From mharmsen at redhat.com Tue Mar 5 02:53:11 2013
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Mon, 04 Mar 2013 18:53:11 -0800
Subject: [Pki-devel] [PATCH] PKI Theme changes
Message-ID: <51355E17.8040908@redhat.com>

Please review the attached patch which addresses the following issues:

  * TRAC Ticket #517 - Clean up theme dependencies
  * TRAC Ticket #518 - Remove UI dependencies from pkispawn . . .
  * Bugzilla Bug #916134 - unresolved dependency in pki-server:
    pki-server-theme

This patch was tested by installing a CA on a 64-bit Fedora 18 machine
which contained no packages to provide "pki-server-theme".

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20130304-PKI-theme-changes.patch
Type: text/x-patch
Size: 12242 bytes
Desc: not available

From akoneru at redhat.com Tue Mar 5 04:03:45 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Mon, 04 Mar 2013 23:03:45 -0500
Subject: [Pki-devel] [PATCH] 36 - Fix for track ticket 493 in Dogtag 10.0.2 - No interpolation for password fields.
Message-ID: <1362456225.26254.2.camel@akoneru.redhat.com>

Please review the patch attached for fixing the ticket 493 in Dogtag
10.0.2.

Tested in both interactive and file-passing (-f option) of
pkispawn.

--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0036-Ticket-493-Fix-Interpolation-should-not-apply-for-pa.patch
Type: text/x-patch
Size: 4496 bytes
Desc: not available

From mharmsen at redhat.com Tue Mar 5 18:38:53 2013
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 05 Mar 2013 10:38:53 -0800
Subject: [Pki-devel] [PATCH] PKI Theme changes [REVISED]
Message-ID: <51363BBD.6000706@redhat.com>

Please review the attached patch which addresses the following issues:

  * TRAC Ticket #517 - Clean up theme dependencies
  * TRAC Ticket #518 - Remove UI dependencies from pkispawn . . .
  * Bugzilla Bug #916134 - unresolved dependency in pki-server:
    pki-server-theme

This patch was tested by installing a CA on a 64-bit Fedora 18 machine
both with and without packages to provide a "pki-server-theme".

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20130305-PKI-theme-changes.patch
Type: text/x-patch
Size: 12862 bytes
Desc: not available

From edewata at redhat.com Tue Mar 5 20:01:06 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 05 Mar 2013 14:01:06 -0600
Subject: [Pki-devel] [PATCH] PKI Theme changes [REVISED]
In-Reply-To: <51363BBD.6000706@redhat.com>
References: <51363BBD.6000706@redhat.com>
Message-ID: <51364F02.5030401@redhat.com>

On 3/5/2013 12:38 PM, Matthew Harmsen wrote:
> Please review the attached patch which addresses the following issues:
>
>   * TRAC Ticket #517 - Clean up theme dependencies
>   * TRAC Ticket #518 - Remove UI dependencies from pkispawn . . .
>   * Bugzilla Bug #916134 - unresolved dependency in pki-server:
>     pki-server-theme
>
> This patch was tested by installing a CA on a 64-bit Fedora 18 machine
> both with and without packages to provide a "pki-server-theme".

ACK. Tested as a standalone Dogtag without theme, with released IPA
3.1.2 (which requires theme), and with a modified IPA (without theme).

--
Endi S. Dewata

From edewata at redhat.com Tue Mar 5 20:59:30 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 05 Mar 2013 14:59:30 -0600
Subject: [Pki-devel] [PATCH] 36 - Fix for track ticket 493 in Dogtag 10.0.2 - No interpolation for password fields.
In-Reply-To: <1362456225.26254.2.camel@akoneru.redhat.com>
References: <1362456225.26254.2.camel@akoneru.redhat.com>
Message-ID: <51365CB2.4040604@redhat.com>

On 3/4/2013 10:03 PM, Abhishek Koneru wrote:
> Please review the patch attached for fixing the ticket 493 in Dogtag
> 10.0.2.
>
> Tested in both interactive and file-passing (-f option) of
> pkispawn.
>
> --Abhishek

Some comments:

1. In set_property() the new code checks whether the new property is
sensitive. If it is the value will be added directly into the dict,
otherwise it will use the ConfigParser.set(). This code might not be
necessary. To my understanding the interpolation will be evaluated
during retrieval only (in get() and items()), so changing how the value
is stored would not affect the interpolation.

2. In the new code the sensitive_parameters will be parsed each time
flatten_master_dict() is called. It might be better to parse the list
once right after the file is loaded in read_pki_configuration_file(),
and store the parsed value as an attribute so it can be used by other
methods without parsing it again.

3. The list_items() could be simplified. It's not necessary to merge the
section with the default section because interpolation only works in the
same section. I think you could call ConfigParser.items(section, True)
to get all (param, raw_value) pairs. If the parameter is not sensitive
then call ConfigParser.get(section, param) to get the interpolated value
and use it to replace the raw value. Then either return all tuples as a
list like the original items() or put them in a dict like in your patch.

4. What does the 'list' in list_items() mean? It might be better to use
the same name as the original method it's trying to replace (e.g. items()).

--
Endi S. Dewata

From alee at redhat.com Wed Mar 6 15:26:50 2013
From: alee at redhat.com (Ade Lee)
Date: Wed, 06 Mar 2013 10:26:50 -0500
Subject: [Pki-devel] [PATCH] PKI Theme changes [REVISED]
In-Reply-To: <51364F02.5030401@redhat.com>
References: <51363BBD.6000706@redhat.com> <51364F02.5030401@redhat.com>
Message-ID: <1362583610.4933.3.camel@localhost.localdomain>

On Tue, 2013-03-05 at 14:01 -0600, Endi Sukma Dewata wrote:
> On 3/5/2013 12:38 PM, Matthew Harmsen wrote:
> > Please review the attached patch which addresses the following issues:
> >
> >   * TRAC Ticket #517 - Clean up theme dependencies
> >   * TRAC Ticket #518 - Remove UI dependencies from pkispawn . . .
> >   * Bugzilla Bug #916134 - unresolved dependency in pki-server:
> >     pki-server-theme
> >
> > This patch was tested by installing a CA on a 64-bit Fedora 18 machine
> > both with and without packages to provide a "pki-server-theme".
>
> ACK. Tested as a standalone Dogtag without theme, with released IPA
> 3.1.2 (which requires theme), and with a modified IPA (without theme).
>

Was the certificate functionality in IPA (cert issuance, revocation
etc.) tested without a theme -- checking in the logs to ensure no
exceptions are thrown?

Are we sure that we are not throwing any exceptions because the
templates are not there? We need to confirm this before suggesting that
IPA remove its dependency on its theme packages.

Ade

From alee at redhat.com Wed Mar 6 16:34:26 2013
From: alee at redhat.com (Ade Lee)
Date: Wed, 06 Mar 2013 11:34:26 -0500
Subject: [Pki-devel] [PATCH] 214 Added cert-request-show command.
In-Reply-To: <51269B89.6070305@redhat.com>
References: <51269B89.6070305@redhat.com>
Message-ID: <1362587666.4933.5.camel@localhost.localdomain>

ACK

On Thu, 2013-02-21 at 16:11 -0600, Endi Sukma Dewata wrote:
> A new cert-request-show command has been added to allow EE users to
> check certificate request status.
>
> Ticket #511
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From alee at redhat.com Wed Mar 6 16:33:54 2013
From: alee at redhat.com (Ade Lee)
Date: Wed, 06 Mar 2013 11:33:54 -0500
Subject: [Pki-devel] [PATCH] 213 Added DS info validation.
In-Reply-To: <51250520.5040807@redhat.com>
References: <51250520.5040807@redhat.com>
Message-ID: <1362587634.4933.4.camel@localhost.localdomain>

this does not take into account the option of using ldaps.

On Wed, 2013-02-20 at 11:17 -0600, Endi Sukma Dewata wrote:
> The installer script has been modified to validate DS info in both
> interactive and silent installation.
>
> Ticket #472

From edewata at redhat.com Thu Mar 7 01:22:20 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 06 Mar 2013 19:22:20 -0600
Subject: [Pki-devel] [PATCH] 214 Added cert-request-show command.
In-Reply-To: <1362587666.4933.5.camel@localhost.localdomain>
References: <51269B89.6070305@redhat.com> <1362587666.4933.5.camel@localhost.localdomain>
Message-ID: <5137EBCC.4010805@redhat.com>

On 3/6/2013 10:34 AM, Ade Lee wrote:
> ACK

Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Thu Mar 7 01:22:29 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 06 Mar 2013 19:22:29 -0600
Subject: [Pki-devel] [PATCH] 213 Added DS info validation.
In-Reply-To: <1362587634.4933.4.camel@localhost.localdomain>
References: <51250520.5040807@redhat.com> <1362587634.4933.4.camel@localhost.localdomain>
Message-ID: <5137EBD5.1030905@redhat.com>

On 3/6/2013 10:33 AM, Ade Lee wrote:
> this does not take into account the option of using ldaps.

New patch attached fixing this issue.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0213-1-Added-DS-info-validation.patch
Type: text/x-patch
Size: 7845 bytes
Desc: not available

From edewata at redhat.com Thu Mar 7 01:22:43 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 06 Mar 2013 19:22:43 -0600
Subject: [Pki-devel] [PATCH] 215 Added security domain info validation.
In-Reply-To: <5127A6E4.4050302@redhat.com>
References: <5127A6E4.4050302@redhat.com>
Message-ID: <5137EBE3.1030205@redhat.com>

On 2/22/2013 11:12 AM, Endi Sukma Dewata wrote:
> The installer script has been modified to validate security domain
> info in both interactive and silent installation.
>
> A basic Python API has been added to access the REST interface.
>
> Ticket #473

Rebased on top of patch #213-1.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0215-1-Added-security-domain-info-validation.patch
Type: text/x-patch
Size: 19962 bytes
Desc: not available

From akoneru at redhat.com Thu Mar 7 16:33:50 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Thu, 07 Mar 2013 11:33:50 -0500
Subject: [Pki-devel] [PATCH] 36-1 Revised - [PATCH] 36 - Fix for track ticket 493 in Dogtag 10.0.2 - No interpolation for password fields.
In-Reply-To: <51365CB2.4040604@redhat.com>
References: <1362456225.26254.2.camel@akoneru.redhat.com> <51365CB2.4040604@redhat.com>
Message-ID: <1362674030.9840.10.camel@akoneru.redhat.com>

On discussion with Endi and Ade, it has been agreed to use an
escape('%') character to allow usage of % in the values of the
configuration file.

If a configuration file is passed to the pkispawn script, any occurrence
of '%' must have a '%' used with it as an escape character.
Eg. key=abc%def, must be entered as key=abc%%def => which is read as abc
%def. Similarly, key=abc%%def must be key=abc%%%%def

In the interactive mode, the escape character is added by the code. User
can enter the actual value without the escape character.

Please review the attached patch with the required changes.

--Abhishek

On Tue, 2013-03-05 at 14:59 -0600, Endi Sukma Dewata wrote:
> On 3/4/2013 10:03 PM, Abhishek Koneru wrote:
> > Please review the patch attached for fixing the ticket 493 in Dogtag
> > 10.0.2.
> >
> > Tested in both interactive and file-passing (-f option) of
> > pkispawn.
> >
> > --Abhishek
>
> Some comments:
>
> 1. In set_property() the new code checks whether the new property is
> sensitive. If it is the value will be added directly into the dict,
> otherwise it will use the ConfigParser.set(). This code might not be
> necessary. To my understanding the interpolation will be evaluated
> during retrieval only (in get() and items()), so changing how the value
> is stored would not affect the interpolation.
>
> 2. In the new code the sensitive_parameters will be parsed each time
> flatten_master_dict() is called. It might be better to parse the list
> once right after the file is loaded in read_pki_configuration_file(),
> and store the parsed value as an attribute so it can be used by other
> methods without parsing it again.
>
> 3. The list_items() could be simplified. It's not necessary to merge the
> section with the default section because interpolation only works in the
> same section. I think you could call ConfigParser.items(section, True)
> to get all (param, raw_value) pairs. If the parameter is not sensitive
> then call ConfigParser.get(section, param) to get the interpolated value
> and use it to replace the raw value. Then either return all tuples as a
> list like the original items() or put them in a dict like in your patch.
>
> 4. What does the 'list' in list_items() mean? It might be better to use
> the same name as the original method it's trying to replace (e.g. items()).
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0036-1-Ticket-493-Changes-done-to-bypass-interpolation-for-.patch
Type: text/x-patch
Size: 1394 bytes
Desc: not available

From alee at redhat.com Thu Mar 7 17:08:59 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 07 Mar 2013 12:08:59 -0500
Subject: [Pki-devel] [PATCH] 119 - fix various eclipse warnings
Message-ID: <1362676139.21332.3.camel@aleeredhat.laptop>

These are just simple fixes that remove some unnecessary code (mostly
"unused" annotations). This drops the warnings to 246.

Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0119-Clean-up-various-eclipse-warnings.patch
Type: text/x-patch
Size: 58966 bytes
Desc: not available

From alee at redhat.com Thu Mar 7 17:29:30 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 07 Mar 2013 12:29:30 -0500
Subject: [Pki-devel] [PATCH] 119 - fix various eclipse warnings
In-Reply-To: <1362676139.21332.3.camel@aleeredhat.laptop>
References: <1362676139.21332.3.camel@aleeredhat.laptop>
Message-ID: <1362677370.21332.4.camel@aleeredhat.laptop>

acked by endi. Pushed to master.

On Thu, 2013-03-07 at 12:08 -0500, Ade Lee wrote:
> These are just simple fixes that remove some unnecessary code (mostly
> "unused" annotations). This drops the warnings to 246.
>
> Ade

From edewata at redhat.com Thu Mar 7 18:22:18 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 07 Mar 2013 12:22:18 -0600
Subject: [Pki-devel] [PATCH] 36-1 Revised - [PATCH] 36 - Fix for track ticket 493 in Dogtag 10.0.2 - No interpolation for password fields.
In-Reply-To: <1362674030.9840.10.camel@akoneru.redhat.com>
References: <1362456225.26254.2.camel@akoneru.redhat.com> <51365CB2.4040604@redhat.com> <1362674030.9840.10.camel@akoneru.redhat.com>
Message-ID: <5138DADA.4030903@redhat.com>

On 3/7/2013 10:33 AM, Abhishek Koneru wrote:
> On discussion with Endi and Ade, it has been agreed to use an
> escape('%') character to allow usage of % in the values of the
> configuration file.
>
> If a configuration file is passed to the pkispawn script, any occurrence
> of '%' must have a '%' used with it as an escape character.
> Eg. key=abc%def, must be entered as key=abc%%def => which is read as abc
> %def. Similarly, key=abc%%def must be key=abc%%%%def
>
> In the interactive mode, the escape character is added by the code. User
> can enter the actual value without the escape character.
>
> Please review the attached patch with the required changes.

ACK. Just a few things:

1. Please clean up the whitespace before push:

   git am --whitespace=fix

2. Please add a one-line title/summary in the commit log. See previous
commit logs for example. The first line of the log message is used in
many things such as patch filename, patch title, trac link, release
notes, etc. so it would be nice to have a short but descriptive title.

--
Endi S. Dewata

From akoneru at redhat.com Thu Mar 7 19:51:30 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Thu, 7 Mar 2013 14:51:30 -0500 (EST)
Subject: [Pki-devel] [PATCH] 36-1 Revised - [PATCH] 36 - Fix for track ticket 493 in Dogtag 10.0.2 - No interpolation for password fields.
In-Reply-To: <5138DADA.4030903@redhat.com>
Message-ID: <1990381893.5626470.1362685890383.JavaMail.root@redhat.com>

Followed the steps. Pushed to master.

--Abhishek

----- Original Message -----
From: "Endi Sukma Dewata"
To: "Abhishek Koneru"
Cc: "pki-devel"
Sent: Thursday, March 7, 2013 1:22:18 PM
Subject: Re: [PATCH] 36-1 Revised - [PATCH] 36 - Fix for track ticket 493 in Dogtag 10.0.2 - No interpolation for password fields.

On 3/7/2013 10:33 AM, Abhishek Koneru wrote:
> On discussion with Endi and Ade, it has been agreed to use an
> escape('%') character to allow usage of % in the values of the
> configuration file.
>
> If a configuration file is passed to the pkispawn script, any occurrence
> of '%' must have a '%' used with it as an escape character.
> Eg. key=abc%def, must be entered as key=abc%%def => which is read as abc
> %def. Similarly, key=abc%%def must be key=abc%%%%def
>
> In the interactive mode, the escape character is added by the code. User
> can enter the actual value without the escape character.
>
> Please review the attached patch with the required changes.

ACK. Just a few things:

1. Please clean up the whitespace before push:

   git am --whitespace=fix

2. Please add a one-line title/summary in the commit log. See previous
commit logs for example. The first line of the log message is used in
many things such as patch filename, patch title, trac link, release
notes, etc. so it would be nice to have a short but descriptive title.

--
Endi S. Dewata

From edewata at redhat.com Thu Mar 7 22:58:04 2013
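
[Added example, not part of the mailing-list thread and not code from the Dogtag patches: a Python 3 configparser demonstration of the ticket 493 discussion above, showing why a bare '%' in a password breaks interpolated reads, the raw-read approach from review comment 3, and the '%%' escaping that was finally agreed. The section name, parameter names, sample values and the space-separated format of sensitive_parameters are assumptions; the thread itself concerns Python 2's ConfigParser.]

```python
import configparser

# Constructed sample in the style of a pkispawn configuration file.
# Section, parameter names and values are illustrative assumptions.
SAMPLE = """\
[DEFAULT]
pki_root = /var/lib/pki
sensitive_parameters = pki_admin_password pki_ds_password

[CA]
pki_instance_name = pki-tomcat
pki_instance_path = %(pki_root)s/%(pki_instance_name)s
pki_admin_password = Secret%123
"""


def load(text):
    """Parse configuration text; reading never evaluates interpolation."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser


def sensitive_names(parser):
    """Parse the sensitive parameter list once, right after loading."""
    raw = parser.get("DEFAULT", "sensitive_parameters", raw=True)
    return frozenset(raw.split())


def naive_read_fails(parser, section, name):
    """True if a normal (interpolated) get() rejects the stored value."""
    try:
        parser.get(section, name)
    except configparser.InterpolationSyntaxError:
        return True
    return False


def items_with_raw_secrets(parser, section, sensitive):
    """Review comment 3: raw values for sensitive names, interpolated otherwise."""
    result = {}
    for name, raw_value in parser.items(section, raw=True):
        if name in sensitive:
            result[name] = raw_value  # never interpolated
        else:
            result[name] = parser.get(section, name)
    return result


def escape_percent(value):
    """Agreed approach: double every '%' before the value is stored."""
    return value.replace("%", "%%")


def store_and_read_back(parser, section, name, value):
    """Interactive-mode behaviour: the code escapes, the user types the real value."""
    parser.set(section, name, escape_percent(value))
    return parser.get(section, name)


if __name__ == "__main__":
    cfg = load(SAMPLE)
    print("bare % breaks get():", naive_read_fails(cfg, "CA", "pki_admin_password"))
    values = items_with_raw_secrets(cfg, "CA", sensitive_names(cfg))
    print("raw secret:", values["pki_admin_password"])
    print("interpolated path:", values["pki_instance_path"])
    print("escaped round trip:",
          store_and_read_back(cfg, "CA", "pki_admin_password", "abc%def"))
```

The two conventions are not interchangeable: a file written for the escaping convention ('%%') would be read back with the doubled characters intact by the raw-read approach.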
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 07 Mar 2013 16:58:04 -0600
Subject: [Pki-devel] [PATCH] 213 Added DS info validation.
In-Reply-To: <5137EBD5.1030905@redhat.com>
References: <51250520.5040807@redhat.com> <1362587634.4933.4.camel@localhost.localdomain> <5137EBD5.1030905@redhat.com>
Message-ID: <51391B7C.6010507@redhat.com>

On 3/6/2013 7:22 PM, Endi Sukma Dewata wrote:
> On 3/6/2013 10:33 AM, Ade Lee wrote:
>> this does not take into account the option of using ldaps.
>
> New patch attached fixing this issue.

ACKed by Ade. Fixed exception handling in ds_base_dn_exists(). Added
dependency to python-ldap. Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Thu Mar 7 22:58:07 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 07 Mar 2013 16:58:07 -0600
Subject: [Pki-devel] [PATCH] 215 Added security domain info validation.
In-Reply-To: <5137EBE3.1030205@redhat.com>
References: <5127A6E4.4050302@redhat.com> <5137EBE3.1030205@redhat.com>
Message-ID: <51391B7F.1060006@redhat.com>

On 3/6/2013 7:22 PM, Endi Sukma Dewata wrote:
> On 2/22/2013 11:12 AM, Endi Sukma Dewata wrote:
>> The installer script has been modified to validate security domain
>> info in both interactive and silent installation.
>>
>> A basic Python API has been added to access the REST interface.
>>
>> Ticket #473
>
> Rebased on top of patch #213-1.

ACKed by Ade. Added validation for CA clone and subordinate. Pushed to
master.

--
Endi S. Dewata

From alee at redhat.com Fri Mar 8 14:33:02 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 08 Mar 2013 09:33:02 -0500
Subject: [Pki-devel] [PATCH] 120 - cleanup some resource leaks
Message-ID: <1362753182.6247.1.camel@aleeredhat.laptop>

Please review. With this patch, the warnings in eclipse go down to 154.

Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0120-Plug-resource-leaks.patch
Type: text/x-patch
Size: 122050 bytes
Desc: not available

From mharmsen at redhat.com Fri Mar 8 20:30:12 2013
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 08 Mar 2013 12:30:12 -0800
Subject: [Pki-devel] [PATCH] Bugzilla Bug #919476 - pkispawn crashes due to dangling symlink to jss4.jar
Message-ID: <513A4A54.8000901@redhat.com>

In Fedora 16, 17, and 18, JNI jar files were required to be located
under architecture specific locations (e. g. - /usr/lib/java
and /usr/lib64/java).

These rules were re-defined in
'https://fedoraproject.org/wiki/Packaging:Java#Packaging_JAR_files_that_use_JNI',
as the JNI packaging rules were changed
in Fedora 19 (and RHEL 7) back to the JNI rules that existed for
Fedora 15 (e. g. - all JNI jar files will be located
under /usr/lib/java).

Please review the attached patch which fixes pki-core to comply with
these rules:

  * Bugzilla Bug #919476 - pkispawn crashes due to dangling
    symlink to jss4.jar

This patch has only been tested by installing a CA on a 64-bit Fedora
18 machine; no tests have been run against a 64-bit Fedora 19 machine,
yet.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20130308-Bugzilla-Bug-919476-pkispawn-crashes-due-to-dangling.patch
Type: text/x-patch
Size: 4086 bytes
Desc: not available

From alee at redhat.com Fri Mar 8 21:00:10 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 08 Mar 2013 16:00:10 -0500
Subject: [Pki-devel] [PATCH] Bugzilla Bug #919476 - pkispawn crashes due to dangling symlink to jss4.jar
In-Reply-To: <513A4A54.8000901@redhat.com>
References: <513A4A54.8000901@redhat.com>
Message-ID: <1362776410.6247.2.camel@aleeredhat.laptop>

ACK.

On Fri, 2013-03-08 at 12:30 -0800, Matthew Harmsen wrote:
> In Fedora 16, 17, and 18, JNI jar files were required to be located
> under architecture specific locations (e. g. - /usr/lib/java
> and /usr/lib64/java).
>
> These rules were re-defined in
> 'https://fedoraproject.org/wiki/Packaging:Java#Packaging_JAR_files_that_use_JNI', as the JNI packaging rules were changed
> in Fedora 19 (and RHEL 7) back to the JNI rules that existed for
> Fedora 15 (e. g. - all JNI jar files will be located
> under /usr/lib/java).
>
> Please review the attached patch which fixes pki-core to comply with
> these rules:
>       * Bugzilla Bug #919476 - pkispawn crashes due to dangling
>         symlink to jss4.jar
> This patch has only been tested by installing a CA on a 64-bit Fedora
> 18 machine; no tests have been run against a 64-bit Fedora 19 machine,
> yet.

From mharmsen at redhat.com Fri Mar 8 22:13:29 2013
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 08 Mar 2013 14:13:29 -0800
Subject: [Pki-devel] Your Fedora 'svnpki' membership has been removed
In-Reply-To:
References: <20130307175212.7135320C1C@bastion01.phx2.fedoraproject.org>
Message-ID: <513A6289.30309@redhat.com>

Alexander,

This sounds great!

We would greatly appreciate it if you could do one of the following
(whichever is easier):

  * Login with your Fedora account and file individual TRAC tickets at
    https://fedorahosted.org/pki/newticket for each of these issues
    (attaching a patch if you have them), or
  * File individual Bugzilla Bugs for each of these issues (attaching
    a patch to the bug if you have them).

Thanks,
-- Matt

On 03/08/13 00:19, Alexander Jung wrote:
> Hi,
>
> I did not realize I had been accepted to that group.
>
> We (mostly me, but some colleagues too) have developed some fixes for
> problems we encountered with the dogtag CA.
>
> The Problems we fixed are:
> - problems when having more than 2 million certs in the ldap
> - flatfileauth does not honor the ValueNames configured
> - scep does not work against Cisco with CA key in hsm
> We developed quite a few extensions, some of them are not specific to
> our company:
> - Validity: make certificates expire on tue, wed, thr at 15:00 only
> and not during change of year and month.
> - SubjectAlternativeNames: fill the dns reverse lookup into the SAN
> field, to make a server cert work with all the dns names the machine
> is configured for.
>
> I could open bugs and attach patches or commit directly, when you allow me to.
>
> yours,
>
> Alexander Jung
>
>
> 2013/3/7 :
>> mharmsen has removed you from the 'svnpki'
>> group of the Fedora Accounts System This change is effective
>> immediately for new operations, and should propagate into the e-mail
>> aliases within an hour.

From alee at redhat.com Sat Mar 9 02:29:46 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 08 Mar 2013 21:29:46 -0500
Subject: [Pki-devel] [PATCH] 120 - cleanup some resource leaks
In-Reply-To: <1362753182.6247.1.camel@aleeredhat.laptop>
References: <1362753182.6247.1.camel@aleeredhat.laptop>
Message-ID: <1362796186.8998.1.camel@aleeredhat.laptop>

pushed to master with changes from review by Endi.

Specifically,
1. try with resources does not require a catch() section. So extraneous
catch sections that were added were removed.
2. some formatting issues fixed.

On Fri, 2013-03-08 at 09:33 -0500, Ade Lee wrote:
> Please review. With this patch, the warnings in eclipse go down to 154.
>
> Ade

From nkinder at redhat.com Sat Mar 9 03:44:55 2013
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 08 Mar 2013 19:44:55 -0800
Subject: [Pki-devel] Your Fedora 'svnpki' membership has been removed
In-Reply-To: <513A6289.30309@redhat.com>
References: <20130307175212.7135320C1C@bastion01.phx2.fedoraproject.org> <513A6289.30309@redhat.com>
Message-ID: <513AB037.1030004@redhat.com>

On 03/08/2013 02:13 PM, Matthew Harmsen wrote:
> Alexander,
>
> This sounds great!
>
> We would greatly appreciate it if you could do one of the following
> (whichever is easier):
>
>   * Login with your Fedora account and file individual TRAC tickets at
>     https://fedorahosted.org/pki/newticket for each of these issues
>     (attaching a patch if you have them), or
>   * File individual Bugzilla Bugs for each of these issues (attaching
>     a patch to the bug if you have them).
>

Please file the tickets in Trac. I would prefer that we only look for
new issues in one place, and that place should be Trac.

Thanks,
-NGK

>
> Thanks,
> -- Matt
>
> On 03/08/13 00:19, Alexander Jung wrote:
>> Hi,
>>
>> I did not realize I had been accepted to that group.
>>
>> We (mostly me, but some colleagues too) have developed some fixes for
>> problems we encountered with the dogtag CA.
>>
>> The Problems we fixed are:
>> - problems when having more than 2 million certs in the ldap
>> - flatfileauth does not honor the ValueNames configured
>> - scep does not work against Cisco with CA key in hsm
>> We developed quite a few extensions, some of them are not specific to
>> our company:
>> - Validity: make certificates expire on tue, wed, thr at 15:00 only
>> and not during change of year and month.
>> - SubjectAlternativeNames: fill the dns reverse lookup into the SAN
>> field, to make a server cert work with all the dns names the machine
>> is configured for.
>>
>> I could open bugs and attach patches or commit directly, when you allow me to.
>>
>> yours,
>>
>> Alexander Jung
>>
>>
>> 2013/3/7:
>>> mharmsen has removed you from the 'svnpki'
>>> group of the Fedora Accounts System This change is effective
>>> immediately for new operations, and should propagate into the e-mail
>>> aliases within an hour.

From edewata at redhat.com Mon Mar 11 18:31:44 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 11 Mar 2013 13:31:44 -0500
Subject: [Pki-devel] [PATCH] 216 Fixed python-requests compatibility issue.
Message-ID: <513E2310.8010602@redhat.com>

The Python REST client has been modified to parse JSON data using a
method that is compatible with python-requests 1.1. The RPM spec file
has been modified to require python-requests 1.1 package.

Ticket #535

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0216-Fixed-python-requests-compatibility-issue.patch
Type: text/x-patch
Size: 2250 bytes
Desc: not available

From edewata at redhat.com Mon Mar 11 18:57:10 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 11 Mar 2013 13:57:10 -0500
Subject: [Pki-devel] [PATCH] 217 Fixed CLI return code.
Message-ID: <513E2906.2080902@redhat.com>

The Perl wrapper for CLI has been fixed to pass the error code returned
by Java clients.

Ticket #520

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0217-Fixed-CLI-return-code.patch
Type: text/x-patch
Size: 885 bytes
Desc: not available

From mharmsen at redhat.com Mon Mar 11 21:51:02 2013
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Mon, 11 Mar 2013 14:51:02 -0700
Subject: [Pki-devel] [PATCH] Bugzilla Bug #919476 - pkispawn crashes due to dangling symlink to jss4.jar - REVISED
Message-ID: <513E51C6.4030902@redhat.com>

In Fedora 16, 17, and 18, JNI jar files were required to be located
under architecture specific locations (e. g. - /usr/lib/java
and /usr/lib64/java).

These rules were re-defined in
'https://fedoraproject.org/wiki/Packaging:Java#Packaging_JAR_files_that_use_JNI',
as the JNI packaging rules were changed
in Fedora 19 (and RHEL 7) back to the JNI rules that existed for
Fedora 15 (e. g. - all JNI jar files will be located
under /usr/lib/java).

Please review the attached patches which fix pki-core to comply with
these rules (on Fedora 19 and later):

  * Bugzilla Bug #919476 - pkispawn crashes due to dangling
    symlink to jss4.jar

This first patch is in addition to the previously checked-in code to
allow it to work on platforms >= Fedora 19.
The second patch is specifically for Koji builds of Fedora 19.
The third patch is the spec file used for the Koji build of Fedora 19.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20130311-Bugzilla-Bug-919476-pkispawn-crashes-due-to-dangling-2.patch
Type: text/x-patch
Size: 2385 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-core-10.0.1-bz919476.patch
Type: text/x-patch
Size: 3460 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-core.spec
Type: text/x-rpm-spec
Size: 85238 bytes
Desc: not available

From alee at redhat.com Mon Mar 11 22:00:53 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 11 Mar 2013 18:00:53 -0400
Subject: [Pki-devel] [PATCH] Bugzilla Bug #919476 - pkispawn crashes due to dangling symlink to jss4.jar - REVISED
In-Reply-To: <513E51C6.4030902@redhat.com>
References: <513E51C6.4030902@redhat.com>
Message-ID: <1363039253.9821.10.camel@aleeredhat.laptop>

ack.

On Mon, 2013-03-11 at 14:51 -0700, Matthew Harmsen wrote:
> In Fedora 16, 17, and 18, JNI jar files were required to be located
> under architecture specific locations (e. g. - /usr/lib/java
> and /usr/lib64/java).
>
> These rules were re-defined in
> 'https://fedoraproject.org/wiki/Packaging:Java#Packaging_JAR_files_that_use_JNI', as the JNI packaging rules were changed
> in Fedora 19 (and RHEL 7) back to the JNI rules that existed for
> Fedora 15 (e. g. - all JNI jar files will be located
> under /usr/lib/java).
>
> Please review the attached patches which fix pki-core to comply with
> these rules (on Fedora 19 and later):
>       * Bugzilla Bug #919476 - pkispawn crashes due to dangling
>         symlink to jss4.jar
> This first patch is in addition to the previously checked-in code to
> allow it to work on platforms >= Fedora 19.
> The second patch is specifically for Koji builds of Fedora 19.
> The third patch is the spec file used for the Koji build of Fedora 19.

From edewata at redhat.com Tue Mar 12 15:33:37 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 12 Mar 2013 10:33:37 -0500
Subject: [Pki-devel] [PATCH] 218 Replaced Tomcat's random number generator.
Message-ID: <513F4AD1.9080902@redhat.com>

By default Tomcat relies on /dev/random as a random number generator
to generate the session ID's. Under certain conditions /dev/random
may block, which will block Tomcat as well. To solve the problem all
webapps in Tomcat have been configured to use the random number
generator provided by JSS.

Ticket #524

Tested with IPA. Migration script will be added in a separate patch.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0218-Replaced-Tomcat-s-random-number-generator.patch
Type: text/x-patch
Size: 7795 bytes

From edewata at redhat.com Tue Mar 12 19:43:28 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 12 Mar 2013 14:43:28 -0500
Subject: [Pki-devel] REST interface docs
Message-ID: <513F8560.8040707@redhat.com>

Just FYI, the current REST interfaces are documented here:
http://pki.fedoraproject.org/wiki/REST#Current_Implementation

Currently they are just links to the interface definitions. In the
future we might want to auto-generate the docs using a tool that can
read REST-related annotations.

--
Endi S. Dewata

From edewata at redhat.com Tue Mar 12 21:33:26 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 12 Mar 2013 16:33:26 -0500
Subject: [Pki-devel] [PATCH] 219 Added python build-time dependency for TPS and RA.
Message-ID: <513F9F26.7000304@redhat.com>

Due to recent CMake script changes, TPS and RA now require python
to build properly.

Ticket #540

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0219-Added-python-build-time-dependency-for-TPS-and-RA.patch
Type: text/x-patch
Size: 2576 bytes

From edewata at redhat.com Wed Mar 13 01:55:00 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 12 Mar 2013 20:55:00 -0500
Subject: [Pki-devel] Migration proposal
Message-ID: <513FDC74.80605@redhat.com>

Hi,

Please take a look at the following proposal:
http://pki.fedoraproject.org/wiki/Migration

The idea is based on deployment scriptlets, but it has been adapted
for migration.

--
Endi S. Dewata

From alee at redhat.com Wed Mar 13 04:46:49 2013
From: alee at redhat.com (Ade Lee)
Date: Wed, 13 Mar 2013 00:46:49 -0400
Subject: [Pki-devel] [PATCH] 219 Added python build-time dependency for TPS and RA.
In-Reply-To: <513F9F26.7000304@redhat.com>
References: <513F9F26.7000304@redhat.com>
Message-ID: <1363150009.6104.0.camel@aleeredhat.laptop>

ack.

On Tue, 2013-03-12 at 16:33 -0500, Endi Sukma Dewata wrote:
> Due to recent CMake script changes, TPS and RA now require python
> to build properly.
>
> Ticket #540

From alee at redhat.com Wed Mar 13 04:49:47 2013
From: alee at redhat.com (Ade Lee)
Date: Wed, 13 Mar 2013 00:49:47 -0400
Subject: [Pki-devel] [PATCH] 217 Fixed CLI return code.
In-Reply-To: <513E2906.2080902@redhat.com>
References: <513E2906.2080902@redhat.com>
Message-ID: <1363150187.6104.1.camel@aleeredhat.laptop>

ACK

On Mon, 2013-03-11 at 13:57 -0500, Endi Sukma Dewata wrote:
> The Perl wrapper for CLI has been fixed to pass the error code returned
> by Java clients.
>
> Ticket #520

From edewata at redhat.com Wed Mar 13 15:54:22 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 13 Mar 2013 10:54:22 -0500
Subject: [Pki-devel] [PATCH] 217 Fixed CLI return code.
In-Reply-To: <1363150187.6104.1.camel@aleeredhat.laptop>
References: <513E2906.2080902@redhat.com> <1363150187.6104.1.camel@aleeredhat.laptop>
Message-ID: <5140A12E.8060102@redhat.com>

On 3/12/2013 11:49 PM, Ade Lee wrote:
> ACK

Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Wed Mar 13 15:55:11 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 13 Mar 2013 10:55:11 -0500
Subject: [Pki-devel] [PATCH] 219 Added python build-time dependency for TPS and RA.
In-Reply-To: <1363150009.6104.0.camel@aleeredhat.laptop>
References: <513F9F26.7000304@redhat.com> <1363150009.6104.0.camel@aleeredhat.laptop>
Message-ID: <5140A15F.4090701@redhat.com>

On 3/12/2013 11:46 PM, Ade Lee wrote:
> ack.

Pushed to master.

--
Endi S. Dewata

From awnuk at redhat.com Wed Mar 13 19:35:08 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Wed, 13 Mar 2013 12:35:08 -0700
Subject: [Pki-devel] Migration proposal
In-Reply-To: <513FDC74.80605@redhat.com>
References: <513FDC74.80605@redhat.com>
Message-ID: <5140D4EC.7060307@redhat.com>

On 03/12/2013 06:55 PM, Endi Sukma Dewata wrote:
> Hi,
>
> Please take a look at the following proposal:
> http://pki.fedoraproject.org/wiki/Migration
>
> The idea is based on deployment scriptlets, but it has been adapted
> for migration.
>
Is this really migration or should this be in place upgrade?

From nkinder at redhat.com Wed Mar 13 22:17:26 2013
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 13 Mar 2013 15:17:26 -0700
Subject: [Pki-devel] Migration proposal
In-Reply-To: <5140D4EC.7060307@redhat.com>
References: <513FDC74.80605@redhat.com> <5140D4EC.7060307@redhat.com>
Message-ID: <5140FAF6.9000001@redhat.com>

On 03/13/2013 12:35 PM, Andrew Wnuk wrote:
> On 03/12/2013 06:55 PM, Endi Sukma Dewata wrote:
>> Hi,
>>
>> Please take a look at the following proposal:
>> http://pki.fedoraproject.org/wiki/Migration
>>
>> The idea is based on deployment scriptlets, but it has been adapted
>> for migration.
>>
> Is this really migration or should this be in place upgrade?
It definitely covers in-place upgrade. In the future, migration might
go through the same framework (this would be ideal as opposed to having
separate migration scripts).

-NGK

From edewata at redhat.com Thu Mar 14 15:16:03 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 14 Mar 2013 10:16:03 -0500
Subject: [Pki-devel] Migration proposal
In-Reply-To: <5140FAF6.9000001@redhat.com>
References: <513FDC74.80605@redhat.com> <5140D4EC.7060307@redhat.com> <5140FAF6.9000001@redhat.com>
Message-ID: <5141E9B3.4070801@redhat.com>

On 3/13/2013 5:17 PM, Nathan Kinder wrote:
> On 03/13/2013 12:35 PM, Andrew Wnuk wrote:
>> On 03/12/2013 06:55 PM, Endi Sukma Dewata wrote:
>>> http://pki.fedoraproject.org/wiki/Migration
>> Is this really migration or should this be in place upgrade?
> It definitely covers in-place upgrade. In the future, migration might
> go through the same framework (this would be ideal as opposed to having
> separate migration scripts).

I moved the page to:
http://pki.fedoraproject.org/wiki/Upgrade

The old link still works. I also updated the page based on the
discussion on IRC yesterday.

--
Endi S. Dewata

From akoneru at redhat.com Fri Mar 15 15:00:34 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Fri, 15 Mar 2013 11:00:34 -0400
Subject: [Pki-devel] [PATCH] 37 Updating the pkispawn/pkidestroy man pages with information regarding interactive mode installation (#471)
Message-ID: <1363359634.16147.2.camel@akoneru.redhat.com>

Please review the attached patch w.r.t the trac ticket 471 to add
information regarding interactive mode installation to
pkispawn/pkidestroy man pages.

--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0037-Updated-pkispawn-pkidestroy-manpages-with-the-steps-.patch
Type: text/x-patch
Size: 5749 bytes

From akoneru at redhat.com Sat Mar 16 02:20:28 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Fri, 15 Mar 2013 22:20:28 -0400 (EDT)
Subject: [Pki-devel] [PATCH] 38 Fixes for trac tickets #509 and #525
In-Reply-To: <711578991.7223554.1363400417171.JavaMail.root@redhat.com>
Message-ID: <1208818611.7223560.1363400428829.JavaMail.root@redhat.com>

Please review the attached patch with fixes for incorrect information in pkispawn man page.
Also added the sample config files for different installations of pki subsystems.

--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0038-Minor-fixes-to-pkispawn-man-page-updating-the-sample.patch
Type: text/x-patch
Size: 8744 bytes

From akoneru at redhat.com Sat Mar 16 02:23:11 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Fri, 15 Mar 2013 22:23:11 -0400 (EDT)
Subject: [Pki-devel] [PATCH] 39 Fix for trac ticket #507 - Making the pki.conf irreplacebale by an upgrade
In-Reply-To: <987841979.7224154.1363400587308.JavaMail.root@redhat.com>
Message-ID: <567829589.7224159.1363400591813.JavaMail.root@redhat.com>

Please review the attached patch with fixes for trac ticket 507 which
addresses the issue of the pki.conf being replaced while upgrading pki.

--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0039-Adding-changes-to-pki-core.spec-file-so-that-the-sys.patch
Type: text/x-patch
Size: 890 bytes

From cfu at redhat.com Tue Mar 19 03:19:50 2013
From: cfu at redhat.com (Christina Fu)
Date: Mon, 18 Mar 2013 20:19:50 -0700
Subject: [Pki-devel] Request for Review: TPS Revocation Routing
Message-ID: <5147D956.40800@redhat.com>

Hi,
Please review the code for the following design:
http://pki.fedoraproject.org/wiki/TPS_Revocation_Routing
for *Bug 902952*
- RFE: Cert System 8.1 - Issuance/Revocation routing with TPS and
multiple non-cloned CAs

code:
https://bugzilla.redhat.com/attachment.cgi?id=712351&action=diff&context=patch&collapsed=&headers=1&format=raw

thanks!
Christina

From alee at redhat.com Tue Mar 19 04:48:30 2013
From: alee at redhat.com (Ade Lee)
Date: Tue, 19 Mar 2013 00:48:30 -0400
Subject: [Pki-devel] [PATCH] 216 Fixed python-requests compatibility issue.
In-Reply-To: <513E2310.8010602@redhat.com>
References: <513E2310.8010602@redhat.com>
Message-ID: <1363668510.2221.0.camel@aleeredhat.laptop>

The newest python-requests has been pushed to stable.

ACK.

On Mon, 2013-03-11 at 13:31 -0500, Endi Sukma Dewata wrote:
> The Python REST client has been modified to parse JSON data using a
> method that is compatible with python-requests 1.1. The RPM spec file
> has been modified to require python-requests 1.1 package.
>
> Ticket #535

From alee at redhat.com Tue Mar 19 14:15:09 2013
From: alee at redhat.com (Ade Lee)
Date: Tue, 19 Mar 2013 10:15:09 -0400
Subject: [Pki-devel] [PATCH] 37 Updating the pkispawn/pkidestroy man pages with information regarding interactive mode installation (#471)
In-Reply-To: <1363359634.16147.2.camel@akoneru.redhat.com>
References: <1363359634.16147.2.camel@akoneru.redhat.com>
Message-ID: <1363702509.2221.25.camel@aleeredhat.laptop>

Comments:

1. The commit message looks like it goes on continuously on a single
line. This makes it difficult to see when doing a "git log".

2. The patch ends up adding several trailing whitespace errors. Fix
these before checking in.

3. In pkidestroy man page, add the note about prompting for the
parameter under each parameter, rather than as a separate note.

For example,
-s
Specifies the subsystem to be removed, where is CA, KRA,
OCSP, or TKS. If this option is not specified, pkidestroy will prompt
for its value.

4. Include documentation of the new password/ user options for
pkidestroy. You can do this in the other ticket you are working on.

5. pkispawn:

a) Move the section on interactive mode to before examples. It should
be a heading at the same level as OPTIONS and EXAMPLES
b) Replace Dogtag with Certificate Server (all instances)
c) The subheadings do not look right. Change as follows. Note that I
have removed the enclosing brackets. These headings should be in bold.

[Choosing a subsystem type to install] --> Subsystem Type
[Providing instance specific parameters] --> Instance Specific Parameters
[Setting up the Administrator user] --> Administrative User Parameters
[Specify the 389 Directory Server to be used for the internal database]-> Directory Server Parameters
[Setting up the Security Domain properties]-> Security Domain Parameters

d) The security domain part should look like this:

Security Domain Parameters

Name:
the name of the security domain. Required only if installing a root CA.
Default value: Security Domain.

Hostname:
the hostname for the security domain CA.
Required for all non-CA subsystems.
The default value is the hostname of this system.
Secure HTTP port:
the https port for the security domain. Required for all non-CA subsystems.
The default value is 8443.
Username:
the username of the security domain administrator. Required for all non-CA subsystems.
The default value is caadmin.
Password:
password for the security domain administrator. Required for all non-CA subsystems.

e) Do not bold or italicize any default values. [8080] -> 8080


On Fri, 2013-03-15 at 11:00 -0400, Abhishek Koneru wrote:
> Please review the attached patch w.r.t the trac ticket 471 to add
> information regarding interactive mode installation to
> pkispawn/pkidestroy man pages.
>
> --Abhishek

From alee at redhat.com Tue Mar 19 15:11:52 2013
From: alee at redhat.com (Ade Lee)
Date: Tue, 19 Mar 2013 11:11:52 -0400
Subject: [Pki-devel] [PATCH] 38 Fixes for trac tickets #509 and #525
In-Reply-To: <1208818611.7223560.1363400428829.JavaMail.root@redhat.com>
References: <1208818611.7223560.1363400428829.JavaMail.root@redhat.com>
Message-ID: <1363705912.2221.40.camel@aleeredhat.laptop>

Comments:

1. In pkispawn, in the section "KRA, OCSP, or TKS using default
configuration": rather than explaining that myconfig.txt is the same as
the above section with an additional parameter, it's clearer just to
print out a new myconfig.txt as in the previous section. You still want
to mention though that the security domain password is the same as the
admin password for the CA. Note the typo "whick".

2. The line adding the signing subordinate DN is too long, partly
because it repeats itself. Shorten to fit on line if possible.

3. Also in that section, there should be a note about the subordinate
CA subject DN having to be different from the root CA signing subject
DN. See a corresponding note in the "externally signed CA section"

4. In sample.cfg, change the comment to:
+##Required for all subsystems that are not root CAs

5. The sample files for KRA, TKS etc. like sampleKRA-OCSP-TKSclone.cfg
are a little confusing. Rather pick one of these -- a KRA for
instance and provide a sample instead. So in this case,
[KRA/OCSP/TKS] -> [KRA]

On Fri, 2013-03-15 at 22:20 -0400, Abhishek Koneru wrote:
> Please review the attached patch with fixes for incorrect information in pkispawn man page.
> Also added the sample config files for different installations of pki subsystems.
>
> --Abhishek

From alee at redhat.com Tue Mar 19 15:19:41 2013
From: alee at redhat.com (Ade Lee)
Date: Tue, 19 Mar 2013 11:19:41 -0400
Subject: [Pki-devel] [PATCH] 39 Fix for trac ticket #507 - Making the pki.conf irreplacebale by an upgrade
In-Reply-To: <567829589.7224159.1363400591813.JavaMail.root@redhat.com>
References: <567829589.7224159.1363400591813.JavaMail.root@redhat.com>
Message-ID: <1363706381.2221.42.camel@aleeredhat.laptop>

1. Same comment about commit message being too long.
2. In general, when you change the spec file, you might update the
version. In this case, as there are many spec file changes coming in,
we will dispense with that.

ACK

On Fri, 2013-03-15 at 22:23 -0400, Abhishek Koneru wrote:
> Please review the attached patch with fixes for trac ticket 507 which
> addresses the issue of the pki.conf being replaced while upgrading pki.
>
> --Abhishek

From edewata at redhat.com Tue Mar 19 16:59:11 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 19 Mar 2013 11:59:11 -0500
Subject: [Pki-devel] [PATCH] 216 Fixed python-requests compatibility issue.
In-Reply-To: <1363668510.2221.0.camel@aleeredhat.laptop>
References: <513E2310.8010602@redhat.com> <1363668510.2221.0.camel@aleeredhat.laptop>
Message-ID: <5148995F.4060107@redhat.com>

On 3/18/2013 11:48 PM, Ade Lee wrote:
> The newest python-requests has been pushed to stable.
>
> ACK.

Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Tue Mar 19 16:59:19 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 19 Mar 2013 11:59:19 -0500
Subject: [Pki-devel] [PATCH] 218 Replaced Tomcat's random number generator.
In-Reply-To: <513F4AD1.9080902@redhat.com>
References: <513F4AD1.9080902@redhat.com>
Message-ID: <51489967.7020207@redhat.com>

On 3/12/2013 10:33 AM, Endi Sukma Dewata wrote:
> By default Tomcat relies on /dev/random as a random number generator
> to generate the session ID's. Under certain conditions /dev/random
> may block, which will block Tomcat as well. To solve the problem all
> webapps in Tomcat have been configured to use the random number
> generator provided by JSS.
>
> Ticket #524
>
> Tested with IPA. Migration script will be added in a separate patch.

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Tue Mar 19 17:32:56 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 19 Mar 2013 12:32:56 -0500
Subject: [Pki-devel] [PATCH] 220 Added CLI option to capture HTTP messages.
Message-ID: <5148A148.7060601@redhat.com>

A new option has been added to the CLI to capture HTTP requests and
responses and store them in the specified folder.

Ticket #523

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0220-Added-CLI-option-to-capture-HTTP-messages.patch
Type: text/x-patch
Size: 9863 bytes

From cfu at redhat.com Tue Mar 19 17:35:43 2013
From: cfu at redhat.com (Christina Fu)
Date: Tue, 19 Mar 2013 10:35:43 -0700
Subject: [Pki-devel] Request for Review: TPS Revocation Routing
In-Reply-To: <5147D956.40800@redhat.com>
References: <5147D956.40800@redhat.com>
Message-ID: <5148A1EF.3010503@redhat.com>

Please note that the "Issuance routing" part in this bug is not
included in this design/patch. It will be filed as a separate bug to
be addressed.
This design/patch is for TPS revocation routing only.

regards,
Christina

On 03/18/2013 08:19 PM, Christina Fu wrote:
> Hi,
> Please review the code for the following design:
> http://pki.fedoraproject.org/wiki/TPS_Revocation_Routing
> for *Bug 902952*
> -RFE: Cert System 8.1 - Issuance/Revocation routing with TPS and
> multiple non-cloned CAs
>
> code:
> https://bugzilla.redhat.com/attachment.cgi?id=712351&action=diff&context=patch&collapsed=&headers=1&format=raw
>
> thanks!
> Christina

From alee at redhat.com Tue Mar 19 20:54:48 2013
From: alee at redhat.com (Ade Lee)
Date: Tue, 19 Mar 2013 16:54:48 -0400
Subject: [Pki-devel] [PATCH] refactor installation code to use python client instead of jython
Message-ID: <1363726488.15479.4.camel@aleeredhat.laptop>

This is a pretty big change, but we want to get it into 10.0.2 so that
we can eliminate our dependency on jython.

So far, it's been tested against a straight CA install. I plan to
continue testing against other configurations, but as the code change is
quite large, I want to start the review early.

Please review,
Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0122-Refactor-installation-code-to-remove-dependency-on-j.patch
Type: text/x-patch
Size: 100316 bytes

From akoneru at redhat.com Wed Mar 20 13:07:46 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Wed, 20 Mar 2013 09:07:46 -0400
Subject: [Pki-devel] [PATCH] 37-2 Fixes for review comments on [PATCH] 37 Updating the pkispawn/pkidestroy man pages with information regarding interactive mode installation (#471)
In-Reply-To: <1363702509.2221.25.camel@aleeredhat.laptop>
References: <1363359634.16147.2.camel@akoneru.redhat.com> <1363702509.2221.25.camel@aleeredhat.laptop>
Message-ID: <1363784866.2310.2.camel@akoneru.redhat.com>

Please find the fixes for review comments given for patch 37 attached
for review.

--Abhishek

On Tue, 2013-03-19 at 10:15 -0400, Ade Lee wrote:
> Comments:
>
> 1. The commit message looks like it goes on continuously on a single
> line. This makes it difficult to see when doing a "git log".
>
> 2. The patch ends up adding several trailing whitespace errors. Fix
> these before checking in.
>
> 3. In pkidestroy man page, add the note about prompting for the
> parameter under each parameter, rather than as a separate note.
>
> For example,
> -s
> Specifies the subsystem to be removed, where is CA, KRA,
> OCSP, or TKS. If this option is not specified, pkidestroy will prompt
> for its value.
>
> 4. Include documentation of the new password/ user options for
> pkidestroy. You can do this in the other ticket you are working on.
>
> 5. pkispawn:
>
> a) Move the section on interactive mode to before examples. It should
> be a heading at the same level as OPTIONS and EXAMPLES
> b) Replace Dogtag with Certificate Server (all instances)
> c) The subheadings do not look right. Change as follows. Note that I
> have removed the enclosing brackets. These headings should be in bold.
>
> [Choosing a subsystem type to install] --> Subsystem Type
> [Providing instance specific parameters] --> Instance Specific Parameters
> [Setting up the Administrator user] --> Administrative User Parameters
> [Specify the 389 Directory Server to be used for the internal database]-> Directory Server Parameters
> [Setting up the Security Domain properties]-> Security Domain Parameters
>
> d) The security domain part should look like this:
>
> Security Domain Parameters
>
> Name:
> the name of the security domain. Required only if installing a root CA.
> Default value: Security Domain.
>
> Hostname:
> the hostname for the security domain CA. Required for all non-CA subsystems.
> The default value is the hostname of this system.
> Secure HTTP port:
> the https port for the security domain. Required for all non-CA subsystems.
> The default value is 8443.
> Username:
> the username of the security domain administrator. Required for all non-CA subsystems.
> The default value is caadmin.
> Password:
> password for the security domain administrator. Required for all non-CA subsystems.
>
> e) Do not bold or italicize any default values. [8080] -> 8080
>
>
> On Fri, 2013-03-15 at 11:00 -0400, Abhishek Koneru wrote:
> > Please review the attached patch w.r.t the trac ticket 471 to add
> > information regarding interactive mode installation to
> > pkispawn/pkidestroy man pages.
> >
> > --Abhishek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0037-2-Updated-pkispawn-pkidestroy-manpages-with-the-steps-.patch
Type: text/x-patch
Size: 7054 bytes

From akoneru at redhat.com Wed Mar 20 13:15:58 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Wed, 20 Mar 2013 09:15:58 -0400
Subject: [Pki-devel] [PATCH] 38-2 Fixes for review comments on [PATCH] 38 Fixes for trac tickets #509 and #525
In-Reply-To: <1363705912.2221.40.camel@aleeredhat.laptop>
References: <1208818611.7223560.1363400428829.JavaMail.root@redhat.com> <1363705912.2221.40.camel@aleeredhat.laptop>
Message-ID: <1363785358.2310.5.camel@akoneru.redhat.com>

Please review the attached patch with fixes for review comments given
for patch 38.

--Abhishek

On Tue, 2013-03-19 at 11:11 -0400, Ade Lee wrote:
> Comments:
>
> 1. In pkispawn, in the section "KRA, OCSP, or TKS using default
> configuration": rather than explaining that myconfig.txt is the same as
> the above section with an additional parameter, it's clearer just to
> print out a new myconfig.txt as in the previous section. You still want
> to mention though that the security domain password is the same as the
> admin password for the CA. Note the typo "whick".
>
> 2. The line adding the signing subordinate DN is too long, partly
> because it repeats itself. Shorten to fit on line if possible.
>
> 3. Also in that section, there should be a note about the subordinate
> CA subject DN having to be different from the root CA signing subject
> DN. See a corresponding note in the "externally signed CA section"
>
> 4. In sample.cfg, change the comment to:
> +##Required for all subsystems that are not root CAs
>
> 5. The sample files for KRA, TKS etc. like sampleKRA-OCSP-TKSclone.cfg
> are a little confusing. Rather pick one of these -- a KRA for
> instance and provide a sample instead. So in this case,
> [KRA/OCSP/TKS] -> [KRA]
>
> On Fri, 2013-03-15 at 22:20 -0400, Abhishek Koneru wrote:
> > Please review the attached patch with fixes for incorrect information in pkispawn man page.
> > Also added the sample config files for different installations of pki subsystems.
> >
> > --Abhishek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0038-2-Minor-fixes-to-pkispawn-man-page-updating-the-sample.patch
Type: text/x-patch
Size: 8979 bytes

From edewata at redhat.com Wed Mar 20 15:19:49 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 20 Mar 2013 10:19:49 -0500
Subject: [Pki-devel] [PATCH] refactor installation code to use python client instead of jython
In-Reply-To: <1363726488.15479.4.camel@aleeredhat.laptop>
References: <1363726488.15479.4.camel@aleeredhat.laptop>
Message-ID: <5149D395.9010304@redhat.com>

On 3/19/2013 3:54 PM, Ade Lee wrote:
> This is a pretty big change, but we want to get it into 10.0.2 so that
> we can eliminate our dependency on jython.
>
> So far, it's been tested against a straight CA install. I plan to
> continue testing against other configurations, but as the code change is
> quite large, I want to start the review early.
>
> Please review,
> Ade

Some comments:

1. Right now the encoder.py has to import other PKI modules in order to
construct the TYPES and NOTYPES lists, so if new modules are added we'd
need to update the encoder.py. This is not ideal since encoder.py is a
common module. It might be better to let the modules register themselves
into those lists, for example in encoder.py we can do something like
this:

    import pki.encoder

    class ConfigurationRequest:
        ...

    # register this class in the shared encoder's type table
    pki.encoder.TYPES['ConfigurationRequest'] = ConfigurationRequest

2. The SystemCertData is now in NOTYPES list. What if we want to send a
SystemCertData object in a future API? It will need to be in TYPES.
Maybe instead of using NOTYPES we should check if the object is an array
and the elements are in TYPES then we return an array of encoded
objects.

3. JSON responses should be converted back into Python object:
http://stackoverflow.com/questions/6578986/how-to-convert-json-data-into-a-python-object

4. The ConfigurationResponse.getSystemCerts() should return a List
instead of a Collection.

5. File access can be written with the 'with' keyword:

    with open(...) as f:
        data = f.read()

6. Sometimes OCSP or TKS installation failed:

pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet: [Errno 111] Connection refused

Maybe Tomcat is too slow to start? Sometimes it works just fine.

--
Endi S. Dewata

From cfu at redhat.com Wed Mar 20 17:33:34 2013
From: cfu at redhat.com (Christina Fu)
Date: Wed, 20 Mar 2013 10:33:34 -0700
Subject: [Pki-devel] Request for Review: TPS Revocation Routing
In-Reply-To: <5148A1EF.3010503@redhat.com>
References: <5147D956.40800@redhat.com> <5148A1EF.3010503@redhat.com>
Message-ID: <5149F2EE.50208@redhat.com>

Here is a newer revision that stores AKI in the CS.cfg the first time it
is figured out so it does not have to be figured out for every
revocation or unrevocation operation.

https://bugzilla.redhat.com/attachment.cgi?id=713376&action=diff&context=patch&collapsed=&headers=1&format=raw

Christina

On 03/19/2013 10:35 AM, Christina Fu wrote:
> Please note that the "Issuance routing" part in this bug is not
> included in this design/patch. It will be filed as a separate bug to
> be addressed.
> This design/patch is for TPS revocation routing only.
>
> regards,
> Christina
>
> On 03/18/2013 08:19 PM, Christina Fu wrote:
>> Hi,
>> Please review the code for the following design:
>> http://pki.fedoraproject.org/wiki/TPS_Revocation_Routing
>> for *Bug 902952*
>> -RFE: Cert System 8.1 - Issuance/Revocation routing with TPS and
>> multiple non-cloned CAs
>>
>> code:
>> https://bugzilla.redhat.com/attachment.cgi?id=712351&action=diff&context=patch&collapsed=&headers=1&format=raw
>>
>> thanks!
>> Christina

From akoneru at redhat.com Wed Mar 20 18:44:17 2013
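Review comments 1 to 3 in Endi Dewata's reply above (modules registering themselves in the encoder's type table, lists of registered objects, and turning JSON responses back into Python objects) can be sketched as follows. This is an added example, not code from the Dogtag patch or from the thread; the `register` decorator, the `{"ClassName": {...}}` wire layout and the field names are assumptions.

```python
import json

# Registry of wire types: class name -> class. Each module adds its own
# classes, so this encoder module never imports them (assumed design).
TYPES = {}


def register(cls):
    """Class decorator: a module registers its own type for (de)serialization."""
    TYPES[cls.__name__] = cls
    return cls


class CustomTypeEncoder(json.JSONEncoder):
    """Encode instances of registered classes as {"ClassName": {attributes}}."""

    def default(self, obj):
        name = type(obj).__name__
        if TYPES.get(name) is type(obj):
            # vars() may hold nested registered objects or lists of them;
            # JSONEncoder recurses into both, so no NOTYPES list is needed.
            return {name: vars(obj)}
        # Anything unregistered is refused (TypeError) instead of being dumped.
        return super().default(obj)


def decode_hook(dct):
    """object_hook: rebuild registered types only; everything else stays a dict."""
    if len(dct) == 1:
        (name, attrs), = dct.items()
        cls = TYPES.get(name)
        if cls is not None and isinstance(attrs, dict):
            # The constructor is the schema: unexpected keys raise TypeError.
            return cls(**attrs)
    return dct


def dumps(obj):
    return json.dumps(obj, cls=CustomTypeEncoder, sort_keys=True)


def loads(text):
    return json.loads(text, object_hook=decode_hook)


# In a real tree these classes would live in their own modules.
# Field names below are hypothetical.
@register
class SystemCertData:
    def __init__(self, tag=None, cert=None):
        self.tag = tag
        self.cert = cert


@register
class ConfigurationResponse:
    def __init__(self, status=None, systemCerts=None):
        self.status = status
        self.systemCerts = list(systemCerts or [])


def round_trip_demo():
    """Encode and decode a constructed response (not real installer output)."""
    response = ConfigurationResponse(
        status="success",
        systemCerts=[SystemCertData("signing", "BASE64-PLACEHOLDER-1"),
                     SystemCertData("ocsp_signing", "BASE64-PLACEHOLDER-2")])
    return loads(dumps(response))


if __name__ == "__main__":
    decoded = round_trip_demo()
    print(type(decoded).__name__, [c.tag for c in decoded.systemCerts])
```

Because the decoder only instantiates names found in `TYPES`, a response naming any other class is left as a plain dictionary rather than being turned into an object.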
From: akoneru at redhat.com (Abhishek Koneru)
Date: Wed, 20 Mar 2013 14:44:17 -0400
Subject: [Pki-devel] [PATCH]39-2 A revised fix for trac ticket #507 - Making the pki.conf irreplacebale by an upgrade
In-Reply-To: <1363706381.2221.42.camel@aleeredhat.laptop>
References: <567829589.7224159.1363400591813.JavaMail.root@redhat.com> <1363706381.2221.42.camel@aleeredhat.laptop>
Message-ID: <1363805057.2310.15.camel@akoneru.redhat.com>

Please find attached the revised fix for #507 after discussing with Ade,
Matt and Endi for review.

The final state of the pki.conf file follows the same rules as shown for
the macro %config(noreplace) here:
http://www-uxsup.csx.cam.ac.uk/~jw35/docs/rpm_config.html.
Additionally, during un-install, if pki.conf is edited on the disk, then
it is saved as pki.conf.rpm.save in /etc/pki.

--Abhishek

On Tue, 2013-03-19 at 11:19 -0400, Ade Lee wrote:
> 1. Same comment about commit message being too long.
> 2. In general, when you change the spec file, you might update the
> version. In this case, as there are many spec file changes coming in,
> we will dispense with that.
>
> ACK
>
> On Fri, 2013-03-15 at 22:23 -0400, Abhishek Koneru wrote:
> > Please review the attached patch with fixes for trac ticket 507 which
> > addresses the issue of the pki.conf being replaced while upgrading pki.
> >
> > --Abhishek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0039-2-Adding-changes-to-pki-core.spec-file-so-that-the-sys.patch
Type: text/x-patch
Size: 1019 bytes

From jmagne at redhat.com Wed Mar 20 19:04:28 2013
From: jmagne at redhat.com (John Magne) Date: Wed, 20 Mar 2013 15:04:28 -0400 (EDT) Subject: [Pki-devel] Request for Review: TPS Revocation Routing In-Reply-To: <5149F2EE.50208@redhat.com> Message-ID: <723063977.12131382.1363806268975.JavaMail.root@redhat.com> Christina: Just some comments below: 1. TPS_PUBLIC int CertEnroll::revokeFromOtherCA( CERTCertificate *cert, + bool revoke, + const char*serialno, char *&o_status, + const char *reason) { + + const char *caList = NULL; + const char *nick = NULL; + char configname[256]; + char configname_nick[256]; + ConfigStore *store = RA::GetConfigStore(); Initialize the char arrays like : char configname_nick[256] = {0}; Check that store is not NULL ? 2. Same method: Assert that char *caList_x = PL_strdup(caList); is not NULL? 3. TOKENDB_PUBLIC int CertEnroll::UnrevokeCertificate(CERTCertificate *cert, const char *serialno, const char *connid, + char *&o_status) +{ + char configname[5000]; + CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); + CERTCertificate *caCert = NULL; + char * caNickname = NULL; + + PR_ASSERT(certdb != NULL); + if ((cert == NULL) || + (serialno == NULL) || (connid == NULL)) { + RA::Debug("CertEnroll::UnrevokeCertificate", "missing info in call"); + return 1; + } + if (cert != NULL) { + /* For debugging; If cert was NULL, we would have already bombed out of the func. Same thing here: +TOKENDB_PUBLIC int CertEnroll::RevokeCertificate(CERTCertificate *cert, const char *reason, const char *serialno, const char *connid, char *&o_status) 4. Higher level question: Why do we have this special function revokeFromOtherCA that is called from Unrevoke and Revoke. Why can't we just have one Revoke that first tries the regular CA and then rifles through the list of others to contact? That way we wouldn't need Unrevoke and revokeFromOtherCA?? 5. caSKI_x = BTOA_ConvertItemToAscii(&ca_ski); Looks like caSKI_x gets set in two different ways, here and earlier. 
At the end we have a free, is this free method appropriate for both cases? Also in same method: char error_msg[512]; + int status = 0; + status = store->Commit(true, error_msg, 512); Init the error_msg? Also, is Commit expecting a char * ? or do we need the address of error_msg? This comes up in the other revoke related methods as well. 6. Same method: RevokeCertificate looks almost line for line identical to this one. I suppose there must be some way to conveniently merge these into one? 7. Method: TPS_PUBLIC int CertEnroll::revokeFromOtherCA( CERTCertificate *cert, + bool revoke, + const char*serialno, char *&o_status, + const char *reason) { + /* store it in config */ + caSKI_x = BTOA_ConvertItemToAscii(&ca_ski); + if (caSKI_x == NULL) { + if (caCert != NULL) { + CERT_DestroyCertificate(cert); + } + continue; + } Looks like you are Destroying the wrong cert, cert instead of caCert. Also, I think the same thing is happening further down here: if (ret == 0) { + if (caList_x != NULL) { + PL_strfree(caList_x); + } + if (caSKI_x != NULL) { + PL_strfree(caSKI_x); + } + if (caCert != NULL) { + CERT_DestroyCertificate(cert); + } And at the end of the function. Maybe this is on purpose, but should we be destroying something that was sent in as a param? Also, there seems to be some duplication in the freeing code, maybe create a cleanup label and jump down? 8. One more general question: Inside each ca connection entry in the cfg, we have a list of other ca connections, which I suppose point to other ca connections. I was just wondering if this list should be at a higher level? If I get this right, would every ca connection have a list of pointers to all the other ca connections? Actually , it now looks like maybe that is what you are doing, having the list as conn.ca.list=ca1,ca2, but you appear to have this guy listed under the comments for the block of conn.ca1, which represents a specific connection. 9. 
Looks like we have some more uninitialized static char arrays sprinkled in the code. Just a minor thing. ----- Original Message ----- From: "Christina Fu" To: pki-devel at redhat.com Sent: Wednesday, March 20, 2013 10:33:34 AM Subject: Re: [Pki-devel] Request for Review: TPS Revocation Routing Here is a newer revision that stores AKI in the CS.cfg the first time it is figured out so it does not have to be figured out for every revocation or unrevocation operation. https://bugzilla.redhat.com/attachment.cgi?id=713376&action=diff&context=patch&collapsed=&headers=1&format=raw Christina On 03/19/2013 10:35 AM, Christina Fu wrote: Please note that the "Issuance routing" part in this bug is not included in this design/patch. It will be filed as a separate bug to be addressed. This design/patch is for TPS revocation routing only. regards, Christina On 03/18/2013 08:19 PM, Christina Fu wrote: Hi, Please review the code for the following design: http://pki.fedoraproject.org/wiki/TPS_Revocation_Routing for Bug 902952 - RFE: Cert System 8.1 - Issuance/Revocation routing with TPS and multiple non-cloned CAs code: https://bugzilla.redhat.com/attachment.cgi?id=712351&action=diff&context=patch&collapsed=&headers=1&format=raw thanks! Christina From alee at redhat.com Wed Mar 20 19:26:18 2013
From: alee at redhat.com (Ade Lee) Date: Wed, 20 Mar 2013 15:26:18 -0400 Subject: [Pki-devel] [PATCH] refactor installation code to use python client instead of jython In-Reply-To: <5149D395.9010304@redhat.com> References: <1363726488.15479.4.camel@aleeredhat.laptop> <5149D395.9010304@redhat.com> Message-ID: <1363807578.3626.6.camel@aleeredhat.laptop> I'll file a separate patch to address the issues below. For the last issue, I am attaching a patch to check the server status prior to doing the configuration. This patch is to be applied on top of the previous one. (122) Ade On Wed, 2013-03-20 at 10:19 -0500, Endi Sukma Dewata wrote: > On 3/19/2013 3:54 PM, Ade Lee wrote: > > This is a pretty big change, but we want to get it into 10.0.2 so that > > we can eliminate our dependency on jython. > > > > So far, its been tested against a straight CA install. I plan to > > continue testing against other configurations, but as the code change is > > quite large, I want to start the review early. > > > > Please review, > > Ade > > Some comments: > > 1. Right now the encoder.py has to import other PKI modules in order to > construct the TYPES and NOTYPES lists, so if new modules are added we'd > need to update the encoder.py. This is not ideal since encoder.py is a > common module. It might be better to let the modules register themselves > into those lists, for example in encoder.py we can do something like this: > > import pki.encoder > > class ConfigurationRequest: > ... > > encoder.TYPES['ConfigurationRequest'] = ConfigurationRequest > > 2. The SystemCertData is now in NOTYPES list. What if we want to send a > SystemCertData object in a future API? It will need to be in TYPES. > > Maybe instead of using NOTYPES we should check if the object is an array > and the elements are in TYPES then we return an array of encoded objects. > > 3. 
JSON responses should be converted back into Python object: > > http://stackoverflow.com/questions/6578986/how-to-convert-json-data-into-a-python-object > > 4. The ConfigurationResponse.getSystemCerts() should return a List > instead of a Collection. > > 5. File access can be written with the 'with' keyword: > > with open(...) as f: > data = f.read() > > 6. Sometimes OCSP or TKS installation failed: > > pkispawn : INFO ....... constructing PKI configuration data. > pkispawn : INFO ....... configuring PKI configuration data. > pkispawn : ERROR ....... Exception from Java Configuration > Servlet: [Errno 111] Connection refused > > Maybe Tomcat is too slow to start? Sometimes it works just fine. > -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-vakwetu-0123-Add-status-servlet-to-all-subsystems.patch Type: text/x-patch Size: 12361 bytes Desc: not available URL: From edewata at redhat.com Wed Mar 20 20:49:27 2013 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 20 Mar 2013 15:49:27 -0500 Subject: [Pki-devel] [PATCH] refactor installation code to use python client instead of jython In-Reply-To: <1363807578.3626.6.camel@aleeredhat.laptop> References: <1363726488.15479.4.camel@aleeredhat.laptop> <5149D395.9010304@redhat.com> <1363807578.3626.6.camel@aleeredhat.laptop> Message-ID: <514A20D7.6030608@redhat.com> On 3/20/2013 2:26 PM, Ade Lee wrote: > I'll file a separate patch to address the issues below. > > For the last issue, I am attaching a patch to check the server status > prior to doing the configuration. This patch is to be applied on top of > the previous one. (122) > > Ade OCSP installation is consistently failing. There's a missing element. pkispawn : INFO ....... executing 'systemctl start pki-tomcatd at ocsp-master.service' Traceback (most recent call last): File "/sbin/pkispawn", line 405, in main(sys.argv) File "/sbin/pkispawn", line 389, in main rv = instance.spawn() File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line 98, in spawn status = util.instance.wait_for_startup(60) File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 1026, in wait_for_startup status = self.get_instance_status() File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 1005, in get_instance_status response = client.getStatus() File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in getStatus self.connection.subsystem + '/getStatus') File "/usr/lib/python2.7/site-packages/pki/client.py", line 54, in get r.raise_for_status() File "/usr/lib/python2.7/site-packages/requests/models.py", line 638, in raise_for_status raise http_error requests.exceptions.HTTPError: 404 Client Error: Not Found -- Endi S. Dewata From edewata at redhat.com Wed Mar 20 20:51:28 2013 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 20 Mar 2013 15:51:28 -0500 Subject: [Pki-devel] [PATCH]39-2 A revised fix for trac ticket #507 - Making the pki.conf irreplacebale by an upgrade In-Reply-To: <1363805057.2310.15.camel@akoneru.redhat.com> References: <567829589.7224159.1363400591813.JavaMail.root@redhat.com> <1363706381.2221.42.camel@aleeredhat.laptop> <1363805057.2310.15.camel@akoneru.redhat.com> Message-ID: <514A2150.70400@redhat.com> On 3/20/2013 1:44 PM, Abhishek Koneru wrote: > Please find attached the revised fix for #507 after discussing with Ade, > Matt and Endi for review. > The final state of the pki.conf file follow the same rules as shown for > the macro %config(noreplace) here: > http://www-uxsup.csx.cam.ac.uk/~jw35/docs/rpm_config.html. > > Additionally, during un-install, if pki.conf is edited on the disk, then > it is saved as pki.conf.rpm.save in /etc/pki. I think the default.cfg is not user configurable, so it shouldn't be marked with %config. -- Endi S. Dewata From edewata at redhat.com Wed Mar 20 21:57:19 2013 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 20 Mar 2013 16:57:19 -0500 Subject: [Pki-devel] [PATCH] refactor installation code to use python client instead of jython In-Reply-To: <5149D395.9010304@redhat.com> References: <1363726488.15479.4.camel@aleeredhat.laptop> <5149D395.9010304@redhat.com> Message-ID: <514A30BF.60104@redhat.com> On 3/20/2013 10:19 AM, Endi Sukma Dewata wrote: > On 3/19/2013 3:54 PM, Ade Lee wrote: >> This is a pretty big change, but we want to get it into 10.0.2 so that >> we can eliminate our dependency on jython. >> >> So far, it's been tested against a straight CA install. I plan to >> continue testing against other configurations, but as the code change is >> quite large, I want to start the review early. Additional comments for patch #122: 7. All command line arguments for should be quoted in case they contain spaces. This includes paths and file names. It would be better to use subprocess.call() instead of os.system(). The arguments can be specified as a list, so they don't need to be quoted. 8. In general a function should not call sys.exit() on error. It would be better to raise an Error and let the main program handle it. 9. Boolean attributes (e.g. isClone, backupKeys, importAdminCert) in Python objects should use real boolean values instead of string. 10. Currently the config_client is instantiated as a global variable in pkihelper.py which may limit its reusability. It would be better to instantiate it where it's actually used (in configuration.py). -- Endi S. Dewata From akoneru at redhat.com Wed Mar 20 22:08:26 2013
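The point of item 7 in the message above (pass arguments as a list instead of building a command string for os.system()), as an added example that is not part of the thread or of the pkispawn code. The nickname, path and HOME value are constructed, a small Python child stands in for the external tool, and a POSIX /bin/sh is assumed.

```python
import json
import os
import shlex
import subprocess
import sys

# Stand-in for an external tool: it prints the argument vector it received.
REPORT_ARGV = "import json, sys; print(json.dumps(sys.argv[1:]))"


def sample_args():
    """Constructed sample values: a nickname and a path containing spaces
    and a '$', all of which are legal in nicknames and file names."""
    return ["-n", "caSigningCert cert-pki-tomcat CA",
            "-o", "/tmp/pki backup/ca_$HOME.p12"]


def _env():
    # Pin HOME so the shell expansion in the unquoted variant is reproducible.
    env = dict(os.environ)
    env["HOME"] = "/constructed-home"
    return env


def _tool_prefix():
    # The program part is quoted in every variant; only the arguments differ.
    return "%s -c %s" % (shlex.quote(sys.executable), shlex.quote(REPORT_ARGV))


def _received(output):
    return json.loads(output.decode("utf-8"))


def run_shell_unquoted(args):
    """os.system() style: arguments pasted into one /bin/sh command line.
    shell=True hands the same string to the shell but lets us read stdout."""
    command = _tool_prefix() + " " + " ".join(args)
    return _received(subprocess.check_output(command, shell=True, env=_env()))


def run_shell_quoted(args):
    """Still a shell command line, but every argument is quoted first.
    shlex.quote() is Python 3; Python 2.7 offers it as pipes.quote()."""
    command = _tool_prefix() + " " + " ".join(shlex.quote(a) for a in args)
    return _received(subprocess.check_output(command, shell=True, env=_env()))


def run_argv_list(args):
    """subprocess with a list: no shell, each element is exactly one argument."""
    argv = [sys.executable, "-c", REPORT_ARGV] + list(args)
    return _received(subprocess.check_output(argv, env=_env()))


if __name__ == "__main__":
    args = sample_args()
    for runner in (run_shell_unquoted, run_shell_quoted, run_argv_list):
        got = runner(args)
        print("%-20s intact=%-5s %r" % (runner.__name__, got == args, got))
```

In the unquoted variant the tool receives seven arguments instead of four and the shell has already expanded `$HOME`; the list form needs no quoting at all.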
From: akoneru at redhat.com (Abhishek Koneru) Date: Wed, 20 Mar 2013 18:08:26 -0400 Subject: [Pki-devel] [PATCH] 40 Catch the Keyboard interrupt during the execution of pkispawn Message-ID: <1363817306.2310.18.camel@akoneru.redhat.com> Please review the patch with fixes for ticket 536 - Catch the keyboard interrupt during the execution of pkispawn and pkidestroy. --Abhishek -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0040-Catch-the-KeyboardInterrupt-Ctrl-C-input-during-the-.patch Type: text/x-patch Size: 2129 bytes Desc: not available URL: From alee at redhat.com Thu Mar 21 04:47:18 2013 From: alee at redhat.com (Ade Lee) Date: Thu, 21 Mar 2013 00:47:18 -0400 Subject: [Pki-devel] [PATCH]39-2 A revised fix for trac ticket #507 - Making the pki.conf irreplacebale by an upgrade In-Reply-To: <514A2150.70400@redhat.com> References: <567829589.7224159.1363400591813.JavaMail.root@redhat.com> <1363706381.2221.42.camel@aleeredhat.laptop> <1363805057.2310.15.camel@akoneru.redhat.com> <514A2150.70400@redhat.com> Message-ID: <1363841238.24235.1.camel@aleeredhat.laptop> agreed. default.cfg should not be user configurable. After removing the %config on that file - ACK. On Wed, 2013-03-20 at 15:51 -0500, Endi Sukma Dewata wrote: > On 3/20/2013 1:44 PM, Abhishek Koneru wrote: > > Please find attached the revised fix for #507 after discussing with Ade, > > Matt and Endi for review. > > The final state of the pki.conf file follow the same rules as shown for > > the macro %config(noreplace) here: > > http://www-uxsup.csx.cam.ac.uk/~jw35/docs/rpm_config.html. > > > > Additionally, during un-install, if pki.conf is edited on the disk, then > > it is saved as pki.conf.rpm.save in /etc/pki. > > I think the default.cfg is not user configurable, so it shouldn't be > marked with %config. > From alee at redhat.com Thu Mar 21 05:46:13 2013 
From: alee at redhat.com (Ade Lee) Date: Thu, 21 Mar 2013 01:46:13 -0400 Subject: [Pki-devel] [PATCH] 38-2 Fixes for review comments on [PATCH] 38 Fixes for trac tickets #509 and #525 In-Reply-To: <1363785358.2310.5.camel@akoneru.redhat.com> References: <1208818611.7223560.1363400428829.JavaMail.root@redhat.com> <1363705912.2221.40.camel@aleeredhat.laptop> <1363785358.2310.5.camel@akoneru.redhat.com> Message-ID: <1363844773.24235.5.camel@aleeredhat.laptop> See comments below: On Wed, 2013-03-20 at 09:15 -0400, Abhishek Koneru wrote: > Please review the attached patch with fixes for review comments given > for patch 38. > > --Abhishek > > On Tue, 2013-03-19 at 11:11 -0400, Ade Lee wrote: > > Comments: > > > > 1. In pkispawn, in the section "KRA, OCSP, or TKS using default > > configuration": rather than explaining that myconfig.txt is the same as > > the above section with an additional parameter, its clearer just to > > print out a new myconfig.txt as in the previous section. You still want > > to mention though that the security domain password is the same as the > > admin password for the CA. Note the typo "whick". > > > > 2. The line adding the signing subordinate DN is too long, partly > > because it repeats itself. Shorten to fit on line if possible. > > This line is still too long. Try to make it fit within 80 characters. You could shorten to cn=CA Subordinate Signing,o=example.com for example. > > > 3. Also in that section, there should be a note about the subordinate > > CA subject DN having to be different from the root CA signing subject > > DN. See a corresponding note in the "externally signed CA section" > > The note is fine - but add a line before the note to separate from the previous paragraph. > > 4. In sample.cfg, change the comment to: > > +##Required for all subsystems that are not root CAs > > > > 5. The sample files for KRA, TKS etc. like sampleKRA-OCSP-TKSclone.cfg > > are a little confusing. 
Rather pick one of these -- a KRA for > > instances and provide a sample instead. So in this case, > > [KRA/OCSP/TKS] -> [KRA] I still see the heading [KRA/OCSP/TKS] in your sample config files. > > > > On Fri, 2013-03-15 at 22:20 -0400, Abhishek Koneru wrote: > > > Please review the attached patch with fixes for incorrect information in pkispawn man page. > > > Also added the sample config files for different installations of pki subsystems. > > > > > > --Abhishek > > > _______________________________________________ > > > Pki-devel mailing list > > > Pki-devel at redhat.com > > > https://www.redhat.com/mailman/listinfo/pki-devel > > > > > From alee at redhat.com Thu Mar 21 07:04:06 2013 
From: alee at redhat.com (Ade Lee) Date: Thu, 21 Mar 2013 03:04:06 -0400 Subject: [Pki-devel] [PATCH] refactor installation code to use python client instead of jython In-Reply-To: <514A30BF.60104@redhat.com> References: <1363726488.15479.4.camel@aleeredhat.laptop> <5149D395.9010304@redhat.com> <514A30BF.60104@redhat.com> Message-ID: <1363849446.24235.12.camel@aleeredhat.laptop> Attached new patch to be applied on top of 122, 123. The patch also addresses some of the issues in the previous email. See comments below. On Wed, 2013-03-20 at 16:57 -0500, Endi Sukma Dewata wrote: > On 3/20/2013 10:19 AM, Endi Sukma Dewata wrote: > > On 3/19/2013 3:54 PM, Ade Lee wrote: > >> This is a pretty big change, but we want to get it into 10.0.2 so that > >> we can eliminate our dependency on jython. > >> > >> So far, its been tested against a straight CA install. I plan to > >> continue testing against other configurations, but as the code change is > >> quite large, I want to start the review early. > > Additional comments for patch #122: > > 7. All command line arguments for should be quoted in case they contain > spaces. This including paths and file names. > > It would be better to use subprocess.call() instead of os.system(). The > arguments can be specified as a list, so they don't need to be quoted. > Done for code added in this patch. There are other parts of pkispawn that need to be checked for this issue. > 8. In general a function should not call sys.exit() on error. It would > be better to raise an Error and let the main program handle it. > This is a general problem in pkispawn (not just in the code submitted). In keeping with the behavior in pkijython, this was continued in the code submitted. A ticket should be opened to address this throughout the scriptlets. > 9. Boolean attributes (e.g. isClone, backupKeys, importAdminCert) in > Python objects should use real boolean values instead of string. 
> There is already a ticket to make the fields in the java object ConfigurationRequest use real boolean values, slated for 10.1. Python clients should be handled then too. > 10. Currently the config_client is instantiated as a global variable in > pkihelper.py which may limit its reusability. It would be better to > instantiate it where it's actually used (in configuration.py). > Done. -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-vakwetu-0124-Address-various-issues-from-review.patch Type: text/x-patch Size: 18085 bytes Desc: not available URL: From alee at redhat.com Thu Mar 21 07:05:32 2013 
From: alee at redhat.com (Ade Lee) Date: Thu, 21 Mar 2013 03:05:32 -0400 Subject: [Pki-devel] [PATCH] refactor installation code to use python client instead of jython In-Reply-To: <514A20D7.6030608@redhat.com> References: <1363726488.15479.4.camel@aleeredhat.laptop> <5149D395.9010304@redhat.com> <1363807578.3626.6.camel@aleeredhat.laptop> <514A20D7.6030608@redhat.com> Message-ID: <1363849532.24235.13.camel@aleeredhat.laptop> Fixed in 124. On Wed, 2013-03-20 at 15:49 -0500, Endi Sukma Dewata wrote: > On 3/20/2013 2:26 PM, Ade Lee wrote: > > I'll file a separate patch to address the issues below. > > > > For the last issue, I am attaching a patch to check the server status > > prior to doing the configuration. This patch is to be applied on top of > > the previous one. (122) > > > > Ade > > OCSP installation is consistently failing. There's a missing > element. > > pkispawn : INFO ....... executing 'systemctl start > pki-tomcatd at ocsp-master.service' > Traceback (most recent call last): > File "/sbin/pkispawn", line 405, in > main(sys.argv) > File "/sbin/pkispawn", line 389, in main > rv = instance.spawn() > File > "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line > 98, in spawn > status = util.instance.wait_for_startup(60) > File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", > line 1026, in wait_for_startup > status = self.get_instance_status() > File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", > line 1005, in get_instance_status > response = client.getStatus() > File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in > getStatus > self.connection.subsystem + '/getStatus') > File "/usr/lib/python2.7/site-packages/pki/client.py", line 54, in get > r.raise_for_status() > File "/usr/lib/python2.7/site-packages/requests/models.py", line 638, > in raise_for_status > raise http_error > requests.exceptions.HTTPError: 404 Client Error: Not Found > From alee at redhat.com Thu Mar 21 07:09:04 2013 
From: alee at redhat.com (Ade Lee) Date: Thu, 21 Mar 2013 03:09:04 -0400 Subject: [Pki-devel] [PATCH] refactor installation code to use python client instead of jython In-Reply-To: <5149D395.9010304@redhat.com> References: <1363726488.15479.4.camel@aleeredhat.laptop> <5149D395.9010304@redhat.com> Message-ID: <1363849744.24235.16.camel@aleeredhat.laptop> See comments below: On Wed, 2013-03-20 at 10:19 -0500, Endi Sukma Dewata wrote: > On 3/19/2013 3:54 PM, Ade Lee wrote: > > This is a pretty big change, but we want to get it into 10.0.2 so that > > we can eliminate our dependency on jython. > > > > So far, its been tested against a straight CA install. I plan to > > continue testing against other configurations, but as the code change is > > quite large, I want to start the review early. > > > > Please review, > > Ade > > Some comments: > > 1. Right now the encoder.py has to import other PKI modules in order to > construct the TYPES and NOTYPES lists, so if new modules are added we'd > need to update the encoder.py. This is not ideal since encoder.py is a > common module. It might be better to let the modules register themselves > into those lists, for example in encoder.py we can do something like this: > > import pki.encoder > > class ConfigurationRequest: > ... > > encoder.TYPES['ConfigurationRequest'] = ConfigurationRequest > Fixed in 124. > 2. The SystemCertData is now in NOTYPES list. What if we want to send a > SystemCertData object in a future API? It will need to be in TYPES. > > Maybe instead of using NOTYPES we should check if the object is an array > and the elements are in TYPES then we return an array of encoded objects. > Due to time constraints, we will not fix this in this patch. Please open a ticket. > 3. JSON responses should be converted back into Python object: > > http://stackoverflow.com/questions/6578986/how-to-convert-json-data-into-a-python-object > Same as above. Please open a ticket. > 4. 
The ConfigurationResponse.getSystemCerts() should return a List > instead of a Collection. Fixed in 124. > 5. File access can be written with the 'with' keyword: > > with open(...) as f: > data = f.read() > Fixed in 124 for the code added in this patch. There are, however, many other occurrences in the python code that should be addressed. Please open a ticket to address these. > 6. Sometimes OCSP or TKS installation failed: > > pkispawn : INFO ....... constructing PKI configuration data. > pkispawn : INFO ....... configuring PKI configuration data. > pkispawn : ERROR ....... Exception from Java Configuration > Servlet: [Errno 111] Connection refused > > Maybe Tomcat is too slow to start? Sometimes it works just fine. > Fixed in 123. From akoneru at redhat.com Thu Mar 21 16:07:07 2013
From: akoneru at redhat.com (Abhishek Koneru) Date: Thu, 21 Mar 2013 12:07:07 -0400 Subject: [Pki-devel] [PATCH] 38-3 Fixes for review comments for patch 38-2 In-Reply-To: <1363844773.24235.5.camel@aleeredhat.laptop> References: <1208818611.7223560.1363400428829.JavaMail.root@redhat.com> <1363705912.2221.40.camel@aleeredhat.laptop> <1363785358.2310.5.camel@akoneru.redhat.com> <1363844773.24235.5.camel@aleeredhat.laptop> Message-ID: <1363882027.10572.2.camel@akoneru.redhat.com> Fixed the review comments for 38-2. Please review the patch so that it can be pushed. --Abhishek On Thu, 2013-03-21 at 01:46 -0400, Ade Lee wrote: > See comments below: > > On Wed, 2013-03-20 at 09:15 -0400, Abhishek Koneru wrote: > > Please review the attached patch with fixes for review comments given > > for patch 38. > > > > --Abhishek > > > > On Tue, 2013-03-19 at 11:11 -0400, Ade Lee wrote: > > > Comments: > > > > > > 1. In pkispawn, in the section "KRA, OCSP, or TKS using default > > > configuration": rather than explaining that myconfig.txt is the same as > > > the above section with an additional parameter, its clearer just to > > > print out a new myconfig.txt as in the previous section. You still want > > > to mention though that the security domain password is the same as the > > > admin password for the CA. Note the typo "whick". > > > > > > 2. The line adding the signing subordinate DN is too long, partly > > > because it repeats itself. Shorten to fit on line if possible. > > > > This line is still too long. Try to make it fit within 80 characters. > You could shorten to cn=CA Subordinate Signing,o=example.com for > example. > > > > > 3. Also in that section, there should be a note about the subordinate > > > CA subject DN having to be different from the root CA signing subject > > > DN. See a corresponding note in the "externally signed CA section" > > > > The note is fine - but add a line before the note to separate from the > previous paragraph. > > > > 4. 
In sample.cfg, change the comment to: > > > +##Required for all subsystems that are not root CAs > > > > > > 5. The sample files for KRA, TKS etc. like sampleKRA-OCSP-TKSclone.cfg > > > are a little confusing. Rather pick one of these -- a KRA for > > > instances and provide a sample instead. So in this case, > > > [KRA/OCSP/TKS] -> [KRA] > > I still see the heading [KRA/OCSP/TKS] in your sample config files. > > > > > > > On Fri, 2013-03-15 at 22:20 -0400, Abhishek Koneru wrote: > > > > Please review the attached patch with fixes for incorrect information in pkispawn man page. > > > > Also added the sample config files for different installations of pki subsystems. > > > > > > > > --Abhishek > > > > _______________________________________________ > > > > Pki-devel mailing list > > > > Pki-devel at redhat.com > > > > https://www.redhat.com/mailman/listinfo/pki-devel > > > > > > > > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0038-3-Minor-fixes-to-pkispawn-man-page-updating-the-sample.patch Type: text/x-patch Size: 8948 bytes Desc: not available URL: From akoneru at redhat.com Thu Mar 21 16:43:35 2013 From: akoneru at redhat.com (Abhishek Koneru) Date: Thu, 21 Mar 2013 12:43:35 -0400 (EDT) Subject: [Pki-devel] [PATCH]39-2 A revised fix for trac ticket #507 - Making the pki.conf irreplacebale by an upgrade In-Reply-To: <1363841238.24235.1.camel@aleeredhat.laptop> Message-ID: <177253228.8296886.1363884215017.JavaMail.root@redhat.com> Removed the %config tag for default.cfg. Pushed to master. --Abhishek ----- Original Message ----- 
From: "Ade Lee" To: "Endi Sukma Dewata" Cc: "Abhishek Koneru" , pki-devel at redhat.com Sent: Thursday, March 21, 2013 12:47:18 AM Subject: Re: [Pki-devel] [PATCH]39-2 A revised fix for trac ticket #507 - Making the pki.conf irreplacebale by an upgrade agreed. default.cfg should not be user configurable. After removing the %config on that file - ACK. On Wed, 2013-03-20 at 15:51 -0500, Endi Sukma Dewata wrote: > On 3/20/2013 1:44 PM, Abhishek Koneru wrote: > > Please find attached the revised fix for #507 after discussing with Ade, > > Matt and Endi for review. > > The final state of the pki.conf file follow the same rules as shown for > > the macro %config(noreplace) here: > > http://www-uxsup.csx.cam.ac.uk/~jw35/docs/rpm_config.html. > > > > Additionally, during un-install, if pki.conf is edited on the disk, then > > it is saved as pki.conf.rpm.save in /etc/pki. > > I think the default.cfg is not user configurable, so it shouldn't be > marked with %config. > From cfu at redhat.com Thu Mar 21 20:13:20 2013 From: cfu at redhat.com (Christina Fu) Date: Thu, 21 Mar 2013 13:13:20 -0700 Subject: [Pki-devel] Request for Review: Bug 904289 - Add ECC Support to Certificate Profiles Message-ID: <514B69E0.1020804@redhat.com> The following is the patch for *Bug 904289* -Add ECC Support to Certificate Profiles https://bugzilla.redhat.com/attachment.cgi?id=714089&action=diff&context=patch&collapsed=&headers=1&format=raw Please review. thanks! Christina -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Thu Mar 21 20:23:11 2013 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 21 Mar 2013 15:23:11 -0500 Subject: [Pki-devel] [PATCH] 221 Added upgrade framework. Message-ID: <514B6C2F.20709@redhat.com> A new Python module has been added to provide a framework for upgrade scriptlets. A new tool called pkirespawn has been added to execute the scriptlets. Upgrade tracker and command-line options will be added separately. The pki.conf has been moved from pki-server to pki-base. Ticket #544, #553 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0221-Added-upgrade-framework.patch Type: text/x-patch Size: 8660 bytes Desc: not available URL: From edewata at redhat.com Thu Mar 21 20:23:13 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 21 Mar 2013 15:23:13 -0500 Subject: [Pki-devel] [PATCH] 222 Added upgrade script for random number generator. Message-ID: <514B6C31.9060301@redhat.com> An upgrade script has been added to update the context.xml to configure the random number generator. Ticket #545 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0222-Added-upgrade-script-for-random-number-generator.patch Type: text/x-patch Size: 6492 bytes Desc: not available URL: From edewata at redhat.com Thu Mar 21 20:23:49 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 21 Mar 2013 15:23:49 -0500 Subject: [Pki-devel] [PATCH] 223 Fixed JSON encoding class registration. Message-ID: <514B6C55.9030007@redhat.com> The class registration for JSON encoding has been moved after the class definitions to avoid problems. Ticket #532 ACKed by Ade, pushed to master. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0223-Fixed-JSON-encoding-class-registration.patch Type: text/x-patch Size: 1236 bytes Desc: not available URL: From jmagne at redhat.com Thu Mar 21 23:49:51 2013
From: jmagne at redhat.com (John Magne) Date: Thu, 21 Mar 2013 19:49:51 -0400 (EDT) Subject: [Pki-devel] Request for Review: TPS Revocation Routing In-Reply-To: <5149F2EE.50208@redhat.com> Message-ID: <481773974.12942239.1363909791337.JavaMail.root@redhat.com> Based on latest submissions. ACK ----- Original Message ----- From: "Christina Fu" To: pki-devel at redhat.com Sent: Wednesday, 20 March, 2013 10:33:34 AM Subject: Re: [Pki-devel] Request for Review: TPS Revocation Routing Here is a newer revision that stores AKI in the CS.cfg the first time it is figured out so it does not have to be figured out for every revocation or unrevocation operation. https://bugzilla.redhat.com/attachment.cgi?id=713376&action=diff&context=patch&collapsed=&headers=1&format=raw Christina On 03/19/2013 10:35 AM, Christina Fu wrote: Please note that the "Issuance routing" part in this bug is not included in this design/patch. It will be filed as a separate bug to be addressed. This design/patch is for TPS revocation routing only. regards, Christina On 03/18/2013 08:19 PM, Christina Fu wrote: Hi, Please review the code for the following design: http://pki.fedoraproject.org/wiki/TPS_Revocation_Routing for Bug 902952 - RFE: Cert System 8.1 - Issuance/Revocation routing with TPS and multiple non-cloned CAs code: https://bugzilla.redhat.com/attachment.cgi?id=712351&action=diff&context=patch&collapsed=&headers=1&format=raw thanks! Christina From awnuk at redhat.com Fri Mar 22 00:24:33 2013
From: awnuk at redhat.com (Andrew Wnuk) Date: Thu, 21 Mar 2013 17:24:33 -0700 Subject: [Pki-devel] [Patch] Option to include nextUpdate as an offset to thisUpdate Message-ID: <514BA4C1.4050604@redhat.com> This patch provides an option to generate CRLs with nextUpdate calculated as sum of thisUpdate and an offset. Bug: 919556. -------------- next part -------------- Index: pki/dogtag/console-ui/CMSAdminRS.properties =================================================================== --- pki/dogtag/console-ui/CMSAdminRS.properties (revision 2533) +++ pki/dogtag/console-ui/CMSAdminRS.properties (working copy) @@ -598,6 +598,7 @@ CRLSETTING_LABEL_NEXTTIME_LABEL=Extend next update time in full CRLs CRLSETTING_LABEL_MINUTES_LABEL=minutes CRLSETTING_LABEL_GRACEPERIOD_LABEL=Next update grace period +CRLSETTING_LABEL_NEXTASTHISEXTENSION_LABEL=Next update as this update extension CRLSETTING_DIALOG_UPDATES_TITLE=Error CRLSETTING_DIALOG_UPDATES_MESSAGE=You are required to select at least one form of CRL updates. CRLSETTING_DIALOG_BLANKSCHEMA_TITLE=Error @@ -618,6 +619,10 @@ CRLSETTING_DIALOG_BLANKGRACE_MESSAGE=Grace period must be specified! CRLSETTING_DIALOG_GRACENUMBER_TITLE=Number Format Error CRLSETTING_DIALOG_GRACENUMBER_MESSAGE=Grace period must be a positive integer! +CRLSETTING_DIALOG_BLANKNEXTASTHISEXTENSION_TITLE=Error +CRLSETTING_DIALOG_BLANKNEXTASTHISEXTENSION_MESSAGE=Grace period must be specified! +CRLSETTING_DIALOG_NEXTASTHISEXTENSIONNUMBER_TITLE=Number Format Error +CRLSETTING_DIALOG_NEXTASTHISEXTENSIONNUMBER_MESSAGE=This update extension must be a positive integer! CRLCACHE_TITLE=Cache CRLCACHE_BORDER_CACHE_LABEL=CRL Cache CRLCACHE_LABEL_CACHE_LABEL=Enable CRL cache: Index: pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java =================================================================== --- pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java (revision 2533) +++ pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java (working copy) 
@@ -204,6 +204,11 @@ private long mNextUpdateGracePeriod; /** + * next update as this update extension + */ + private long mNextAsThisUpdateExtension; + + /** * Boolean flag controlling whether CRLv2 extensions are to be * used in CRL. */ @@ -663,6 +668,9 @@ // get next update grace period mNextUpdateGracePeriod = MINUTE * config.getInteger(Constants.PR_GRACE_PERIOD, 0); + // get next update as this update extension + mNextAsThisUpdateExtension = MINUTE * config.getInteger(Constants.PR_NEXT_AS_THIS_EXTENSION, 0); + // Get V2 or V1 CRL mAllowExtensions = config.getBoolean(Constants.PR_EXTENSIONS, false); @@ -1005,6 +1013,16 @@ } } + if (name.equals(Constants.PR_NEXT_AS_THIS_EXTENSION)) { + try { + if (value != null && value.length() > 0) { + mNextAsThisUpdateExtension = MINUTE * Long.parseLong(value.trim()); + } + } catch (NumberFormatException e) { + noRestart = false; + } + } + // -- CRL Cache -- if (name.equals(Constants.PR_ENABLE_CACHE)) { if (value.equals(Constants.FALSE) && mEnableCRLCache) { 
@@ -2330,6 +2348,15 @@ mLastUpdate = thisUpdate; // mNextUpdate = nextUpdate; mNextDeltaUpdate = (nextDeltaUpdate != null)? new Date(nextDeltaUpdate.getTime()): null; + if (mNextAsThisUpdateExtension > 0) { + Date nextUpdateAsThisUpdateExtension = new Date(thisUpdate.getTime()+mNextAsThisUpdateExtension); + if (nextUpdate != null && nextUpdate.before(nextUpdateAsThisUpdateExtension)) { + nextUpdate = nextUpdateAsThisUpdateExtension; + } + if (nextDeltaUpdate != null && nextDeltaUpdate.before(nextUpdateAsThisUpdateExtension)) { + nextDeltaUpdate = nextUpdateAsThisUpdateExtension; + } + } if (nextUpdate != null) { nextUpdate.setTime((nextUpdate.getTime())+mNextUpdateGracePeriod); } Index: pki/base/common/src/com/netscape/certsrv/common/Constants.java =================================================================== --- pki/base/common/src/com/netscape/certsrv/common/Constants.java (revision 2533) +++ pki/base/common/src/com/netscape/certsrv/common/Constants.java (working copy) @@ -214,6 +214,7 @@ public final static String PR_ENABLE_FREQ = "enableUpdateInterval"; public final static String PR_UPDATE_FREQ = "autoUpdateInterval"; public final static String PR_GRACE_PERIOD = "nextUpdateGracePeriod"; + public final static String PR_NEXT_AS_THIS_EXTENSION = "nextAsThisUpdateExtension"; public final static String PR_ENABLE_CACHE = "enableCRLCache"; public final static String PR_CACHE_FREQ = "cacheUpdateInterval"; public final static String PR_CACHE_RECOVERY = "enableCacheRecovery"; Index: pki/base/console/src/com/netscape/admin/certsrv/config/CMSCRLSettingPanel.java =================================================================== --- pki/base/console/src/com/netscape/admin/certsrv/config/CMSCRLSettingPanel.java (revision 2533) +++ pki/base/console/src/com/netscape/admin/certsrv/config/CMSCRLSettingPanel.java (working copy) 
@@ -59,6 +59,9 @@ private JLabel mGracePeriodLabel; private JTextField mGracePeriod; private JLabel mGracePeriodMinLabel; + private JLabel mNextAsThisUpdateExtensionLabel; + private JTextField mNextAsThisUpdateExtension; + private JLabel mNextAsThisUpdateExtensionMinLabel; private Color mActiveColor; private AdminConnection _admin; @@ -279,7 +282,32 @@ gbc.insets = new Insets(COMPONENT_SPACE,COMPONENT_SPACE,0,COMPONENT_SPACE); freqPanel.add(mGracePeriodMinLabel, gbc); + // next update as this update extension + CMSAdminUtil.resetGBC(gbc); + mNextAsThisUpdateExtensionLabel = makeJLabel("NEXTASTHISEXTENSION"); + gbc.anchor = gbc.WEST; + gbc.fill = gbc.NONE; + gbc.gridx = 0; + // gbc.gridx = 2; + gbc.weightx = 0.0; + gbc.gridwidth = 1; + gbc.insets = new Insets(COMPONENT_SPACE,DIFFERENT_COMPONENT_SPACE,0,0); + freqPanel.add(mNextAsThisUpdateExtensionLabel, gbc); + mNextAsThisUpdateExtension = makeJTextField(5); + gbc.anchor = gbc.WEST; + gbc.gridx++; + gbc.insets = new Insets(COMPONENT_SPACE,COMPONENT_SPACE,0,0); + freqPanel.add(mNextAsThisUpdateExtension, gbc); + + mNextAsThisUpdateExtensionMinLabel = makeJLabel("MINUTES"); + gbc.anchor = gbc.WEST; + gbc.gridx++; + gbc.weightx = 1.0; + gbc.gridwidth = gbc.REMAINDER; + gbc.insets = new Insets(COMPONENT_SPACE,COMPONENT_SPACE,0,COMPONENT_SPACE); + freqPanel.add(mNextAsThisUpdateExtensionMinLabel, gbc); + refresh(); } @@ -295,6 +323,7 @@ nvps.add(Constants.PR_ENABLE_FREQ, ""); nvps.add(Constants.PR_UPDATE_FREQ, ""); nvps.add(Constants.PR_GRACE_PERIOD, ""); + nvps.add(Constants.PR_NEXT_AS_THIS_EXTENSION, ""); try { NameValuePairs val = null; @@ -342,6 +371,8 @@ mFrequency.setText(value); } else if (name.equals(Constants.PR_GRACE_PERIOD)) { mGracePeriod.setText(value); + } else if (name.equals(Constants.PR_NEXT_AS_THIS_EXTENSION)) { + mNextAsThisUpdateExtension.setText(value); } } } 
@@ -530,6 +561,21 @@ showMessageDialog("GRACENUMBER"); return false; } + + if (mNextAsThisUpdateExtension.getText().trim().equals("")) { + showMessageDialog("BLANKNEXTASTHISEXTENSION"); + return false; + } + try { + int nextAsThisUpdateExtension = Integer.parseInt(mNextAsThisUpdateExtension.getText().trim()); + if (nextAsThisUpdateExtension < 0) { + showMessageDialog("NEXTASTHISEXTENSIONNUMBER"); + return false; + } + } catch (NumberFormatException e) { + showMessageDialog("NEXTASTHISEXTENSIONNUMBER"); + return false; + } } NameValuePairs nvps = new NameValuePairs(); @@ -571,6 +617,7 @@ nvps.add(Constants.PR_GRACE_PERIOD, mGracePeriod.getText().trim()); + nvps.add(Constants.PR_NEXT_AS_THIS_EXTENSION, mNextAsThisUpdateExtension.getText().trim()); _model.progressStart(); @@ -617,6 +664,11 @@ CMSAdminUtil.repaintComp(mGracePeriodLabel); mGracePeriodMinLabel.setEnabled(true); CMSAdminUtil.repaintComp(mGracePeriodMinLabel); + CMSAdminUtil.enableJTextField(mNextAsThisUpdateExtension, true, mActiveColor); + mNextAsThisUpdateExtensionLabel.setEnabled(true); + CMSAdminUtil.repaintComp(mNextAsThisUpdateExtensionLabel); + mNextAsThisUpdateExtensionMinLabel.setEnabled(true); + CMSAdminUtil.repaintComp(mNextAsThisUpdateExtensionMinLabel); } else { CMSAdminUtil.enableJTextField(mDailyAt, false, getBackground()); if (!mEnableFreq.isSelected()) { @@ -625,6 +677,11 @@ CMSAdminUtil.repaintComp(mGracePeriodLabel); mGracePeriodMinLabel.setEnabled(false); CMSAdminUtil.repaintComp(mGracePeriodMinLabel); + CMSAdminUtil.enableJTextField(mNextAsThisUpdateExtension, false, getBackground()); + mNextAsThisUpdateExtensionLabel.setEnabled(false); + CMSAdminUtil.repaintComp(mNextAsThisUpdateExtensionLabel); + mNextAsThisUpdateExtensionMinLabel.setEnabled(false); + CMSAdminUtil.repaintComp(mNextAsThisUpdateExtensionMinLabel); } } } 
@@ -638,6 +695,11 @@ CMSAdminUtil.repaintComp(mGracePeriodLabel); mGracePeriodMinLabel.setEnabled(true); CMSAdminUtil.repaintComp(mGracePeriodMinLabel); + CMSAdminUtil.enableJTextField(mNextAsThisUpdateExtension, true, mActiveColor); + mNextAsThisUpdateExtensionLabel.setEnabled(true); + CMSAdminUtil.repaintComp(mNextAsThisUpdateExtensionLabel); + mNextAsThisUpdateExtensionMinLabel.setEnabled(true); + CMSAdminUtil.repaintComp(mNextAsThisUpdateExtensionMinLabel); } else { CMSAdminUtil.enableJTextField(mFrequency, false, getBackground()); mMinLabel.setEnabled(false); @@ -648,6 +710,11 @@ CMSAdminUtil.repaintComp(mGracePeriodLabel); mGracePeriodMinLabel.setEnabled(false); CMSAdminUtil.repaintComp(mGracePeriodMinLabel); + CMSAdminUtil.enableJTextField(mNextAsThisUpdateExtension, false, getBackground()); + mNextAsThisUpdateExtensionLabel.setEnabled(false); + CMSAdminUtil.repaintComp(mNextAsThisUpdateExtensionLabel); + mNextAsThisUpdateExtensionMinLabel.setEnabled(false); + CMSAdminUtil.repaintComp(mNextAsThisUpdateExtensionMinLabel); } } } @@ -696,6 +763,11 @@ CMSAdminUtil.repaintComp(mGracePeriodLabel); mGracePeriodMinLabel.setEnabled(enable3); CMSAdminUtil.repaintComp(mGracePeriodMinLabel); + CMSAdminUtil.enableJTextField(mNextAsThisUpdateExtension, enable3, color3); + mNextAsThisUpdateExtensionLabel.setEnabled(enable3); + CMSAdminUtil.repaintComp(mNextAsThisUpdateExtensionLabel); + mNextAsThisUpdateExtensionMinLabel.setEnabled(enable3); + CMSAdminUtil.repaintComp(mNextAsThisUpdateExtensionMinLabel); } } Index: pki/base/console/src/com/netscape/certsrv/common/Constants.java =================================================================== --- pki/base/console/src/com/netscape/certsrv/common/Constants.java (revision 2533) +++ pki/base/console/src/com/netscape/certsrv/common/Constants.java (working copy) 
@@ -216,6 +216,7 @@ public final static String PR_ENABLE_FREQ = "enableUpdateInterval"; public final static String PR_UPDATE_FREQ = "autoUpdateInterval"; public final static String PR_GRACE_PERIOD = "nextUpdateGracePeriod"; + public final static String PR_NEXT_AS_THIS_EXTENSION = "nextAsThisUpdateExtension"; public final static String PR_ENABLE_CACHE = "enableCRLCache"; public final static String PR_CACHE_FREQ = "cacheUpdateInterval"; public final static String PR_CACHE_RECOVERY = "enableCacheRecovery"; Index: pki/redhat/console-ui/CMSAdminRS.properties =================================================================== --- pki/redhat/console-ui/CMSAdminRS.properties (revision 16063) +++ pki/redhat/console-ui/CMSAdminRS.properties (working copy) @@ -607,6 +607,7 @@ CRLSETTING_LABEL_NEXTTIME_LABEL=Extend next update time in full CRLs CRLSETTING_LABEL_MINUTES_LABEL=minutes CRLSETTING_LABEL_GRACEPERIOD_LABEL=Next update grace period +CRLSETTING_LABEL_NEXTASTHISEXTENSION_LABEL=Next update as this update extension CRLSETTING_DIALOG_UPDATES_TITLE=Error CRLSETTING_DIALOG_UPDATES_MESSAGE=You are required to select at least one form of CRL updates. CRLSETTING_DIALOG_BLANKSCHEMA_TITLE=Error @@ -627,6 +628,10 @@ CRLSETTING_DIALOG_BLANKGRACE_MESSAGE=Grace period must be specified! CRLSETTING_DIALOG_GRACENUMBER_TITLE=Number Format Error CRLSETTING_DIALOG_GRACENUMBER_MESSAGE=Grace period must be a positive integer! +CRLSETTING_DIALOG_BLANKNEXTASTHISEXTENSION_TITLE=Error +CRLSETTING_DIALOG_BLANKNEXTASTHISEXTENSION_MESSAGE=Grace period must be specified! +CRLSETTING_DIALOG_NEXTASTHISEXTENSIONNUMBER_TITLE=Number Format Error +CRLSETTING_DIALOG_NEXTASTHISEXTENSIONNUMBER_MESSAGE=This update extension must be a positive integer! CRLCACHE_TITLE=Cache CRLCACHE_BORDER_CACHE_LABEL=CRL Cache CRLCACHE_LABEL_CACHE_LABEL=Enable CRL cache: From mharmsen at redhat.com Fri Mar 22 00:28:23 2013 
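Review bot: In the second hunk of both CMSAdminRS.properties files (dogtag and redhat), CRLSETTING_DIALOG_BLANKNEXTASTHISEXTENSION_MESSAGE still reads "Grace period must be specified!", which is the text of the BLANKGRACE entry just above it; it should name the new "next update as this update extension" field. The NEXTASTHISEXTENSIONNUMBER message says the value "must be a positive integer", but the check added to CMSCRLSettingPanel.java rejects only values below zero, so 0 is accepted; either say "non-negative" or tighten the check so the message and the behaviour agree.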
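Review bot: In CRLIssuingPoint.java, the hunk at -1005 parses the new value with Long.parseLong(value.trim()) and stores MINUTE times the result without rejecting negative numbers, so a negative setting is kept in mNextAsThisUpdateExtension and then silently skipped by the "mNextAsThisUpdateExtension > 0" guard in the hunk at -2330. Reject a negative value at this point, the same way a NumberFormatException is handled. The initialisation hunk at -663 reads the same parameter with config.getInteger(..., 0) while this path uses Long.parseLong; using one type for both paths would keep the accepted range identical.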
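Review bot: In the hunk at -2330 of CRLIssuingPoint.java, nextUpdate and nextDeltaUpdate can both be assigned the single nextUpdateAsThisUpdateExtension object, so the existing nextUpdate.setTime(nextUpdate.getTime() + mNextUpdateGracePeriod) that follows the new block also shifts nextDeltaUpdate by the grace period. Give each variable its own instance, for example "nextDeltaUpdate = new Date(nextUpdateAsThisUpdateExtension.getTime());". Two further points in the same hunk: mNextDeltaUpdate is copied from nextDeltaUpdate on the line just above the new block and so never sees the extended value, which deserves a comment if it is intended; and the block only raises nextUpdate when it is earlier than thisUpdate plus the offset, with the grace period still added afterwards, so the field is a lower bound rather than the plain sum the patch description states. A sentence in the Javadoc for mNextAsThisUpdateExtension spelling out that behaviour would help whoever relies on nextUpdate for revocation freshness.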
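Review bot: In CMSCRLSettingPanel.java, the validation added in the hunk at -530 returns false when the new field is blank, which makes the option mandatory in the console even though the server treats it as optional with a default of 0 (config.getInteger(Constants.PR_NEXT_AS_THIS_EXTENSION, 0)). Consider accepting a blank field as 0, or confirm that refresh() always populates it for existing issuing points. The same hunk parses with Integer.parseInt while the server side uses Long.parseLong, so the console and the server accept different ranges. In the layout hunk at -279, the leftover "// gbc.gridx = 2;" line can be dropped.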
From: mharmsen at redhat.com (Matthew Harmsen) Date: Thu, 21 Mar 2013 17:28:23 -0700 Subject: [Pki-devel] [Patch] Option to include nextUpdate as an offset to thisUpdate In-Reply-To: <514BA4C1.4050604@redhat.com> References: <514BA4C1.4050604@redhat.com> Message-ID: <514BA5A7.80907@redhat.com> ACK. I received a demo of this patch. -- Matt On 03/21/13 17:24, Andrew Wnuk wrote: > This patch provides an option to generate CRLs with nextUpdate > calculated as sum of thisUpdate and an offset. > > Bug: 919556. > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From alee at redhat.com Fri Mar 22 13:58:21 2013 
From: alee at redhat.com (Ade Lee) Date: Fri, 22 Mar 2013 09:58:21 -0400 Subject: [Pki-devel] [PATCH] 38-3 Fixes for review comments for patch 38-2 In-Reply-To: <1363882027.10572.2.camel@akoneru.redhat.com> References: <1208818611.7223560.1363400428829.JavaMail.root@redhat.com> <1363705912.2221.40.camel@aleeredhat.laptop> <1363785358.2310.5.camel@akoneru.redhat.com> <1363844773.24235.5.camel@aleeredhat.laptop> <1363882027.10572.2.camel@akoneru.redhat.com> Message-ID: <1363960701.2588.0.camel@aleeredhat.laptop> ack On Thu, 2013-03-21 at 12:07 -0400, Abhishek Koneru wrote: > Fixed the review comments for 38-2. > Please review the patch so that it can be pushed. > > --Abhishek > > > On Thu, 2013-03-21 at 01:46 -0400, Ade Lee wrote: > > See comments below: > > > > On Wed, 2013-03-20 at 09:15 -0400, Abhishek Koneru wrote: > > > Please review the attached patch with fixes for review comments given > > > for patch 38. > > > > > > --Abhishek > > > > > > On Tue, 2013-03-19 at 11:11 -0400, Ade Lee wrote: > > > > Comments: > > > > > > > > 1. In pkispawn, in the section "KRA, OCSP, or TKS using default > > > > configuration": rather than explaining that myconfig.txt is the same as > > > > the above section with an additional parameter, it's clearer just to > > > > print out a new myconfig.txt as in the previous section. You still want > > > > to mention though that the security domain password is the same as the > > > > admin password for the CA. Note the typo "whick". > > > > > > > > 2. The line adding the signing subordinate DN is too long, partly > > > > because it repeats itself. Shorten to fit on line if possible. > > > > > > This line is still too long. Try to make it fit within 80 characters. > > You could shorten to cn=CA Subordinate Signing,o=example.com for > > example. > > > > > > > 3. Also in that section, there should be a note about the subordinate > > > > CA subject DN having to be different from the root CA signing subject > > > > DN. 
See a corresponding note in the "externally signed CA section" > > > > > > The note is fine - but add a line before the note to separate from the > > previous paragraph. > > > > > > 4. In sample.cfg, change the comment to: > > > > +##Required for all subsystems that are not root CAs > > > > > > > > 5. The sample files for KRA, TKS etc. like sampleKRA-OCSP-TKSclone.cfg > > > > are a little confusing. Rather pick one of these -- a KRA for > > > > instances and provide a sample instead. So in this case, > > > > [KRA/OCSP/TKS] -> [KRA] > > > > I still see the heading [KRA/OCSP/TKS] in your sample config files. > > > > > > > > > > On Fri, 2013-03-15 at 22:20 -0400, Abhishek Koneru wrote: > > > > > Please review the attached patch with fixes for incorrect information in pkispawn man page. > > > > > Also added the sample config files for different installations of pki subsystems. > > > > > > > > > > --Abhishek > > > > > _______________________________________________ > > > > > Pki-devel mailing list > > > > > Pki-devel at redhat.com > > > > > https://www.redhat.com/mailman/listinfo/pki-devel > > > > > > > > > > > > > > > > From alee at redhat.com Fri Mar 22 14:00:38 2013 
From: alee at redhat.com (Ade Lee) Date: Fri, 22 Mar 2013 10:00:38 -0400 Subject: [Pki-devel] [PATCH] 38-3 Fixes for review comments for patch 38-2 In-Reply-To: <1363960701.2588.0.camel@aleeredhat.laptop> References: <1208818611.7223560.1363400428829.JavaMail.root@redhat.com> <1363705912.2221.40.camel@aleeredhat.laptop> <1363785358.2310.5.camel@akoneru.redhat.com> <1363844773.24235.5.camel@aleeredhat.laptop> <1363882027.10572.2.camel@akoneru.redhat.com> <1363960701.2588.0.camel@aleeredhat.laptop> Message-ID: <1363960838.2588.1.camel@aleeredhat.laptop> Make sure to format the commit message so it fits in an 80 character wide screen. Ade On Fri, 2013-03-22 at 09:58 -0400, Ade Lee wrote: > ack > > On Thu, 2013-03-21 at 12:07 -0400, Abhishek Koneru wrote: > > Fixed the review comments for 38-2. > > Please review the patch so that it can be pushed. > > > > --Abhishek > > > > > > On Thu, 2013-03-21 at 01:46 -0400, Ade Lee wrote: > > > See comments below: > > > > > > On Wed, 2013-03-20 at 09:15 -0400, Abhishek Koneru wrote: > > > > Please review the attached patch with fixes for review comments given > > > > for patch 38. > > > > > > > > --Abhishek > > > > > > > > On Tue, 2013-03-19 at 11:11 -0400, Ade Lee wrote: > > > > > Comments: > > > > > > > > > > 1. In pkispawn, in the section "KRA, OCSP, or TKS using default > > > > > configuration": rather than explaining that myconfig.txt is the same as > > > > > the above section with an additional parameter, it's clearer just to > > > > > print out a new myconfig.txt as in the previous section. You still want > > > > > to mention though that the security domain password is the same as the > > > > > admin password for the CA. Note the typo "whick". > > > > > > > > > > 2. The line adding the signing subordinate DN is too long, partly > > > > > because it repeats itself. Shorten to fit on line if possible. > > > > > > > > This line is still too long. Try to make it fit within 80 characters. 
> > > You could shorten to cn=CA Subordinate Signing,o=example.com for > > > example. > > > > > > > > > 3. Also in that section, there should be a note about the subordinate > > > > > CA subject DN having to be different from the root CA signing subject > > > > > DN. See a corresponding note in the "externally signed CA section" > > > > > > > > The note is fine - but add a line before the note to separate from the > > > previous paragraph. > > > > > > > > 4. In sample.cfg, change the comment to: > > > > > +##Required for all subsystems that are not root CAs > > > > > > > > > > 5. The sample files for KRA, TKS etc. like sampleKRA-OCSP-TKSclone.cfg > > > > > are a little confusing. Rather pick one of these -- a KRA for > > > > > instances and provide a sample instead. So in this case, > > > > > [KRA/OCSP/TKS] -> [KRA] > > > > > > I still see the heading [KRA/OCSP/TKS] in your sample config files. > > > > > > > > > > > > > On Fri, 2013-03-15 at 22:20 -0400, Abhishek Koneru wrote: > > > > > > Please review the attached patch with fixes for incorrect information in pkispawn man page. > > > > > > Also added the sample config files for different installations of pki subsystems. > > > > > > > > > > > > --Abhishek > > > > > > _______________________________________________ > > > > > > Pki-devel mailing list > > > > > > Pki-devel at redhat.com > > > > > > https://www.redhat.com/mailman/listinfo/pki-devel > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From alee at redhat.com Fri Mar 22 14:29:21 2013 
From: alee at redhat.com (Ade Lee) Date: Fri, 22 Mar 2013 10:29:21 -0400 Subject: [Pki-devel] [PATCH] 220 Added CLI option to capture HTTP messages. In-Reply-To: <5148A148.7060601@redhat.com> References: <5148A148.7060601@redhat.com> Message-ID: <1363962561.2588.2.camel@aleeredhat.laptop> ACK On Tue, 2013-03-19 at 12:32 -0500, Endi Sukma Dewata wrote: > A new option has been added to the CLI to capture HTTP requests > and responses and store them in the specified folder. > > Ticket #523 > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From edewata at redhat.com Fri Mar 22 15:02:03 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 22 Mar 2013 10:02:03 -0500 Subject: [Pki-devel] [PATCH] 220 Added CLI option to capture HTTP messages. In-Reply-To: <1363962561.2588.2.camel@aleeredhat.laptop> References: <5148A148.7060601@redhat.com> <1363962561.2588.2.camel@aleeredhat.laptop> Message-ID: <514C726B.7010109@redhat.com> On 3/22/2013 9:29 AM, Ade Lee wrote: > ACK Pushed to master. -- Endi S. Dewata From edewata at redhat.com Fri Mar 22 15:15:49 2013 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 22 Mar 2013 10:15:49 -0500 Subject: [Pki-devel] [PATCH] 40 Catch the Keyboard interrupt during the execution of pkispawn In-Reply-To: <1363817306.2310.18.camel@akoneru.redhat.com> References: <1363817306.2310.18.camel@akoneru.redhat.com> Message-ID: <514C75A5.9050009@redhat.com> On 3/20/2013 5:08 PM, Abhishek Koneru wrote: > Please review the patch with fixes for ticket 536 - Catch the keyboard > interrupt during the execution of pkispawn and pkidestroy. Some comments: 1. Please add a short subject line in the comment like the other patches. 2. Any reason you use signal handler instead of try-except? 3. If we keep the signal handler, the signal.signal() invocation should be moved into the main program so it's easier to read. 4. Does it print a single blank line between the interrupted line and the 'canceled' message? See the example: https://fedorahosted.org/pki/ticket/536 5. The US spelling is 'canceled' instead of 'cancelled': http://grammarist.com/spelling/cancel/ I think in the future we'll provide a proper translation & spelling for each locale, but to be consistent for now let's use US spelling as the default. -- Endi S. Dewata From akoneru at redhat.com Fri Mar 22 15:16:31 2013 From: akoneru at redhat.com (Abhishek Koneru) Date: Fri, 22 Mar 2013 11:16:31 -0400 Subject: [Pki-devel] [PATCH] 41 Changed the password input in pkidestroy from command line to a file. The parameter is still optional. Trac ticket #502 Message-ID: <1363965391.2537.2.camel@akoneru.redhat.com> Please review the attached patch which adds a -W option replacing the -w option in pkidestroy. --Abhishek -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0041-Removed-the-w-security-domain-password-option-for-pk.patch Type: text/x-patch Size: 3339 bytes Desc: not available URL: From edewata at redhat.com Fri Mar 22 15:32:21 2013 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 22 Mar 2013 10:32:21 -0500 Subject: [Pki-devel] [PATCH] 41 Changed the password input in pkidestroy from command line to a file. The parameter is still optional. Trac ticket #502 In-Reply-To: <1363965391.2537.2.camel@akoneru.redhat.com> References: <1363965391.2537.2.camel@akoneru.redhat.com> Message-ID: <514C7985.6070805@redhat.com> On 3/22/2013 10:16 AM, Abhishek Koneru wrote: > Please review the attached patch which adds a -W password file> option replacing the -w > option in pkidestroy. Some comments: 1. Please add a short subject line in the comment like the other patches. 2. Let's use the US spelling 'canceled' as explained in the other patch. 3. Could you find out what the strip('[\']') is used for? In any case, the original code strips those characters from the password. The new code strips those characters from the file name, not the password. 4. Please use 'with' to open the file. See: https://fedorahosted.org/pki/ticket/560 -- Endi S. Dewata From jmagne at redhat.com Fri Mar 22 21:25:52 2013 From: jmagne at redhat.com (John Magne) Date: Fri, 22 Mar 2013 17:25:52 -0400 (EDT) Subject: [Pki-devel] Request for Review: Bug 904289 - Add ECC Support to Certificate Profiles In-Reply-To: <514B69E0.1020804@redhat.com> Message-ID: <1980087530.13590270.1363987552809.JavaMail.root@redhat.com> Changes look ok. ACK ----- Original Message ----- 
From: "Christina Fu" To: "pki-devel" Sent: Thursday, March 21, 2013 1:13:20 PM Subject: [Pki-devel] Request for Review: Bug 904289 - Add ECC Support to Certificate Profiles The following is the patch for Bug 904289 - Add ECC Support to Certificate Profiles https://bugzilla.redhat.com/attachment.cgi?id=714089&action=diff&context=patch&collapsed=&headers=1&format=raw Please review. thanks! Christina _______________________________________________ Pki-devel mailing list Pki-devel at redhat.com https://www.redhat.com/mailman/listinfo/pki-devel From alee at redhat.com Mon Mar 25 13:49:31 2013 From: alee at redhat.com (Ade Lee) Date: Mon, 25 Mar 2013 09:49:31 -0400 Subject: [Pki-devel] [PATCH] 8.1 - fresh install of CA has many 404's Message-ID: <1364219371.21683.3.camel@aleeredhat.laptop> Patch to fix 404's encountered on the CA and other subsystems on the 8.1 branch. This needs to be investigated as a separate ticket in the dogtag branch. There are still some 404's that are part of the CSS files. These will be addressed in a subsequent patch. This is in response to: https://bugzilla.redhat.com/show_bug.cgi?id=923414 ACKed by Jack Magne. Ade -------------- next part -------------- A non-text attachment was scrubbed... Name: foo2.patch Type: text/x-patch Size: 59564 bytes Desc: not available URL: From alee at redhat.com Mon Mar 25 15:22:21 2013 
From: alee at redhat.com (Ade Lee) Date: Mon, 25 Mar 2013 11:22:21 -0400 Subject: [Pki-devel] [PATCH] 8.1 - fix for CSS files Message-ID: <1364224941.21683.6.camel@aleeredhat.laptop> The CSS files contain references to image files that no longer exist. This is a patch to fix these references. Almost all the affected components in css files are not used. The ones that are used - systemBar, mainNav, dt -- are used in sendCookie, the security domain login, the installation wizard and the top level services link, and in 500/400 error pages. With the changes, these look just fine to me -- ie. exactly the same as before. Basically, all the images in the CSS files were missing. I removed the Background elements referring to them, unless they had a background color - in which case I kept only that bit. A more thorough cleanup - including removal of unused elements - is slated for D10.1 (ticket 567) Ade -------------- next part -------------- A non-text attachment was scrubbed... Name: bar2.patch Type: text/x-patch Size: 9231 bytes Desc: not available URL: From akoneru at redhat.com Mon Mar 25 17:48:02 2013 
From: akoneru at redhat.com (Abhishek Koneru) Date: Mon, 25 Mar 2013 13:48:02 -0400 Subject: [Pki-devel] [PATCH] 38-3 Fixes for review comments for patch 38-2 In-Reply-To: <1363960838.2588.1.camel@aleeredhat.laptop> References: <1208818611.7223560.1363400428829.JavaMail.root@redhat.com> <1363705912.2221.40.camel@aleeredhat.laptop> <1363785358.2310.5.camel@akoneru.redhat.com> <1363844773.24235.5.camel@aleeredhat.laptop> <1363882027.10572.2.camel@akoneru.redhat.com> <1363960701.2588.0.camel@aleeredhat.laptop> <1363960838.2588.1.camel@aleeredhat.laptop> Message-ID: <1364233682.3509.16.camel@akoneru.redhat.com> Formatted the commit message. Pushed to master. --Abhishek On Fri, 2013-03-22 at 10:00 -0400, Ade Lee wrote: > Make sure to format the commit message so it fits in an 80 character > wide screen. > > Ade > On Fri, 2013-03-22 at 09:58 -0400, Ade Lee wrote: > > ack > > > > On Thu, 2013-03-21 at 12:07 -0400, Abhishek Koneru wrote: > > > Fixed the review comments for 38-2. > > > Please review the patch so that it can be pushed. > > > > > > --Abhishek > > > > > > > > > On Thu, 2013-03-21 at 01:46 -0400, Ade Lee wrote: > > > > See comments below: > > > > > > > > On Wed, 2013-03-20 at 09:15 -0400, Abhishek Koneru wrote: > > > > > Please review the attached patch with fixes for review comments given > > > > > for patch 38. > > > > > > > > > > --Abhishek > > > > > > > > > > On Tue, 2013-03-19 at 11:11 -0400, Ade Lee wrote: > > > > > > Comments: > > > > > > > > > > > > 1. In pkispawn, in the section "KRA, OCSP, or TKS using default > > > > > > configuration": rather than explaining that myconfig.txt is the same as > > > > > > the above section with an additional parameter, it's clearer just to > > > > > > print out a new myconfig.txt as in the previous section. You still want > > > > > > to mention though that the security domain password is the same as the > > > > > > admin password for the CA. Note the typo "whick". > > > > > > > > > > > > 2. 
The line adding the signing subordinate DN is too long, partly > > > > > > because it repeats itself. Shorten to fit on line if possible. > > > > > > > > > > This line is still too long. Try to make it fit within 80 characters. > > > > You could shorten to cn=CA Subordinate Signing,o=example.com for > > > > example. > > > > > > > > > > > 3. Also in that section, there should be a note about the subordinate > > > > > > CA subject DN having to be different from the root CA signing subject > > > > > > DN. See a corresponding note in the "externally signed CA section" > > > > > > > > > > The note is fine - but add a line before the note to separate from the > > > > previous paragraph. > > > > > > > > > > 4. In sample.cfg, change the comment to: > > > > > > +##Required for all subsystems that are not root CAs > > > > > > > > > > > > 5. The sample files for KRA, TKS etc. like sampleKRA-OCSP-TKSclone.cfg > > > > > > are a little confusing. Rather pick one of these -- a KRA for > > > > > > instances and provide a sample instead. So in this case, > > > > > > [KRA/OCSP/TKS] -> [KRA] > > > > > > > > I still see the heading [KRA/OCSP/TKS] in your sample config files. > > > > > > > > > > > > > > > > On Fri, 2013-03-15 at 22:20 -0400, Abhishek Koneru wrote: > > > > > > > Please review the attached patch with fixes for incorrect information in pkispawn man page. > > > > > > > Also added the sample config files for different installations of pki subsystems. > > > > > > > > > > > > > > --Abhishek > > > > > > > _______________________________________________ > > > > > > > Pki-devel mailing list > > > > > > > Pki-devel at redhat.com > > > > > > > https://www.redhat.com/mailman/listinfo/pki-devel > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > Pki-devel mailing list > > Pki-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/pki-devel > > From jmagne at redhat.com Mon Mar 25 18:41:29 2013 
From: jmagne at redhat.com (John Magne) Date: Mon, 25 Mar 2013 14:41:29 -0400 (EDT) Subject: [Pki-devel] [PATCH] 8.1 - fix for CSS files In-Reply-To: <1364224941.21683.6.camel@aleeredhat.laptop> Message-ID: <2083219183.14488024.1364236889113.JavaMail.root@redhat.com> Looks fine: ACK ----- Original Message ----- From: "Ade Lee" To: pki-devel at redhat.com Sent: Monday, March 25, 2013 8:22:21 AM Subject: [Pki-devel] [PATCH] 8.1 - fix for CSS files The CSS files contain references to image files that no longer exist. This is a patch to fix these references. Almost all the affected components in css files are not used. The ones that are used - systemBar, mainNav, dt -- are used in sendCookie, the security domain login, the installation wizard and the top level services link, and in 500/400 error pages. With the changes, these look just fine to me -- ie. exactly the same as before. Basically, all the images in the CSS files were missing. I removed the Background elements referring to them, unless they had a background color - in which case I kept only that bit. A more thorough cleanup - including removal of unused elements - is slated for D10.1 (ticket 567) Ade _______________________________________________ Pki-devel mailing list Pki-devel at redhat.com https://www.redhat.com/mailman/listinfo/pki-devel From akoneru at redhat.com Mon Mar 25 20:04:28 2013 
From: akoneru at redhat.com (Abhishek Koneru)
Date: Mon, 25 Mar 2013 16:04:28 -0400
Subject: [Pki-devel] [PATCH] 40-2 Comments on patch 40 addressed
In-Reply-To: <514C75A5.9050009@redhat.com>
References: <1363817306.2310.18.camel@akoneru.redhat.com> <514C75A5.9050009@redhat.com>
Message-ID: <1364241868.3509.21.camel@akoneru.redhat.com>

Please review the attached patch.

On Fri, 2013-03-22 at 10:15 -0500, Endi Sukma Dewata wrote:
> On 3/20/2013 5:08 PM, Abhishek Koneru wrote:
> > Please review the patch with fixes for ticket 536 - Catch the keyboard
> > interrupt during the execution of pkispawn and pkidestroy.
>
> Some comments:
>
> 1. Please add a short subject line in the comment like the other patches.

Comment modified to have a short subject line

>
> 2. Any reason you use signal handler instead of try-except?
>
> 3. If we keep the signal handler, the signal.signal() invocation should
> be moved into the main program so it's easier to read.

Decided to go with signal handler rather than KeyboardInterrupt after discussing with Endi. Moved the handler invocation to main program.

>
> 4. Does it print a single blank line between the interrupted line and
> the 'canceled' message? See the example:
>
> https://fedorahosted.org/pki/ticket/536

Message follows the example in ticket.

>
> 5. The US spelling is 'canceled' instead of 'cancelled':
>
> http://grammarist.com/spelling/cancel/
>
> I think in the future we'll provide a proper translation & spelling for
> each locale, but to be consistent for now let's use US spelling as the
> default.
>

--Abhishek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0040-2-Handle-the-Keyboard-interrupt-gracefully.patch
Type: text/x-patch
Size: 2464 bytes
Desc: not available
URL:

From akoneru at redhat.com Mon Mar 25 20:10:02 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Mon, 25 Mar 2013 16:10:02 -0400
Subject: [Pki-devel] [PATCH] 41 -2 Fixes for review comments for Patch 41
In-Reply-To: <514C7985.6070805@redhat.com>
References: <1363965391.2537.2.camel@akoneru.redhat.com> <514C7985.6070805@redhat.com>
Message-ID: <1364242202.3509.25.camel@akoneru.redhat.com>

Please review the attached patch.

On Fri, 2013-03-22 at 10:32 -0500, Endi Sukma Dewata wrote:
> On 3/22/2013 10:16 AM, Abhishek Koneru wrote:
> > Please review the attached patch which adds a -W > password file> option replacing the -w
> > option in pkidestroy.
>
> Some comments:
>
> 1. Please add a short subject line in the comment like the other patches.

Modified the subject line.

>
> 2. Let's use the US spelling 'canceled' as explained in the other patch.
>

Done.

> 3. Could you find out what the strip('[\']') is used for? In any case,
> the original code strips those characters from the password. The new
> code strips those characters from the file name, not the password.
>

Not required when password is input using a file.

> 4. Please use 'with' to open the file. See:
>
> https://fedorahosted.org/pki/ticket/560
>

Used the with construct for file reading.

--Abhishek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0041-2-Change-how-the-password-is-passed-to-pkidestroy.patch
Type: text/x-patch
Size: 3049 bytes
Desc: not available
URL:

From akoneru at redhat.com Mon Mar 25 20:13:40 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Mon, 25 Mar 2013 16:13:40 -0400
Subject: [Pki-devel] [PATCH] 37-3 Fixes for review comments on [PATCH] 37 - 2
In-Reply-To: <487553338.13261889.1364236371407.JavaMail.root@redhat.com>
References: <487553338.13261889.1364236371407.JavaMail.root@redhat.com>
Message-ID: <1364242420.3509.26.camel@akoneru.redhat.com>

Removed the trailing whitespace. Pushed to master.

--Abhishek

On Mon, 2013-03-25 at 14:32 -0400, Endi Sukma Dewata wrote:
> Looks good to me. There's a trailing whitespace in the patch. Please fix before push.
>
> --
> Endi S. Dewata
>
> ----- Original Message -----
> > Please do a quick review of the attached patch with fixes made as per
> > our discussion on IRC.
> > Though Ade has ack'ed, would like to have the patch go through a
> > final
> > review as you have pointed out a mistake in the file path.
> >
> > The comments were:
> > 1. The file path specified where the user configuration is stored is
> > wrong. * It is corrected from /var/lib/pki/ > name>//deployment.cfg to
> > /etc/sysconfig/pki/tomcat/ > name>//deployment.cfg.
> >
> > 2. Removed the line : "-- When the -f is not
> > specified:".
> >
> > 3. Corrected the extra spaces in the line HTTP port under Tomcat
> > instance
> > section
> >
> > 4. Capitalize the HTTP, AJP, HTTPS in the description of those
> > fields.
> >
> > 5. Proper formatting of commit message - Done.
> >
> > --Abhishek
> >
> > On Wed, 2013-03-20 at 09:07 -0400, Abhishek Koneru wrote:
> > > Please find the fixes for review comments given for patch 37
> > > attached
> > > for review.
> > >
> > > --Abhishek
> > >
> > > On Tue, 2013-03-19 at 10:15 -0400, Ade Lee wrote:
> > > > Comments:
> > > >
> > > > 1. The commit message looks like it goes on continuously on a
> > > > single
> > > > line. This makes it difficult to see when doing a "git log".
> > > >
> > > > 2. The patch ends up adding several trailing whitespace errors.
> > > > Fix
> > > > these before checking in.
> > > >
> > > > 3. In pkidestroy man page, add the note about prompting for the
> > > > parameter under each parameter, rather than as a separate note.
> > > >
> > > > For example,
> > > > -s
> > > > Specifies the subsystem to be removed, where
> > > > is CA, KRA,
> > > > OCSP, or TKS. If this option is not specified,
> > > > pkidestroy will prompt
> > > > for its value.
> > > >
> > > > 4. Include documentation of the new password/ user options for
> > > > pkidestroy. You can do this in the other ticket you are working
> > > > on.
> > > >
> > > > 5. pkispawn:
> > > >
> > > > a) Move the section on interactive mode to before examples. It
> > > > should
> > > > be a heading at the same level as OPTIONS and EXAMPLES
> > > > b) Replace Dogtag with Certificate Server (all instances)
> > > > c) The subheadings do not look right. Change as follows. Note
> > > > that I
> > > > have removed the enclosing brackets. These headings should be in
> > > > bold.
> > > >
> > > > [Choosing a subsystem type to install] --> Subsystem Type
> > > > [Providing instance specific parameters] --> Instance Specific
> > > > Parameters
> > > > [Setting up the Administrator user] --> Administrative User
> > > > Parameters
> > > > [Specify the 389 Directory Server to be used for the internal
> > > > database]-> Directory Server Parameters
> > > > [Setting up the Security Domain properties]-> Security Domain
> > > > Parameters
> > > >
> > > > d) The security domain part should look like this:
> > > >
> > > > Security Domain Parameters
> > > >
> > > > Name:
> > > > the name of the security domain. Required only if installing
> > > > a root CA.
> > > > Default value: Security Domain.
> > > >
> > > > Hostname:
> > > > the hostname for the security domain CA. Required for all
> > > > non-CA subsystems.
> > > > The default value is the hostname of this system.
> > > > Secure HTTP port:
> > > > the https port for the security domain. Required for all
> > > > non-CA subsystems.
> > > > The default value is 8443.
> > > > Username:
> > > > the username of the security domain administrator. Required
> > > > for all non-CA subsystems.
> > > > The default value is caadmin.
> > > > Password:
> > > > password for the security domain administrator. Required
> > > > for all non-CA subsystems.
> > > >
> > > > e) Do not bold or italicize any default values. [8080] -> 8080
> > > >
> > > >
> > > > On Fri, 2013-03-15 at 11:00 -0400, Abhishek Koneru wrote:
> > > > > Please review the attached patch w.r.t the trac ticket 471 to
> > > > > add
> > > > > information regarding interactive mode installation to
> > > > > pkispawn/pkidestroy man pages.
> > > > >
> > > > > --Abhishek
> > > > > _______________________________________________
> > > > > Pki-devel mailing list
> > > > > Pki-devel at redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/pki-devel
> > > >
> > > >
> > >
> > > _______________________________________________
> > > Pki-devel mailing list
> > > Pki-devel at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-devel
> > >
> > >

From akoneru at redhat.com Tue Mar 26 16:50:53 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Tue, 26 Mar 2013 12:50:53 -0400
Subject: [Pki-devel] [PATCH] 42 Separate python deployment engine source code from python scriptlets code Trac ticket #521
Message-ID: <1364316653.2172.3.camel@akoneru.redhat.com>

Please review the attached patch which deals with the trac ticket 521.

--Abhishek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0042-Separate-folder-for-python-deployment-engine-source-.patch
Type: text/x-patch
Size: 10491 bytes
Desc: not available
URL:

From edewata at redhat.com Tue Mar 26 18:53:32 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 26 Mar 2013 13:53:32 -0500
Subject: [Pki-devel] [PATCH] 40-2 Comments on patch 40 addressed
In-Reply-To: <1364241868.3509.21.camel@akoneru.redhat.com>
References: <1363817306.2310.18.camel@akoneru.redhat.com> <514C75A5.9050009@redhat.com> <1364241868.3509.21.camel@akoneru.redhat.com>
Message-ID: <5151EEAC.3080507@redhat.com>

On 3/25/2013 3:04 PM, Abhishek Koneru wrote:
> Please review the attached patch.

A few more things: The signal handler in pkidestroy says 'Installation'
instead of 'Uninstallation'. There are some trailing whitespaces.

Other than that it's ACKed. Please fix before push.

--
Endi S. Dewata

From edewata at redhat.com Tue Mar 26 18:53:52 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 26 Mar 2013 13:53:52 -0500
Subject: [Pki-devel] [PATCH] 41 -2 Fixes for review comments for Patch 41
In-Reply-To: <1364242202.3509.25.camel@akoneru.redhat.com>
References: <1363965391.2537.2.camel@akoneru.redhat.com> <514C7985.6070805@redhat.com> <1364242202.3509.25.camel@akoneru.redhat.com>
Message-ID: <5151EEC0.3060200@redhat.com>

On 3/25/2013 3:10 PM, Abhishek Koneru wrote:
> Please review the attached patch.

A few more things: The -u and -W options should be added into the
SYNOPSIS section. The patch also needs a rebase. The trailing whitespace
should be removed. The 'Conflicts' log message should be removed as well.

Other than that it's ACKed. Please fix before push.

--
Endi S. Dewata

From akoneru at redhat.com Tue Mar 26 19:36:20 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Tue, 26 Mar 2013 15:36:20 -0400
Subject: [Pki-devel] [PATCH] 40-2 Comments on patch 40 addressed
In-Reply-To: <5151EEAC.3080507@redhat.com>
References: <1363817306.2310.18.camel@akoneru.redhat.com> <514C75A5.9050009@redhat.com> <1364241868.3509.21.camel@akoneru.redhat.com> <5151EEAC.3080507@redhat.com>
Message-ID: <1364326580.2172.4.camel@akoneru.redhat.com>

Fixed the comments, pushed to master.

--Abhishek

On Tue, 2013-03-26 at 13:53 -0500, Endi Sukma Dewata wrote:
> On 3/25/2013 3:04 PM, Abhishek Koneru wrote:
> > Please review the attached patch.
>
> A few more things: The signal handler in pkidestroy says 'Installation'
> instead of 'Uninstallation'. There are some trailing whitespaces.
>
> Other than that it's ACKed. Please fix before push.
>

From akoneru at redhat.com Tue Mar 26 19:36:51 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Tue, 26 Mar 2013 15:36:51 -0400
Subject: [Pki-devel] [PATCH] 41 -2 Fixes for review comments for Patch 41
In-Reply-To: <5151EEC0.3060200@redhat.com>
References: <1363965391.2537.2.camel@akoneru.redhat.com> <514C7985.6070805@redhat.com> <1364242202.3509.25.camel@akoneru.redhat.com> <5151EEC0.3060200@redhat.com>
Message-ID: <1364326611.2172.5.camel@akoneru.redhat.com>

Fixed the comments, pushed to master.

--Abhishek

On Tue, 2013-03-26 at 13:53 -0500, Endi Sukma Dewata wrote:
> On 3/25/2013 3:10 PM, Abhishek Koneru wrote:
> > Please review the attached patch.
>
> A few more things: The -u and -W options should be added into the
> SYNOPSIS section. The patch also needs a rebase. The trailing whitespace
> should be removed. The 'Conflicts' log message should be removed as well.
>
> Other than that it's ACKed. Please fix before push.
>

From alee at redhat.com Tue Mar 26 19:38:33 2013
From: alee at redhat.com (Ade Lee)
Date: Tue, 26 Mar 2013 15:38:33 -0400
Subject: [Pki-devel] [PATCH] one more 8.1 patch for 404 issues
Message-ID: <1364326713.18613.27.camel@aleeredhat.laptop>

This one is for the TPS and RA. For the TPS, these show up in the config wizard and the top level services page. For the RA, these show up on every page -- even if the elements are not used.

Ade

-------------- next part --------------
A non-text attachment was scrubbed...
Name: baz.patch
Type: text/x-patch
Size: 18439 bytes
Desc: not available
URL:

From jmagne at redhat.com Tue Mar 26 20:11:49 2013
From: jmagne at redhat.com (John Magne)
Date: Tue, 26 Mar 2013 16:11:49 -0400 (EDT)
Subject: [Pki-devel] [PATCH] one more 8.1 patch for 404 issues
In-Reply-To: <1364326713.18613.27.camel@aleeredhat.laptop>
Message-ID: <277040264.15329039.1364328709697.JavaMail.root@redhat.com>

Uses same method as before. ACK

----- Original Message -----
From: "Ade Lee"
To: pki-devel at redhat.com
Sent: Tuesday, March 26, 2013 12:38:33 PM
Subject: [Pki-devel] [PATCH] one more 8.1 patch for 404 issues

This one is for the TPS and RA. For the TPS, these show up in the config wizard and the top level services page. For the RA, these show up on every page -- even if the elements are not used.

Ade

_______________________________________________
Pki-devel mailing list
Pki-devel at redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

From akoneru at redhat.com Wed Mar 27 16:27:27 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Wed, 27 Mar 2013 12:27:27 -0400
Subject: [Pki-devel] [PATCH] 43 Fix for PKCS10Client throwing NoCLassDefError - Trac ticket 549
Message-ID: <1364401647.14010.5.camel@akoneru.redhat.com>

Please review the patch with fix for trac ticket 549. The solution can
be found in the comment section by Endi.

The issue was due to the invocation of server side methods in client
side.

--Abhishek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0043-Change-calls-CMS.AtoB-and-CMS.BtoA-on-client-side.patch
Type: text/x-patch
Size: 3538 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Mar 27 19:16:55 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 27 Mar 2013 14:16:55 -0500
Subject: [Pki-devel] [PATCH] 224 Updated version number to 10.0.2-0.1.
Message-ID: <515345A7.8090401@redhat.com>

The compose scripts and RPM specs have been updated to use version
10.0.2-0.1.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0224-Updated-version-number-to-10.0.2-0.1.patch
Type: text/x-patch
Size: 14662 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Mar 27 21:47:16 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 27 Mar 2013 16:47:16 -0500
Subject: [Pki-devel] [PATCH] 43 Fix for PKCS10Client throwing NoCLassDefError - Trac ticket 549
In-Reply-To: <1364401647.14010.5.camel@akoneru.redhat.com>
References: <1364401647.14010.5.camel@akoneru.redhat.com>
Message-ID: <515368E4.4030103@redhat.com>

On 3/27/2013 11:27 AM, Abhishek Koneru wrote:
> Please review the patch with fix for trac ticket 549. The solution can
> be found in the comment section by Endi.
>
> The issue was due to the invocation of server side methods in client
> side.

ACK.

--
Endi S. Dewata

From akoneru at redhat.com Thu Mar 28 13:39:57 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Thu, 28 Mar 2013 09:39:57 -0400
Subject: [Pki-devel] [PATCH] 43 Fix for PKCS10Client throwing NoCLassDefError - Trac ticket 549
In-Reply-To: <515368E4.4030103@redhat.com>
References: <1364401647.14010.5.camel@akoneru.redhat.com> <515368E4.4030103@redhat.com>
Message-ID: <1364477997.30952.0.camel@akoneru.redhat.com>

Thanks Endi. Pushed to Master.

--Abhishek

On Wed, 2013-03-27 at 16:47 -0500, Endi Sukma Dewata wrote:
> On 3/27/2013 11:27 AM, Abhishek Koneru wrote:
> > Please review the patch with fix for trac ticket 549. The solution can
> > be found in the comment section by Endi.
> >
> > The issue was due to the invocation of server side methods in client
> > side.
>
> ACK.
>

From alee at redhat.com Thu Mar 28 14:35:25 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 28 Mar 2013 10:35:25 -0400
Subject: [Pki-devel] [PATCH] 224 Updated version number to 10.0.2-0.1.
In-Reply-To: <515345A7.8090401@redhat.com>
References: <515345A7.8090401@redhat.com>
Message-ID: <1364481325.2427.0.camel@localhost.localdomain>

ACK

On Wed, 2013-03-27 at 14:16 -0500, Endi Sukma Dewata wrote:
> The compose scripts and RPM specs have been updated to use version
> 10.0.2-0.1.
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From akoneru at redhat.com Thu Mar 28 17:55:46 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Thu, 28 Mar 2013 13:55:46 -0400
Subject: [Pki-devel] [PATCH] 44 Change the timeout implementation to be based on time Ticket 563
Message-ID: <1364493346.30952.4.camel@akoneru.redhat.com>

Please review the patch with fixes for ticket 563.

This patch also has a small miscellaneous addition to pkidestroy man page SYNOPSIS section, adding the -u and -W option to it.

--Abhishek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0044-Change-timeout-from-number-of-tries-to-total-time.patch
Type: text/x-patch
Size: 2371 bytes
Desc: not available
URL:

From akoneru at redhat.com Thu Mar 28 18:31:22 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Thu, 28 Mar 2013 14:31:22 -0400
Subject: [Pki-devel] [PATCH] 45 Remove pki_backup_password from examples in pkispawn man page. Ticket #465
Message-ID: <1364495482.30952.6.camel@akoneru.redhat.com>

Please review the patch with a minor change in pkispawn man page.

--Abhishek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0045-Remove-pki_backup_password-from-examples-in-pkispwan.patch
Type: text/x-patch
Size: 3233 bytes
Desc: not available
URL:
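
Review comments 3 and 4 on patch 41 earlier in this thread (what `strip('[\']')` does, and opening the `-W` password file with `with`), shown as an added example that is not the pkidestroy code and not part of any message. The helper names `strip_brackets` and `read_password_file`, the sample password and file name, and the file-mode check are assumptions made for illustration.

```python
import os
import stat
import tempfile


def strip_brackets(value):
    """The call questioned in the review: str.strip("[']") removes every
    leading and trailing '[', "'" or ']' character, not a literal substring."""
    return value.strip("[']")


def read_password_file(path):
    """Return the password stored on the first line of `path`.

    Hypothetical helper, not pkidestroy's implementation. The mode check
    is an assumption added here; the thread does not say pkidestroy does it.
    """
    # 'with' closes the file even if a check below raises (review comment 4).
    with open(path, "r") as f:
        # fstat() the open descriptor so the check covers the file being read.
        mode = os.fstat(f.fileno()).st_mode
        if not stat.S_ISREG(mode):
            raise ValueError("password file is not a regular file")
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError("password file is accessible to group/other")
        line = f.readline()
    # Drop only the line terminator; every other character is part of the secret.
    password = line.rstrip("\r\n")
    if not password:
        raise ValueError("password file is empty")
    return password


def demo():
    """Run both behaviours on constructed sample data."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "password[1]")   # constructed file name
    secret = "[Secret.123]"                        # constructed password
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret + "\n")
    try:
        return {
            "from_file": read_password_file(path),
            "stripped_password": strip_brackets(secret),
            "stripped_name": os.path.basename(strip_brackets(path)),
        }
    finally:
        os.remove(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", repr(value))
```

The bracketed password comes back intact from the file, while the same `strip` call would have shortened both that password and the file name.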