
EE interfaces.
It also unifies time selection between search and revocation templates.

Bug 854420.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120918/1257c35a/attachment.htm>
-------------- next part --------------
Index: pki/redhat/ca-ui/shared/webapps/ca/ee/ca/reasonToRevoke.template
===================================================================
--- pki/redhat/ca-ui/shared/webapps/ca/ee/ca/reasonToRevoke.template	(revision 16054)
+++ pki/redhat/ca-ui/shared/webapps/ca/ee/ca/reasonToRevoke.template	(working copy)
@@ -33,7 +33,7 @@
     var filter = "(|";
     var n = 0;
 
-    if (!dateIsEmpty(document.forms[0])) {
+    if (document.forms[0].invalidityEnabled.checked) {
         var d = convertDate(document.forms[0], "Invalidity Date");
         if (d == null) return false;
         document.forms[0].invalidityDate.value = d;
@@ -77,6 +77,26 @@
     return true;
 }
 
+function clickedOnInvalidityEnabled()
+{
+    if (document.forms[0].invalidityEnabled.checked) {
+        var date = new Date();
+        if (document.forms[0].day.options[document.forms[0].day.selectedIndex].value == 0) {
+            document.forms[0].day.selectedIndex = date.getDate();
+        }
+        if (document.forms[0].month.options[document.forms[0].month.selectedIndex].value == 13) {
+            document.forms[0].month.selectedIndex = date.getMonth() +1;
+        }
+        if (document.forms[0].year.options[document.forms[0].year.selectedIndex].value == 0) {
+            for (var i = 0; i < document.forms[0].year.options.length; i++) {
+                if (document.forms[0].year.options[i].value == date.getFullYear()) {
+                    document.forms[0].year.selectedIndex = i;
+                }
+            }
+        }
+    }
+}
+
 function toHex1(number)
 {
     var absValue = "", sign = "";
@@ -283,6 +303,7 @@
     </tr>
     <tr>
       <td valign="TOP" colspan="2">
+        <INPUT TYPE="CHECKBOX" NAME="invalidityEnabled" onClick="clickedOnInvalidityEnabled();">
         <font face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif" size="-1">
         Invalidity date:&nbsp;
         <SELECT NAME="day">
@@ -335,20 +356,9 @@
           <OPTION VALUE=11>December
         </SELECT>
         <SELECT NAME="year">
-          <OPTION VALUE=0>
-<SCRIPT LANGUAGE="JavaScript">
+<SCRIPT type="text/javascript">
 //<!--
-    var today = new Date();
-    var year = today.getYear();
-    if (year < 100) {
-        year += 1900;
-    } else {
-        year %= 100;
-        year += 2000;
-    }
-    for (var i = year-7; i < year+5; i++) {
-        document.writeln("<OPTION VALUE="+i+">"+i);
-    }
+generateYearOptions(10, 2);
 //-->
 </SCRIPT>
         </SELECT>
Index: pki/redhat/ca-ui/shared/webapps/ca/ee/ca/srchCert.html
===================================================================
--- pki/redhat/ca-ui/shared/webapps/ca/ee/ca/srchCert.html	(revision 16054)
+++ pki/redhat/ca-ui/shared/webapps/ca/ee/ca/srchCert.html	(working copy)
@@ -345,7 +345,7 @@
 <tr>
 <FORM NAME="revokedOnCritForm">
 <td>
-<INPUT TYPE="CHECKBOX" NAME="inUse">
+<INPUT TYPE="CHECKBOX" NAME="inUse" onClick="clickedOnTimeRangeCheckBox(document.revokedOnCritForm.inUse, document.revokedOnFrom, document.revokedOnTo);">
 </td>
 <td align="left" colspan="2">
 <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
@@ -411,23 +411,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 1);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -490,23 +478,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 1);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -667,7 +643,7 @@
 
 <tr>
 <FORM NAME="issuedOnCritForm">
-<td><INPUT TYPE="CHECKBOX" NAME="inUse"></td>
+<td><INPUT TYPE="CHECKBOX" NAME="inUse" onClick="clickedOnTimeRangeCheckBox(document.issuedOnCritForm.inUse, document.issuedOnFrom, document.issuedOnTo);"></td>
 <td colspan="2"><font size=-1 face="PrimaSans BT, Verdana, sans-serif">
 Show certificates issued during the period:</font></td>
 </FORM>
@@ -730,23 +706,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 1);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -809,23 +773,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 1);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -912,7 +864,7 @@
 <table border="0" cellspacing="2" cellpadding="2">
 <tr>
 <FORM NAME="validNotBeforeCritForm">
-<td><INPUT TYPE="CHECKBOX" NAME="inUse"></td>
+<td><INPUT TYPE="CHECKBOX" NAME="inUse" onClick="clickedOnTimeRangeCheckBox(document.validNotBeforeCritForm.inUse, document.validNotBeforeFrom, document.validNotBeforeTo);"></td>
 <td align="left" colspan="2">
 <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
 Show certificates effective during the period: 
@@ -977,23 +929,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 10);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -1056,23 +996,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 10);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -1132,7 +1060,7 @@
 <table border="0" cellspacing="2" cellpadding="2">
 <tr>
 <FORM NAME="validNotAfterCritForm">
-<td><INPUT TYPE="CHECKBOX" NAME="inUse"></td>
+<td><INPUT TYPE="CHECKBOX" NAME="inUse" onClick="clickedOnTimeRangeCheckBox(document.validNotAfterCritForm.inUse, document.validNotAfterFrom, document.validNotAfterTo);"></td>
 <td align="left" colspan="2">
 <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
 Show certificates expired during the period: </font></td>
@@ -1196,23 +1124,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 10);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -1275,23 +1191,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 10);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
Index: pki/redhat/ca-ui/shared/webapps/ca/ee/cms-funcs.js
===================================================================
--- pki/redhat/ca-ui/shared/webapps/ca/ee/cms-funcs.js	(revision 16054)
+++ pki/redhat/ca-ui/shared/webapps/ca/ee/cms-funcs.js	(working copy)
@@ -337,6 +337,49 @@
     return 3600 * 24 * days;
 }
  
+function clickedOnTimeRangeCheckBox(inUse, start, end)
+{
+    if (inUse.checked) {
+        var date = new Date();
+        if (start.day.options[start.day.selectedIndex].value == 0) {
+            start.day.selectedIndex = date.getDate();
+        }
+        if (end.day.options[end.day.selectedIndex].value == 0) {
+            end.day.selectedIndex = date.getDate();
+        }
+        if (start.month.options[start.month.selectedIndex].value == 13) {
+            start.month.selectedIndex = date.getMonth() + 1;
+        }
+        if (end.month.options[end.month.selectedIndex].value == 13) {
+            end.month.selectedIndex = date.getMonth() + 1;
+        }
+        if (start.year.options[start.year.selectedIndex].value == 0) {
+            for (var i = 0; i < start.year.options.length; i++) {
+                if (start.year.options[i].value == date.getFullYear()) {
+                    start.year.selectedIndex = i;
+                }
+            }
+        }
+        if (end.year.options[end.year.selectedIndex].value == 0) {
+            for (var i = 0; i < end.year.options.length; i++) {
+                if (end.year.options[i].value == date.getFullYear()) {
+                    end.year.selectedIndex = i;
+                }
+            }
+        }
+    }
+}
+
+function generateYearOptions(before, after)
+{
+    var now = new Date();
+    var year = now.getFullYear();
+    document.writeln("<OPTION VALUE=0>");
+    for (var i = year-before-1; i < year+after+1; i++) {
+        document.writeln("<OPTION VALUE="+i+">"+i);
+    }
+}
+
 // encloses value in double quotes preceding all embedded double quotes with \
 function escapeValue(value)
 {
Index: pki/redhat/ca-ui/shared/webapps/ca/agent/ca/SrchCert.html
===================================================================
--- pki/redhat/ca-ui/shared/webapps/ca/agent/ca/SrchCert.html	(revision 16054)
+++ pki/redhat/ca-ui/shared/webapps/ca/agent/ca/SrchCert.html	(working copy)
@@ -367,7 +367,7 @@
 <tr>
 <FORM NAME="revokedOnCritForm">
 <td>
-<INPUT TYPE="CHECKBOX" NAME="inUse">
+<INPUT TYPE="CHECKBOX" NAME="inUse" onClick="clickedOnTimeRangeCheckBox(document.revokedOnCritForm.inUse, document.revokedOnFrom, document.revokedOnTo);">
 </td>
 <td align="left" colspan="2">
 <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
@@ -433,23 +433,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 1);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -512,23 +500,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 1);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -697,7 +673,7 @@
 
 <tr>
 <FORM NAME="issuedOnCritForm">
-<td><INPUT TYPE="CHECKBOX" NAME="inUse"></td>
+<td><INPUT TYPE="CHECKBOX" NAME="inUse" onClick="clickedOnTimeRangeCheckBox(document.issuedOnCritForm.inUse, document.issuedOnFrom, document.issuedOnTo);"></td>
 <td colspan="2">
 <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
 Show certificates issued during the period:</font></td>
@@ -761,23 +737,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 1);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -840,23 +804,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 1);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -961,7 +913,7 @@
 <table border="0" cellspacing="2" cellpadding="2">
 <tr>
 <FORM NAME="validNotBeforeCritForm">
-<td><INPUT TYPE="CHECKBOX" NAME="inUse"></td>
+<td><INPUT TYPE="CHECKBOX" NAME="inUse" onClick="clickedOnTimeRangeCheckBox(document.validNotBeforeCritForm.inUse, document.validNotBeforeFrom, document.validNotBeforeTo);"></td>
 <td align="left" colspan="2">
 <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
 Show certificates effective during the period:</font></td>
@@ -1025,23 +977,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 10);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -1104,23 +1044,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 10);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -1180,7 +1108,7 @@
 <table border="0" cellspacing="2" cellpadding="2">
 <tr>
 <FORM NAME="validNotAfterCritForm">
-<td><INPUT TYPE="CHECKBOX" NAME="inUse"></td>
+<td><INPUT TYPE="CHECKBOX" NAME="inUse" onClick="clickedOnTimeRangeCheckBox(document.validNotAfterCritForm.inUse, document.validNotAfterFrom, document.validNotAfterTo);"></td>
 <td align="left" colspan="2">
 <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
 Show certificates expired during the period:</font></td>
@@ -1244,23 +1172,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 10);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -1323,23 +1239,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 10);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
Index: pki/redhat/ca-ui/shared/webapps/ca/agent/ca/SrchRevokeCert.html
===================================================================
--- pki/redhat/ca-ui/shared/webapps/ca/agent/ca/SrchRevokeCert.html	(revision 16054)
+++ pki/redhat/ca-ui/shared/webapps/ca/agent/ca/SrchRevokeCert.html	(working copy)
@@ -334,7 +334,7 @@
 
 <tr>
 <FORM NAME="issuedOnCritForm">
-<td><INPUT TYPE="CHECKBOX" NAME="inUse"></td>
+<td><INPUT TYPE="CHECKBOX" NAME="inUse" onClick="clickedOnTimeRangeCheckBox(document.issuedOnCritForm.inUse, document.issuedOnFrom, document.issuedOnTo);"></td>
 <td colspan="2">
 <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
 Revoke certificates issued during the period:</font>
@@ -399,23 +399,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 1);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -478,23 +466,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 1);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -579,7 +555,7 @@
 <table border="0" cellspacing="2" cellpadding="2">
 <tr>
 <FORM NAME="validNotBeforeCritForm">
-<td><INPUT TYPE="CHECKBOX" NAME="inUse"></td>
+<td><INPUT TYPE="CHECKBOX" NAME="inUse" onClick="clickedOnTimeRangeCheckBox(document.validNotBeforeCritForm.inUse, document.validNotBeforeFrom, document.validNotBeforeTo);"></td>
 <td align="left" colspan="2">
 <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
 Revoke certificates effective during the period:</font>
@@ -644,23 +620,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 10);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -723,23 +687,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 10);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -798,7 +750,7 @@
 <table border="0" cellspacing="2" cellpadding="2">
 <tr>
 <FORM NAME="validNotAfterCritForm">
-<td><INPUT TYPE="CHECKBOX" NAME="inUse"></td>
+<td><INPUT TYPE="CHECKBOX" NAME="inUse" onClick="clickedOnTimeRangeCheckBox(document.validNotAfterCritForm.inUse, document.validNotAfterFrom, document.validNotAfterTo);"></td>
 <td align="left" colspan="2">
 <font size=-1 face="PrimaSans BT, Verdana, sans-serif">
 Revoke certificates expire during the period:</font>
@@ -863,23 +815,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 10);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
@@ -942,23 +882,11 @@
 <OPTION VALUE=11>December
 </SELECT>
 <SELECT NAME="year">
-<OPTION VALUE=0>
-<OPTION VALUE=1997>1997
-<OPTION VALUE=1998>1998
-<OPTION VALUE=1999>1999
-<OPTION VALUE=2000>2000
-<OPTION VALUE=2001>2001
-<OPTION VALUE=2002>2002
-<OPTION VALUE=2003>2003
-<OPTION VALUE=2004>2004
-<OPTION VALUE=2005>2005
-<OPTION VALUE=2006>2006
-<OPTION VALUE=2007>2007
-<OPTION VALUE=2008>2008
-<OPTION VALUE=2009>2009
-<OPTION VALUE=2010>2010
-<OPTION VALUE=2011>2011
-<OPTION VALUE=2012>2012
+<SCRIPT type="text/javascript">
+//<!--
+generateYearOptions(10, 10);
+//-->
+</SCRIPT>
 </SELECT>
 </FORM>
 </td>
Index: pki/redhat/ca-ui/shared/webapps/ca/agent/ca/reasonToRevoke.template
===================================================================
--- pki/redhat/ca-ui/shared/webapps/ca/agent/ca/reasonToRevoke.template	(revision 16054)
+++ pki/redhat/ca-ui/shared/webapps/ca/agent/ca/reasonToRevoke.template	(working copy)
@@ -32,7 +32,7 @@
     var filter = "(|";
     var n = 0;
 
-    if (!dateIsEmpty(document.forms[0])) {
+    if (document.forms[0].invalidityEnabled.checked) {
         var d = convertDate(document.forms[0], "Invalidity Date");
         if (d == null) return false;
         document.forms[0].invalidityDate.value = d;
@@ -76,6 +76,26 @@
     return true;
 }
 
+function clickedOnInvalidityEnabled()
+{
+    if (document.forms[0].invalidityEnabled.checked) {
+        var date = new Date();
+        if (document.forms[0].day.options[document.forms[0].day.selectedIndex].value == 0) {
+            document.forms[0].day.selectedIndex = date.getDate();
+        }
+        if (document.forms[0].month.options[document.forms[0].month.selectedIndex].value == 13) {
+            document.forms[0].month.selectedIndex = date.getMonth() +1;
+        }
+        if (document.forms[0].year.options[document.forms[0].year.selectedIndex].value == 0) {
+            for (var i = 0; i < document.forms[0].year.options.length; i++) {
+                if (document.forms[0].year.options[i].value == date.getFullYear()) {
+                    document.forms[0].year.selectedIndex = i;
+                }
+            }
+        }
+    }
+}
+
 function toHex1(number)
 {
     var absValue = "", sign = "";
@@ -287,6 +307,7 @@
     </tr>
     <tr>
       <td valign="TOP" colspan="2">
+        <INPUT TYPE="CHECKBOX" NAME="invalidityEnabled" onClick="clickedOnInvalidityEnabled();">
         <font face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif" size="-1">
         Invalidity date:&nbsp;
         <SELECT NAME="day">
@@ -339,20 +360,9 @@
           <OPTION VALUE=11>December
         </SELECT>
         <SELECT NAME="year">
-          <OPTION VALUE=0>
 <SCRIPT type="text/javascript">
 //<!--
-    var today = new Date();
-    var year = today.getYear();
-    if (year < 100) {
-        year += 1900;
-    } else {
-        year %= 100;
-        year += 2000;
-    }
-    for (var i = year-7; i < year+5; i++) {
-        document.writeln("<OPTION VALUE="+i+">"+i);
-    }
+generateYearOptions(10, 2);
 //-->
 </SCRIPT>
         </SELECT>
Index: pki/redhat/ca-ui/shared/webapps/ca/agent/funcs.js
===================================================================
--- pki/redhat/ca-ui/shared/webapps/ca/agent/funcs.js	(revision 16054)
+++ pki/redhat/ca-ui/shared/webapps/ca/agent/funcs.js	(working copy)
@@ -403,6 +403,49 @@
     return 3600 * 24 * days;
 }
  
+function clickedOnTimeRangeCheckBox(inUse, start, end)
+{
+    if (inUse.checked) {
+        var date = new Date();
+        if (start.day.options[start.day.selectedIndex].value == 0) {
+            start.day.selectedIndex = date.getDate();
+        }
+        if (end.day.options[end.day.selectedIndex].value == 0) {
+            end.day.selectedIndex = date.getDate();
+        }
+        if (start.month.options[start.month.selectedIndex].value == 13) {
+            start.month.selectedIndex = date.getMonth() + 1;
+        }
+        if (end.month.options[end.month.selectedIndex].value == 13) {
+            end.month.selectedIndex = date.getMonth() + 1;
+        }
+        if (start.year.options[start.year.selectedIndex].value == 0) {
+            for (var i = 0; i < start.year.options.length; i++) {
+                if (start.year.options[i].value == date.getFullYear()) {
+                    start.year.selectedIndex = i;
+                }
+            }
+        }
+        if (end.year.options[end.year.selectedIndex].value == 0) {
+            for (var i = 0; i < end.year.options.length; i++) {
+                if (end.year.options[i].value == date.getFullYear()) {
+                    end.year.selectedIndex = i;
+                }
+            }
+        }
+    }
+}
+
+function generateYearOptions(before, after)
+{
+    var now = new Date();
+    var year = now.getFullYear();
+    document.writeln("<OPTION VALUE=0>");
+    for (var i = year-before-1; i < year+after+1; i++) {
+        document.writeln("<OPTION VALUE="+i+">"+i);
+    }
+}
+
 // encloses value in double quotes preceding all embedded double quotes with \
 function escapeValue(value)
 {

From edewata at redhat.com  Wed Sep 19 15:37:44 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 19 Sep 2012 10:37:44 -0500
Subject: [Pki-devel] [PATCH] 116 Fixed conflicting log4j.properties.
In-Reply-To: <5058F214.3050301@redhat.com>
References: <5057F0C5.3010408@redhat.com> <5058F214.3050301@redhat.com>
Message-ID: <5059E6C8.6000104@redhat.com>

On 9/18/2012 5:13 PM, Matthew Harmsen wrote:
> ACK

Pushed to master. Thanks.

-- 
Endi S. Dewata



From mharmsen at redhat.com  Wed Sep 19 17:00:25 2012
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 19 Sep 2012 10:00:25 -0700
Subject: [Pki-devel] [PATCH] time based searches
In-Reply-To: <50591604.6040200@redhat.com>
References: <50591604.6040200@redhat.com>
Message-ID: <5059FA29.7030604@redhat.com>

On 09/18/12 17:47, Andrew Wnuk wrote:
> This patch removes "fixed" year from time based searches for agent and 
> EE interfaces.
> It also unifies time selection between search and revocation templates.
>
> Bug 854420.
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
ACK

I received a demo of these changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120919/9a3e6129/attachment.htm>

From edewata at redhat.com  Wed Sep 19 17:19:18 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 19 Sep 2012 12:19:18 -0500
Subject: [Pki-devel] [PATCH] 117 Added DN and filter escaping in
	UGSubsystem.
In-Reply-To: <5058A174.4050903@redhat.com>
References: <5058A174.4050903@redhat.com>
Message-ID: <5059FE96.5040607@redhat.com>

On 9/18/2012 11:29 AM, Endi Sukma Dewata wrote:
> The UGSubsystem has been modified to escape values used in DN or
> filter according to LDAP standard.
>
> Ticket #193

Acked by Ade. Pushed to master.

-- 
Endi S. Dewata



From alee at redhat.com  Wed Sep 19 17:19:21 2012
From: alee at redhat.com (Ade Lee)
Date: Wed, 19 Sep 2012 13:19:21 -0400
Subject: [Pki-devel] [PATCH] 0057-Changes-to-use-standard-dbuser
Message-ID: <1348075161.2575.4.camel@aleeredhat.laptop>

 Changes to use standard dbuser
    
    We create a user that can be used to connect to the database using the
    subsystem cert for client auth.  We identified this user, using the seeAlso
    attribute and provided certmap rules to this effect.
    
    For this user, we used to reuse the uid = user CA-hostname-port, which is already
    created for inter-system communication.  But this is problematic if more than one
    dbuser exists, as the directory server may bind as the incorrect user.  In any
    replication topology, there must be only one dbuser using the subsystem cert.
    
    To simplify things, we create a new user specifically for this purpose
    (pkidbuser), and we remove the seeAlso attribute from the older dbusers.
    
    A script is needed to convert existing dogtag 9 istances to use the new user,
    and set the relevant acls.  This will be done in a separate commit.

Please review.

Ade

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0057-Changes-to-use-standard-dbuser.patch
Type: text/x-patch
Size: 14849 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120919/70e8d544/attachment.bin>

From edewata at redhat.com  Wed Sep 19 17:19:53 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 19 Sep 2012 12:19:53 -0500
Subject: [Pki-devel] [PATCH] 118 Removed duplicate DN escaping methods.
In-Reply-To: <5058A8A0.30600@redhat.com>
References: <5058A177.90409@redhat.com> <5058A8A0.30600@redhat.com>
Message-ID: <5059FEB9.5010707@redhat.com>

On 9/18/2012 12:00 PM, Endi Sukma Dewata wrote:
> On 9/18/2012 11:29 AM, Endi Sukma Dewata wrote:
>> The duplicate methods to escape DN value have been removed. The
>> codes that used the duplicate methods have been modified to use
>> LDAPUtil.escapeDN().
>>
>> Ticket #193
>
> New patch attached. Missed a few changes.

ACKed by Ade. Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Wed Sep 19 17:20:31 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 19 Sep 2012 12:20:31 -0500
Subject: [Pki-devel] [PATCH] 119 Added DN and filter escaping in
	ConfigurationUtils.
In-Reply-To: <5058B483.3050305@redhat.com>
References: <5058B483.3050305@redhat.com>
Message-ID: <5059FEDF.1050409@redhat.com>

On 9/18/2012 12:50 PM, Endi Sukma Dewata wrote:
> The ConfigurationUtils has been modified to escape values used in
> DN or filter according to LDAP standard.
>
> Ticket #193

ACKed by Ade. Pushed to master. Thanks.

-- 
Endi S. Dewata



From alee at redhat.com  Thu Sep 20 02:24:00 2012
From: alee at redhat.com (Ade Lee)
Date: Wed, 19 Sep 2012 22:24:00 -0400
Subject: [Pki-devel] [PATCH] 0057-Changes-to-use-standard-dbuser
In-Reply-To: <1348075161.2575.4.camel@aleeredhat.laptop>
References: <1348075161.2575.4.camel@aleeredhat.laptop>
Message-ID: <1348107840.2575.7.camel@aleeredhat.laptop>

Made changes as suggested on #irc.
Specifically , 
- use escapeFilter() instead of escapeDN()
- log if user is null
- rename addCert to delAttr
- throw exception if cannot get subsystem cert.

Acked by Jack and pushed to master.

On Wed, 2012-09-19 at 13:19 -0400, Ade Lee wrote:
> Changes to use standard dbuser
>     
>     We create a user that can be used to connect to the database using the
>     subsystem cert for client auth.  We identified this user, using the seeAlso
>     attribute and provided certmap rules to this effect.
>     
>     For this user, we used to reuse the uid = user CA-hostname-port, which is already
>     created for inter-system communication.  But this is problematic if more than one
>     dbuser exists, as the directory server may bind as the incorrect user.  In any
>     replication topology, there must be only one dbuser using the subsystem cert.
>     
>     To simplify things, we create a new user specifically for this purpose
>     (pkidbuser), and we remove the seeAlso attribute from the older dbusers.
>     
>     A script is needed to convert existing dogtag 9 istances to use the new user,
>     and set the relevant acls.  This will be done in a separate commit.
> 
> Please review.
> 
> Ade
> 
> differences between files attachment
> (pki-vakwetu-0057-Changes-to-use-standard-dbuser.patch)
> >From a57a6e4a68e358fade3e1f217a5f5228004a1c77 Mon Sep 17 00:00:00 2001
> From: Ade Lee <alee at redhat.com>
> Date: Wed, 19 Sep 2012 12:37:41 -0400
> Subject: [PATCH] Changes to use standard dbuser
> 
> We create a user that can be used to connect to the database using the
> subsystem cert for client auth.  We identified this user, using the seeAlso
> attribute and provided certmap rules to this effect.
> 
> For this user, we used to reuse the uid = user CA-hostname-port, which is already
> created for inter-system communication.  But this is problematic if more than one
> dbuser exists, as the directory server may bind as the incorrect user.  In any
> replication topology, there must be only one dbuser using the subsystem cert.
> 
> To simplify things, we create a new user specifically for this purpose
> (pkidbuser), and we remove the seeAlso attribute from the older dbusers.
> 
> A script is needed to convert existing dogtag 9 istances to use the new user,
> and set the relevant acls.  This will be done in a separate commit.
> ---
>  .../com/netscape/certsrv/logging/AuditFormat.java  |  2 +
>  .../com/netscape/certsrv/usrgrp/IUGSubsystem.java  |  8 ++++
>  .../cms/servlet/csadmin/ConfigurationUtils.java    | 52 +++++++++++++++++++---
>  .../netscape/cms/servlet/csadmin/DonePanel.java    | 12 +----
>  .../cms/servlet/csadmin/SystemConfigService.java   |  8 +---
>  .../com/netscape/cmscore/logging/AuditFormat.java  |  5 +++
>  .../com/netscape/cmscore/usrgrp/UGSubsystem.java   | 47 +++++++++++++++++++
>  7 files changed, 109 insertions(+), 25 deletions(-)
> 
> diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFormat.java b/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
> index 72980aa5ad04e3c92c64a2a055c40924723054fb..005043ada55174e231c9acf823fece15a6527314 100644
> --- a/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
> +++ b/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
> @@ -106,6 +106,8 @@ public class AuditFormat {
>              "Admin UID: {0} removed User UID: {1} from group: {2}";
>      public static final String ADDCERTSUBJECTDNFORMAT =
>              "Admin UID: {0} added cert subject DN for User UID: {1}. cert DN: {2}";
> +    public static final String REMOVECERTSUBJECTDNFORMAT =
> +            "Admin UID: {0} removed cert subject DN for User UID: {1}. cert DN: {2}";
>  
>      // LDAP publishing
>      public static final String LDAP_PUBLISHED_FORMAT =
> diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
> index eb7f84ebf4c02985c864e1c6855277f4939729bb..543b33c26bdc7863b714ffc57a229c17e766f4d4 100644
> --- a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
> +++ b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
> @@ -88,6 +88,14 @@ public interface IUGSubsystem extends ISubsystem, IUsrGrp {
>      public void addCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException;
>  
>      /**
> +     * Remove a certSubjectDN field from the user
> +     * @param identity
> +     * @throws EUsrGrpException
> +     * @throws LDAPException
> +     */
> +    public void removeCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException;
> +
> +    /**
>       * Removes a user certificate for a user entry
>       * given a user certificate DN (actually, a combination of version,
>       * serialNumber, issuerDN, and SubjectDN), and it gets removed
> diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
> index 6cd64f654348c0b80aa216c936e2149dc966590d..afeb4c1f6fb7cd922100d78dddfd8c14182aa7ef 100644
> --- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
> +++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
> @@ -144,6 +144,7 @@ import com.netscape.certsrv.ocsp.IOCSPAuthority;
>  import com.netscape.certsrv.system.InstallToken;
>  import com.netscape.certsrv.system.InstallTokenRequest;
>  import com.netscape.certsrv.system.SystemConfigClient;
> +import com.netscape.certsrv.usrgrp.EUsrGrpException;
>  import com.netscape.certsrv.usrgrp.IGroup;
>  import com.netscape.certsrv.usrgrp.IUGSubsystem;
>  import com.netscape.certsrv.usrgrp.IUser;
> @@ -170,6 +171,7 @@ public class ConfigurationUtils {
>      public static String AUTH_FAILURE = "2";
>      public static final BigInteger BIG_ZERO = new BigInteger("0");
>      public static final Long MINUS_ONE = Long.valueOf(-1);
> +    public static final String DBUSER = "pkidbuser";
>  
>      public static boolean loginToken(CryptoToken token, String tokPwd) throws TokenException,
>              IncorrectPasswordException {
> @@ -717,8 +719,6 @@ public class ConfigurationUtils {
>              BadPaddingException, NotInitializedException, NicknameConflictException, UserCertConflictException,
>              NoSuchItemOnTokenException, InvalidBERException, IOException {
>          byte b[] = new byte[1000000];
> -        IConfigStore cs = CMS.getConfigStore();
> -        String instanceRoot = cs.getString("instanceRoot");
>  
>          FileInputStream fis = new FileInputStream(p12File);
>          while (fis.available() > 0)
> @@ -1204,8 +1204,7 @@ public class ConfigurationUtils {
>          String instanceId = cs.getString("instanceId");
>          String cstype = cs.getString("cs.type");
>  
> -        String dbuser = "uid=" + LDAPUtil.escapeDN(cstype + "-" + cs.getString("machineName") + "-"
> -                + cs.getString("service.securePort")) + ",ou=people," + baseDN;
> +        String dbuser = "uid=" + DBUSER + ",ou= people," + baseDN;
>  
>          String configDir = instancePath + File.separator + cstype.toLowerCase() + File.separator + "conf";
>  
> @@ -3389,19 +3388,28 @@ public class ConfigurationUtils {
>          }
>      }
>  
> -    public static void setupDBUser(String dbuser) throws CertificateException, LDAPException, EBaseException,
> +    public static void setupDBUser() throws CertificateException, LDAPException, EBaseException,
>              NotInitializedException, ObjectNotFoundException, TokenException, IOException {
>          IUGSubsystem system =
>                  (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
>  
> +        try {
> +            @SuppressWarnings("unused")
> +            Enumeration<IUser> dbusers = system.findUsers(DBUSER);
> +            CMS.debug("DB User already exists: " + DBUSER);
> +            return;
> +        } catch (EUsrGrpException e) {
> +            CMS.debug("Creating DB User: " + DBUSER);
> +        }
> +
>          String b64 = getSubsystemCert();
>          if (b64 == null) {
>              CMS.debug("setupDBUser(): failed to fetch subsystem cert");
>              return;
>          }
>  
> -        IUser user = system.createUser(dbuser);
> -        user.setFullName(dbuser);
> +        IUser user = system.createUser(DBUSER);
> +        user.setFullName(DBUSER);
>          user.setEmail("");
>          user.setPassword("");
>          user.setUserType("agentType");
> @@ -3414,6 +3422,36 @@ public class ConfigurationUtils {
>          CMS.debug("setupDBUser(): successfully added the user");
>          system.addUserCert(user);
>          CMS.debug("setupDBUser(): successfully add the user certificate");
> +
> +        // set subject dn
> +        system.addCertSubjectDN(user);
> +
> +        // remove old db users
> +        CMS.debug("Removing seeAlso from old dbusers");
> +        removeOldDBUsers(certs[0].getSubjectDN().toString());
> +    }
> +
> +    public static void removeOldDBUsers(String subjectDN) throws EBaseException, LDAPException {
> +        IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
> +        IConfigStore cs = CMS.getConfigStore();
> +        String userbasedn = "ou=people, " + cs.getString("internaldb.basedn");
> +        IConfigStore dbCfg = cs.getSubStore("internaldb");
> +        ILdapConnFactory dbFactory = CMS.getLdapBoundConnFactory();
> +        dbFactory.init(dbCfg);
> +        LDAPConnection conn = dbFactory.getConn();
> +
> +        String filter = "(&(seeAlso=" + LDAPUtil.escapeDN(subjectDN) + ")(!(uid=" + DBUSER + ")))";
> +        String[] attrs = null;
> +        LDAPSearchResults res = conn.search(userbasedn, LDAPConnection.SCOPE_SUB, filter,
> +                attrs, false);
> +        if (res != null) {
> +            while (res.hasMoreElements()) {
> +                String uid = (String) res.next().getAttribute("uid").getStringValues().nextElement();
> +                IUser user = system.getUser(uid);
> +                CMS.debug("removeOldDUsers: Removing seeAlso from " + uid);
> +                system.removeCertSubjectDN(user);
> +            }
> +        }
>      }
>  
>      public static String getSubsystemCert() throws EBaseException, NotInitializedException, ObjectNotFoundException,
> diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
> index e81afdd2f9068e27dd3c89d462e6c92805b6158e..197c16ad351c15b6bc00ec39dd21499ea293143a 100644
> --- a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
> +++ b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
> @@ -31,8 +31,6 @@ import com.netscape.certsrv.apps.CMS;
>  import com.netscape.certsrv.base.IConfigStore;
>  import com.netscape.certsrv.ocsp.IOCSPAuthority;
>  import com.netscape.certsrv.property.PropertySet;
> -import com.netscape.certsrv.usrgrp.IUGSubsystem;
> -import com.netscape.certsrv.usrgrp.IUser;
>  import com.netscape.cms.servlet.wizard.WizardServlet;
>  import com.netscape.cmsutil.util.Utils;
>  
> @@ -225,16 +223,8 @@ public class DonePanel extends WizardPanelBase {
>              e.printStackTrace();
>          }
>  
> -        String dbuser = null;
>          try {
> -            dbuser = cs.getString("cs.type") + "-" + cs.getString("machineName") + "-"
> -                    + cs.getString("service.securePort");
> -            if (!sdtype.equals("new")) {
> -                ConfigurationUtils.setupDBUser(dbuser);
> -            }
> -            IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
> -            IUser user = system.getUser(dbuser);
> -            system.addCertSubjectDN(user);
> +            ConfigurationUtils.setupDBUser();
>          } catch (Exception e) {
>              e.printStackTrace();
>              CMS.debug("DonePanel - update(): Unable to create or update dbuser" + e);
> diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
> index 4ae9579f29479a2e01e2e14b386f14f8a0b80f7e..3bbe3ca8099f0e722271e9bf7ae21812bffb5404 100644
> --- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
> +++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
> @@ -703,13 +703,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
>          }
>  
>          try {
> -            String dbuser = csType + "-" + CMS.getEEHost() + "-" + cs.getString("service.securePort");
> -            if (! securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) {
> -                ConfigurationUtils.setupDBUser(dbuser);
> -            }
> -            IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
> -            IUser user = system.getUser(dbuser);
> -            system.addCertSubjectDN(user);
> +            ConfigurationUtils.setupDBUser();
>          } catch (Exception e) {
>              e.printStackTrace();
>              throw new PKIException("Errors in creating or updating dbuser: " + e);
> diff --git a/base/common/src/com/netscape/cmscore/logging/AuditFormat.java b/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
> index 9ba62babbd6c401f90b461fccacda275b5e69da8..42c3b0d6f2ac2ea809f78d36b2f856dc3de3c10b 100644
> --- a/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
> +++ b/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
> @@ -108,4 +108,9 @@ public class AuditFormat {
>              "Admin UID: {0} added User UID: {1} to group: {2}";
>      public static final String REMOVEUSERGROUPFORMAT =
>              "Admin UID: {0} removed User UID: {1} from group: {2}";
> +    public static final String ADDCERTSUBJECTDNFORMAT =
> +            "Admin UID: {0} added cert subject DN for User UID: {1}. cert DN: {2}";
> +    public static final String REMOVECERTSUBJECTDNFORMAT =
> +            "Admin UID: {0} removed cert subject DN for User UID: {1}. cert DN: {2}";
> +
>  }
> diff --git a/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java b/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
> index 9e3dacb17a16f0d292476b351b9e2309cb184f1b..76132734d2f6604b8770c05a3473d7b0176d2738 100644
> --- a/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
> +++ b/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
> @@ -820,6 +820,53 @@ public final class UGSubsystem implements IUGSubsystem {
>          return;
>      }
>  
> +    public void removeCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException {
> +        User user = (User) identity;
> +
> +        if (user == null) {
> +            return;
> +        }
> +
> +        X509Certificate cert[] = null;
> +        LDAPModificationSet addCert = new LDAPModificationSet();
> +
> +        if ((cert = user.getX509Certificates()) != null) {
> +            LDAPAttribute attrCertDNStr = new LDAPAttribute(LDAP_ATTR_CERTDN);
> +            attrCertDNStr.addValue(cert[0].getSubjectDN().toString());
> +            addCert.add(LDAPModification.DELETE, attrCertDNStr);
> +
> +            LDAPConnection ldapconn = null;
> +
> +            try {
> +                ldapconn = getConn();
> +                ldapconn.modify("uid=" + LDAPUtil.escapeDN(user.getUserID()) +
> +                        "," + getUserBaseDN(), addCert);
> +                // for audit log
> +                SessionContext sessionContext = SessionContext.getContext();
> +                String adminId = (String) sessionContext.get(SessionContext.USER_ID);
> +
> +                mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP,
> +                        AuditFormat.LEVEL, AuditFormat.REMOVECERTSUBJECTDNFORMAT,
> +                        new Object[] { adminId, user.getUserID(),
> +                                cert[0].getSubjectDN().toString() }
> +                        );
> +
> +            } catch (LDAPException e) {
> +                if (Debug.ON) {
> +                    e.printStackTrace();
> +                }
> +                log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
> +                throw e;
> +            } catch (ELdapException e) {
> +                log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
> +            } finally {
> +                if (ldapconn != null)
> +                    returnConn(ldapconn);
> +            }
> +        }
> +        return;
> +    }
> +
>      /**
>       * Removes a user certificate for a user entry
>       * given a user certificate DN (actually, a combination of version,
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From edewata at redhat.com  Thu Sep 20 15:06:37 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 20 Sep 2012 10:06:37 -0500
Subject: [Pki-devel] [PATCH] 120 Added log messages using Log4j.
Message-ID: <505B30FD.3030402@redhat.com>

Some REST services (user, group, and group member) have been modified
to log messages using Log4j.

Ticket #195

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0120-Added-log-messages-using-Log4j.patch
Type: text/x-patch
Size: 19467 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120920/a6bb1df0/attachment.bin>

From edewata at redhat.com  Thu Sep 20 15:07:03 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 20 Sep 2012 10:07:03 -0500
Subject: [Pki-devel] [PATCH] 121 Added unescapeRDNValue() method.
Message-ID: <505B3117.60106@redhat.com>

A new method has been added to unescape RDN values in a DN. This
is used to get the correct group member ID from a DN stored in
the uniqueMember attribute.

Ticket #193

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0121-Added-unescapeRDNValue-method.patch
Type: text/x-patch
Size: 8509 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120920/792dd1fb/attachment.bin>

From mharmsen at redhat.com  Thu Sep 20 17:52:51 2012
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 20 Sep 2012 10:52:51 -0700
Subject: [Pki-devel] [PATCH] Audit Cert Renewal
Message-ID: <505B57F3.4060604@redhat.com>

The attached patch addresses the following PKI issue:

  * TRAC Ticket #333 - Increase audit cert renewal range to 2 years
  * Bugzilla Bug #843979 - Increase audit cert renewal range to 2 years

This patch is intended for both Dogtag 9 and Dogtag 10.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120920/3f87b963/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20120920-Audit-Cert-Renewal.patch
Type: text/x-patch
Size: 1634 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120920/3f87b963/attachment.bin>

From awnuk at redhat.com  Thu Sep 20 22:06:32 2012
From: awnuk at redhat.com (Andrew Wnuk)
Date: Thu, 20 Sep 2012 15:06:32 -0700
Subject: [Pki-devel] [PATCH] Audit Cert Renewal
In-Reply-To: <505B57F3.4060604@redhat.com>
References: <505B57F3.4060604@redhat.com>
Message-ID: <505B9368.20302@redhat.com>

On 09/20/2012 10:52 AM, Matthew Harmsen wrote:
> The attached patch addresses the following PKI issue:
>
>   * TRAC Ticket #333 - Increase audit cert renewal range to 2 years
>   * Bugzilla Bug #843979 - Increase audit cert renewal range to 2 years
>
> This patch is intended for both Dogtag 9 and Dogtag 10.
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120920/bf4cab23/attachment.htm>

From mharmsen at redhat.com  Fri Sep 21 03:14:54 2012
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 20 Sep 2012 20:14:54 -0700
Subject: [Pki-devel] [PATCH] Correctly resolve symlinks in subdirectories
Message-ID: <505BDBAE.10605@redhat.com>

The attached patch addresses the following PKI issue:

  * TRAC Ticket #338 - Dogtag 10: pkihelper.py directory.set_mode() does
    not resolve symlinks correctly

Please review this patch for Dogtag 10.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120920/6fb08ca7/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20120920-Correctly-resolve-symlinks-in-subdirectories.patch
Type: text/x-patch
Size: 1863 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120920/6fb08ca7/attachment.bin>

From alee at redhat.com  Fri Sep 21 17:32:49 2012
From: alee at redhat.com (Ade Lee)
Date: Fri, 21 Sep 2012 13:32:49 -0400
Subject: [Pki-devel] PATCH -
	0058-Use-getStatus-servlet-to-report-startup-status
Message-ID: <1348248770.2575.35.camel@aleeredhat.laptop>

Use getStatus servlet to report startup status.  This provides an
interface for clients to call and determine if the server is up and
ready to serve.
    
Also added code to report the rpm version of the server in the same
servlet.

This is for dogtag 10.  A dogtag 9 version of this patch is forthcoming.

Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0058-Use-getStatus-servlet-to-report-startup-status.patch
Type: text/x-patch
Size: 6495 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120921/ef870d22/attachment.bin>

From alee at redhat.com  Fri Sep 21 19:44:53 2012
From: alee at redhat.com (Ade Lee)
Date: Fri, 21 Sep 2012 15:44:53 -0400
Subject: [Pki-devel] PATCH -
 0058-Use-getStatus-servlet-to-report-startup-status
In-Reply-To: <1348248770.2575.35.camel@aleeredhat.laptop>
References: <1348248770.2575.35.camel@aleeredhat.laptop>
Message-ID: <1348256694.2575.45.camel@aleeredhat.laptop>

after discussion with Endi, decided to use a VERSION file generated by
cmake and delivered probably by pki-base to get the version.

Removed that code from this patch.  Pushed getStatus changes to master.

Ade

On Fri, 2012-09-21 at 13:32 -0400, Ade Lee wrote:
> Use getStatus servlet to report startup status.  This provides an
> interface for clients to call and determine if the server is up and
> ready to serve.
>     
> Also added code to report the rpm version of the server in the same
> servlet.
> 
> This is for dogtag 10.  A dogtag 9 version of this patch is forthcoming.
> 
> Ade
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From edewata at redhat.com  Mon Sep 24 19:47:56 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 24 Sep 2012 14:47:56 -0500
Subject: [Pki-devel] [PATCH] 123 Merged pki-setup into pki-server.
Message-ID: <5060B8EC.5050102@redhat.com>

The scripts to create and remove PKI instances have been moved from
pki-setup into pki-server package.

Ticket #336

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0123-Merged-pki-setup-into-pki-server.patch
Type: text/x-patch
Size: 11759 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120924/1e3ed499/attachment.bin>

From cfu at redhat.com  Mon Sep 24 23:06:32 2012
From: cfu at redhat.com (Christina Fu)
Date: Mon, 24 Sep 2012 16:06:32 -0700
Subject: [Pki-devel] Review Request: TMS ECC Key Recovery
Message-ID: <5060E778.4000708@redhat.com>

https://fedorahosted.org/pki/ticket/252  - TMS - ECC Key Recovery

patch for review:
https://fedorahosted.org/pki/attachment/ticket/252/TMS-ECC-Recovery.patchForReview

This patch provides code to allow ECC key recovery in the TMS environment.
It was tested to work with tpsclient.  The key injection part of 
implementation for the actual smart card tokens is scheduled to be done 
in  #235 at a later time.

I can do a demo tomorrow in office.

thanks,
Christina



From alee at redhat.com  Tue Sep 25 13:43:28 2012
From: alee at redhat.com (Ade Lee)
Date: Tue, 25 Sep 2012 09:43:28 -0400
Subject: [Pki-devel] [PATCH] 123 Merged pki-setup into pki-server.
In-Reply-To: <5060B8EC.5050102@redhat.com>
References: <5060B8EC.5050102@redhat.com>
Message-ID: <1348580608.2575.58.camel@aleeredhat.laptop>

ack

On Mon, 2012-09-24 at 14:47 -0500, Endi Sukma Dewata wrote:
> The scripts to create and remove PKI instances have been moved from
> pki-setup into pki-server package.
> 
> Ticket #336
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From edewata at redhat.com  Tue Sep 25 17:37:25 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 25 Sep 2012 12:37:25 -0500
Subject: [Pki-devel] [PATCH] 123 Merged pki-setup into pki-server.
In-Reply-To: <1348580608.2575.58.camel@aleeredhat.laptop>
References: <5060B8EC.5050102@redhat.com>
	<1348580608.2575.58.camel@aleeredhat.laptop>
Message-ID: <5061EBD5.9050804@redhat.com>

On 9/25/2012 8:43 AM, Ade Lee wrote:
> ack

Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Tue Sep 25 18:28:52 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 25 Sep 2012 13:28:52 -0500
Subject: [Pki-devel] [PATCH] 124 Added VERSION file.
Message-ID: <5061F7E4.7090007@redhat.com>

The CMake scripts have been modified to store the version number
in /usr/share/pki/VERSION and in JAR manifest files. These files
can be read by PKI applications to obtain the version number
without having to query the RPM database.

Fixed warnings in Java.cmake file.

Ticket #339

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0124-Added-VERSION-file.patch
Type: text/x-patch
Size: 22233 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120925/e6f3ed3b/attachment.bin>

From edewata at redhat.com  Tue Sep 25 20:19:08 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 25 Sep 2012 15:19:08 -0500
Subject: [Pki-devel] [PATCH] 122 Renamed escapeDN() into escapeRDNValue().
Message-ID: <506211BC.5010102@redhat.com>

The escapeDN() has been renamed into escapeRDNValue() for better
clarity.

Ticket #193

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0122-Renamed-escapeDN-into-escapeRDNValue.patch
Type: text/x-patch
Size: 28267 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120925/51885fa4/attachment.bin>

From edewata at redhat.com  Wed Sep 26 03:11:48 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 25 Sep 2012 22:11:48 -0500
Subject: [Pki-devel] [PATCH] 125 Fixed synchronization problem in
	CertificateRepository.
Message-ID: <50627274.7010304@redhat.com>

Some synchronized methods in CertificateRepository have been moved
into CertStatusUpdateThread to avoid blocking other synchronized
methods too long.

Ticket #313

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0125-Fixed-synchronization-problem-in-CertificateReposito.patch
Type: text/x-patch
Size: 7562 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120925/586748dc/attachment.bin>

From jmagne at redhat.com  Thu Sep 27 01:39:04 2012
From: jmagne at redhat.com (John Magne)
Date: Wed, 26 Sep 2012 21:39:04 -0400 (EDT)
Subject: [Pki-devel] Review Request: TMS ECC Key Recovery
In-Reply-To: <5060E778.4000708@redhat.com>
Message-ID: <1838820972.2062227.1348709944705.JavaMail.root@redhat.com>

Couple Questions:

In the following piece of the patch:

+            SECITEM_FreeItem(&der, PR_FALSE);
81	                        SECKEY_DestroySubjectPublicKeyInfo(spki);
82	 

It looks like both are executed , even when the call to  
   spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der);

Fails and spki is NULL. Does the DestroySubjectPublicKeyInfo handle this? Also Will "der" be in a state to harm the call to SECITEM_FreeItem?



Index: tps/src/engine/RA.cpp
187	===================================================================
188	--- tps/src/engine/RA.cpp       (revision 2497)
189	+++ tps/src/engine/RA.cpp       (working copy)
190	@@ -1238,7 +1238,10 @@
191	        goto loser;
192	       } else {
193	        RA::Debug(LL_PER_PDU, "RecoverKey", "got public key =%s", tmp);
194	-       *publicKey_s  = PL_strdup(tmp);
195	+          char *tmp_publicKey_s  = PL_strdup(tmp);
196	+          Buffer *decodePubKey = Util::URLDecode(tmp_publicKey_s);
197	+          *publicKey_s =
198	+              BTOA_DataToAscii(decodePubKey->getBuf(), decodePubKey->getLen());
199	       }
200	 
201	       tmp = NULL;
202	@@ -1256,7 +1259,7 @@
203	           RA::Error(LL_PER_PDU, "RecoverKey",
204	               "did not get iv_param for recovered  key in DRM response");
205	       } else {
206	-          RA::Debug(LL_PER_PDU, "ServerSideKeyGen", "got iv_param for recovered key =%s", tmp);
207	+          RA::Debug(LL_PER_PDU, "RecoverKey", "got iv_param for recovered key =%s", tmp);
208	           *ivParam_s  = PL_strdup(tmp);
209	       }

In the above code we are doing a strdup giving publicKey_s.

Are we freeing that string anywhere?






----- Original Message -----
From: "Christina Fu" <cfu at redhat.com>
To: "pki-devel" <pki-devel at redhat.com>
Sent: Monday, September 24, 2012 4:06:32 PM
Subject: [Pki-devel] Review Request: TMS ECC Key Recovery

https://fedorahosted.org/pki/ticket/252  - TMS - ECC Key Recovery

patch for review:
https://fedorahosted.org/pki/attachment/ticket/252/TMS-ECC-Recovery.patchForReview

This patch provides code to allow ECC key recovery in the TMS environment.
It was tested to work with tpsclient.  The key injection part of 
implementation for the actual smart card tokens is scheduled to be done 
in  #235 at a later time.

I can do a demo tomorrow in office.

thanks,
Christina

_______________________________________________
Pki-devel mailing list
Pki-devel at redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel



From alee at redhat.com  Thu Sep 27 17:06:41 2012
From: alee at redhat.com (Ade Lee)
Date: Thu, 27 Sep 2012 13:06:41 -0400
Subject: [Pki-devel] [PATCH] 59 - fall back to old interface for install
	token if needed
Message-ID: <1348765601.2575.63.camel@aleeredhat.laptop>

Please review.

Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0059-fall-back-to-old-interface-for-installtoken-if-neede.patch
Type: text/x-patch
Size: 6972 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120927/4c02bbce/attachment.bin>

From cfu at redhat.com  Thu Sep 27 17:56:18 2012
From: cfu at redhat.com (Christina Fu)
Date: Thu, 27 Sep 2012 10:56:18 -0700
Subject: [Pki-devel] Review Request: TMS ECC Key Recovery
In-Reply-To: <1838820972.2062227.1348709944705.JavaMail.root@redhat.com>
References: <1838820972.2062227.1348709944705.JavaMail.root@redhat.com>
Message-ID: <50649342.2090808@redhat.com>

Hi Jack,

Thanks for the review.  Please find my response in-line below.

thanks,
Christina

On 09/26/2012 06:39 PM, John Magne wrote:
> Couple Questions:
>
> In the following piece of the patch:
>
> +            SECITEM_FreeItem(&der, PR_FALSE);
> 81	                        SECKEY_DestroySubjectPublicKeyInfo(spki);
> 82	
>
> It looks like both are executed , even when the call to
>     spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der);
>
> Fails and spki is NULL. Does the DestroySubjectPublicKeyInfo handle this? Also Will "der" be in a state to harm the call to SECITEM_FreeItem?
>

DestroySubjectPublicKeyInfo checks before it frees so it is okay if spki happens to be null:

void
SECKEY_DestroySubjectPublicKeyInfo(CERTSubjectPublicKeyInfo *spki)
{
     if (spki && spki->arena) {
     PORT_FreeArena(spki->arena, PR_FALSE);
     }
}

Also, the content of der is copied over in 
SECKEY_DecodeDERSubjectPublicKeyInfo(), so once the call is done, the 
code has no use for der any more, hence the SECITEM_FreeItem after.
Also, SECITEM_FreeItem checks for null before it frees as well, so it's 
safe to call.
>
> Index: tps/src/engine/RA.cpp
> 187	===================================================================
> 188	--- tps/src/engine/RA.cpp       (revision 2497)
> 189	+++ tps/src/engine/RA.cpp       (working copy)
> 190	@@ -1238,7 +1238,10 @@
> 191	        goto loser;
> 192	       } else {
> 193	        RA::Debug(LL_PER_PDU, "RecoverKey", "got public key =%s", tmp);
> 194	-       *publicKey_s  = PL_strdup(tmp);
> 195	+          char *tmp_publicKey_s  = PL_strdup(tmp);
> 196	+          Buffer *decodePubKey = Util::URLDecode(tmp_publicKey_s);
> 197	+          *publicKey_s =
> 198	+              BTOA_DataToAscii(decodePubKey->getBuf(), decodePubKey->getLen());
> 199	       }
> 200	
> 201	       tmp = NULL;
> 202	@@ -1256,7 +1259,7 @@
> 203	           RA::Error(LL_PER_PDU, "RecoverKey",
> 204	               "did not get iv_param for recovered  key in DRM response");
> 205	       } else {
> 206	-          RA::Debug(LL_PER_PDU, "ServerSideKeyGen", "got iv_param for recovered key =%s", tmp);
> 207	+          RA::Debug(LL_PER_PDU, "RecoverKey", "got iv_param for recovered key =%s", tmp);
> 208	           *ivParam_s  = PL_strdup(tmp);
> 209	       }
>
> In the above code we are doing a strdup giving publicKey_s.
>
> Are we freeing that string anywhere?
>
I introduced two variables there.  Yes, I should free them.
>
>
>
>
> ----- Original Message -----
> From: "Christina Fu"<cfu at redhat.com>
> To: "pki-devel"<pki-devel at redhat.com>
> Sent: Monday, September 24, 2012 4:06:32 PM
> Subject: [Pki-devel] Review Request: TMS ECC Key Recovery
>
> https://fedorahosted.org/pki/ticket/252  - TMS - ECC Key Recovery
>
> patch for review:
> https://fedorahosted.org/pki/attachment/ticket/252/TMS-ECC-Recovery.patchForReview
>
> This patch provides code to allow ECC key recovery in the TMS environment.
> It was tested to work with tpsclient.  The key injection part of
> implementation for the actual smart card tokens is scheduled to be done
> in  #235 at a later time.
>
> I can do a demo tomorrow in office.
>
> thanks,
> Christina
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel



From alee at redhat.com  Fri Sep 28 01:35:08 2012
From: alee at redhat.com (Ade Lee)
Date: Thu, 27 Sep 2012 21:35:08 -0400
Subject: [Pki-devel] [PATCH] 121 Added unescapeRDNValue() method.
In-Reply-To: <505B3117.60106@redhat.com>
References: <505B3117.60106@redhat.com>
Message-ID: <1348796108.2575.64.camel@aleeredhat.laptop>

This needs to be rebased.

Ade
On Thu, 2012-09-20 at 10:07 -0500, Endi Sukma Dewata wrote:
> A new method has been added to unescape RDN values in a DN. This
> is used to get the correct group member ID from a DN stored in
> the uniqueMember attribute.
> 
> Ticket #193
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From alee at redhat.com  Fri Sep 28 01:39:15 2012
From: alee at redhat.com (Ade Lee)
Date: Thu, 27 Sep 2012 21:39:15 -0400
Subject: [Pki-devel] [PATCH] 122 Renamed escapeDN() into
 escapeRDNValue().
In-Reply-To: <506211BC.5010102@redhat.com>
References: <506211BC.5010102@redhat.com>
Message-ID: <1348796356.2575.65.camel@aleeredhat.laptop>

ack.

On Tue, 2012-09-25 at 15:19 -0500, Endi Sukma Dewata wrote:
> The escapeDN() has been renamed into escapeRDNValue() for better
> clarity.
> 
> Ticket #193
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From edewata at redhat.com  Fri Sep 28 02:23:34 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 27 Sep 2012 21:23:34 -0500
Subject: [Pki-devel] [PATCH] 122 Renamed escapeDN() into
	escapeRDNValue().
In-Reply-To: <1348796356.2575.65.camel@aleeredhat.laptop>
References: <506211BC.5010102@redhat.com>
	<1348796356.2575.65.camel@aleeredhat.laptop>
Message-ID: <50650A26.6080400@redhat.com>

On 9/27/2012 8:39 PM, Ade Lee wrote:
> ack.

Pushed to master.

-- 
Endi S. Dewata



From alee at redhat.com  Fri Sep 28 02:42:25 2012
From: alee at redhat.com (Ade Lee)
Date: Thu, 27 Sep 2012 22:42:25 -0400
Subject: [Pki-devel] [PATCH] 59 - fall back to old interface for install
 token if needed
In-Reply-To: <1348765601.2575.63.camel@aleeredhat.laptop>
References: <1348765601.2575.63.camel@aleeredhat.laptop>
Message-ID: <1348800146.2575.66.camel@aleeredhat.laptop>

Changes made as discussed on #irc.  Acked by Endi.  Pushed to master.

On Thu, 2012-09-27 at 13:06 -0400, Ade Lee wrote:
> Please review.
> 
> Ade
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0059-1-fall-back-to-old-interface-for-installtoken-if-neede.patch
Type: text/x-patch
Size: 7691 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120927/18313007/attachment.bin>

From edewata at redhat.com  Fri Sep 28 03:38:22 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 27 Sep 2012 22:38:22 -0500
Subject: [Pki-devel] [PATCH] 124 Added VERSION file.
In-Reply-To: <5061F7E4.7090007@redhat.com>
References: <5061F7E4.7090007@redhat.com>
Message-ID: <50651BAE.3090702@redhat.com>

On 9/25/2012 1:28 PM, Endi Sukma Dewata wrote:
> The CMake scripts have been modified to store the version number
> in /usr/share/pki/VERSION and in JAR manifest files. These files
> can be read by PKI applications to obtain the version number
> without having to query the RPM database.
>
> Fixed warnings in Java.cmake file.
>
> Ticket #339

New patch attached. The VERSION file is now generated for the core 
packages only because it will only be included in pki-base. This fixes 
the problem building other packages such as RA.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0124-1-Added-VERSION-file.patch
Type: text/x-patch
Size: 22858 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120927/5f1c7dec/attachment.bin>

From alee at redhat.com  Fri Sep 28 03:47:55 2012
From: alee at redhat.com (Ade Lee)
Date: Thu, 27 Sep 2012 23:47:55 -0400
Subject: [Pki-devel] [PATCH] 125 Fixed synchronization problem in
 CertificateRepository.
In-Reply-To: <50627274.7010304@redhat.com>
References: <50627274.7010304@redhat.com>
Message-ID: <1348804076.2575.67.camel@aleeredhat.laptop>

looks ok to me, but I's like Andrew to take a look.

Ade

On Tue, 2012-09-25 at 22:11 -0500, Endi Sukma Dewata wrote:
> Some synchronized methods in CertificateRepository have been moved
> into CertStatusUpdateThread to avoid blocking other synchronized
> methods too long.
> 
> Ticket #313
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From edewata at redhat.com  Fri Sep 28 04:02:32 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 27 Sep 2012 23:02:32 -0500
Subject: [Pki-devel] [PATCH] 124 Added VERSION file.
In-Reply-To: <50651BAE.3090702@redhat.com>
References: <5061F7E4.7090007@redhat.com> <50651BAE.3090702@redhat.com>
Message-ID: <50652158.2050309@redhat.com>

On 9/27/2012 10:38 PM, Endi Sukma Dewata wrote:
> On 9/25/2012 1:28 PM, Endi Sukma Dewata wrote:
>> The CMake scripts have been modified to store the version number
>> in /usr/share/pki/VERSION and in JAR manifest files. These files
>> can be read by PKI applications to obtain the version number
>> without having to query the RPM database.
>>
>> Fixed warnings in Java.cmake file.
>>
>> Ticket #339
>
> New patch attached. The VERSION file is now generated for the core
> packages only because it will only be included in pki-base. This fixes
> the problem building other packages such as RA.

New patch attached. Fixed wrong variable name.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0124-2-Added-VERSION-file.patch
Type: text/x-patch
Size: 22856 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120927/2253b71d/attachment.bin>

From edewata at redhat.com  Fri Sep 28 05:39:50 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 28 Sep 2012 00:39:50 -0500
Subject: [Pki-devel] [PATCH] 126 Added package checking for pkispawn and
	pkidestroy.
Message-ID: <50653826.1050301@redhat.com>

The pkiparser.py has been modified such that it will check whether
the package for the subsystem being created/removed by pkispawn/
pkidestroy has been installed.

Ticket #332

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0126-Added-package-checking-in-pkispawn-and-pkidestroy.patch
Type: text/x-patch
Size: 4348 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120928/ad85a7c6/attachment.bin>

From edewata at redhat.com  Fri Sep 28 06:01:31 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 28 Sep 2012 01:01:31 -0500
Subject: [Pki-devel] [PATCH] 127 Added version number into server status.
Message-ID: <50653D3B.8080909@redhat.com>

The GetStatus servlet has been modified to include the server version
number.

Ticket #339

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0127-Added-version-number-into-server-status.patch
Type: text/x-patch
Size: 1611 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120928/32913a37/attachment.bin>

From alee at redhat.com  Fri Sep 28 14:02:59 2012
From: alee at redhat.com (Ade Lee)
Date: Fri, 28 Sep 2012 10:02:59 -0400
Subject: [Pki-devel] [PATCH] 126 Added package checking for pkispawn and
 pkidestroy.
In-Reply-To: <50653826.1050301@redhat.com>
References: <50653826.1050301@redhat.com>
Message-ID: <1348840980.2575.75.camel@aleeredhat.laptop>

ack

On Fri, 2012-09-28 at 00:39 -0500, Endi Sukma Dewata wrote:
> The pkiparser.py has been modified such that it will check whether
> the package for the subsystem being created/removed by pkispawn/
> pkidestroy has been installed.
> 
> Ticket #332
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From alee at redhat.com  Fri Sep 28 14:03:50 2012
From: alee at redhat.com (Ade Lee)
Date: Fri, 28 Sep 2012 10:03:50 -0400
Subject: [Pki-devel] [PATCH] 127 Added version number into server status.
In-Reply-To: <50653D3B.8080909@redhat.com>
References: <50653D3B.8080909@redhat.com>
Message-ID: <1348841030.2575.76.camel@aleeredhat.laptop>

ack

On Fri, 2012-09-28 at 01:01 -0500, Endi Sukma Dewata wrote:
> The GetStatus servlet has been modified to include the server version
> number.
> 
> Ticket #339
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From alee at redhat.com  Fri Sep 28 14:08:09 2012
From: alee at redhat.com (Ade Lee)
Date: Fri, 28 Sep 2012 10:08:09 -0400
Subject: [Pki-devel] [PATCH] 126 Added package checking for pkispawn and
 pkidestroy.
In-Reply-To: <1348840980.2575.75.camel@aleeredhat.laptop>
References: <50653826.1050301@redhat.com>
	<1348840980.2575.75.camel@aleeredhat.laptop>
Message-ID: <1348841290.2575.79.camel@aleeredhat.laptop>

actually .. its ok to check for the package pki-ca etc. when you want to
pkispawn an instance.   But maybe, we do not want to do this check when
executing pkidestroy.

After all someone might remove the rpm. and then try to clean up the
instances.  As far as I know, there isn't any reason for them not to be
able to do that.

Ade

On Fri, 2012-09-28 at 10:02 -0400, Ade Lee wrote:
> ack
> 
> On Fri, 2012-09-28 at 00:39 -0500, Endi Sukma Dewata wrote:
> > The pkiparser.py has been modified such that it will check whether
> > the package for the subsystem being created/removed by pkispawn/
> > pkidestroy has been installed.
> > 
> > Ticket #332
> > 
> > _______________________________________________
> > Pki-devel mailing list
> > Pki-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel
> 
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel




From edewata at redhat.com  Fri Sep 28 14:46:03 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 28 Sep 2012 09:46:03 -0500
Subject: [Pki-devel] [PATCH] 124 Added VERSION file.
In-Reply-To: <50652158.2050309@redhat.com>
References: <5061F7E4.7090007@redhat.com> <50651BAE.3090702@redhat.com>
	<50652158.2050309@redhat.com>
Message-ID: <5065B82B.7030606@redhat.com>

On 9/27/2012 11:02 PM, Endi Sukma Dewata wrote:
> On 9/27/2012 10:38 PM, Endi Sukma Dewata wrote:
>> On 9/25/2012 1:28 PM, Endi Sukma Dewata wrote:
>>> The CMake scripts have been modified to store the version number
>>> in /usr/share/pki/VERSION and in JAR manifest files. These files
>>> can be read by PKI applications to obtain the version number
>>> without having to query the RPM database.
>>>
>>> Fixed warnings in Java.cmake file.
>>>
>>> Ticket #339
>>
>> New patch attached. The VERSION file is now generated for the core
>> packages only because it will only be included in pki-base. This fixes
>> the problem building other packages such as RA.
>
> New patch attached. Fixed wrong variable name.

ACKed by Ade. Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Fri Sep 28 14:46:10 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 28 Sep 2012 09:46:10 -0500
Subject: [Pki-devel] [PATCH] 127 Added version number into server status.
In-Reply-To: <50653D3B.8080909@redhat.com>
References: <50653D3B.8080909@redhat.com>
Message-ID: <5065B832.90900@redhat.com>

On 9/28/2012 1:01 AM, Endi Sukma Dewata wrote:
> The GetStatus servlet has been modified to include the server version
> number.
>
> Ticket #339

ACKed by Ade. Pushed to master.

-- 
Endi S. Dewata



From awnuk at redhat.com  Fri Sep 28 18:18:30 2012
From: awnuk at redhat.com (Andrew Wnuk)
Date: Fri, 28 Sep 2012 11:18:30 -0700
Subject: [Pki-devel] [PATCH] 125 Fixed synchronization problem in
	CertificateRepository.
In-Reply-To: <50627274.7010304@redhat.com>
References: <50627274.7010304@redhat.com>
Message-ID: <5065E9F6.70006@redhat.com>

On 09/25/2012 08:11 PM, Endi Sukma Dewata wrote:
> Some synchronized methods in CertificateRepository have been moved
> into CertStatusUpdateThread to avoid blocking other synchronized
> methods too long.
>
> Ticket #313
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
NACK.

processRevokedCerts - seems to be use only by CRLIssuingPoint and it is 
not used by CertificateRepository maintenance thread therefore I so not 
reason to move processRevokedCerts to CertStatusUpdateTask.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120928/843820e3/attachment.htm>

From edewata at redhat.com  Sat Sep 29 14:43:32 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 29 Sep 2012 09:43:32 -0500
Subject: [Pki-devel] [PATCH] 126 Added package checking for pkispawn and
 pkidestroy.
In-Reply-To: <1348841290.2575.79.camel@aleeredhat.laptop>
References: <50653826.1050301@redhat.com>
	<1348840980.2575.75.camel@aleeredhat.laptop>
	<1348841290.2575.79.camel@aleeredhat.laptop>
Message-ID: <50670914.7070202@redhat.com>

On 9/28/2012 9:08 AM, Ade Lee wrote:
> actually .. its ok to check for the package pki-ca etc. when you want to
> pkispawn an instance.   But maybe, we do not want to do this check when
> executing pkidestroy.
>
> After all someone might remove the rpm. and then try to clean up the
> instances.  As far as I know, there isn't any reason for them not to be
> able to do that.
>
> Ade

New patch attached. As discussed, we might move some deployment files 
into the subsystem package in the future so pkidestroy may require the 
subsystem package to be installed. But for now I've moved the code from 
pkiparse.py into pkispawn so the checking is done in pkispawn only.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0126-1-Added-package-checking-for-pkispawn.patch
Type: text/x-patch
Size: 2072 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120929/629b11fd/attachment.bin>

From edewata at redhat.com  Sun Sep 30 17:52:25 2012
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 30 Sep 2012 12:52:25 -0500
Subject: [Pki-devel] [PATCH] 128 Using RPM version number in CMake.
Message-ID: <506886D9.1090804@redhat.com>

The RPM spec files have been modified to pass the full RPM version
number to CMake. The version number contains the product version
number, release number, milestone, and platform. The CMake scritps
will parse and use this version number to generate Java manifest
files. The product version number will be used as the specification
version and full version number will be used as the implementation
version.

Ticket #339

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0128-Using-RPM-version-number-in-CMake.patch
Type: text/x-patch
Size: 25615 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120930/58042b13/attachment.bin>