From edewata at redhat.com Fri Jul 1 00:06:16 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 Jun 2016 19:06:16 -0500
Subject: [Pki-devel] [pki-devel][PATCH 0003] Added condition for checking instance id in kra commands
In-Reply-To: 
References: 
Message-ID: <995819d4-7481-a999-62ce-ec2eea40978a@redhat.com>

On 6/30/2016 5:09 AM, Abhijeet Kasurde wrote:
> Hi All,
>
> Please review this patch.
>
> Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
>
> --
> Thanks,
> Abhijeet Kasurde

Thanks! Pushed to master with some changes:

1. The original code was supposed to normalize the token name, so if it's
   'internal' or 'Internal Key Storage Token' it will be normalized to None.
   If the token name is None we don't add -h when calling certutil since by
   default certutil will use the internal token. There's a bug in
   PKIInstance.get_token_password() though. If the caller specifies the
   token parameter to be None explicitly, it won't get the default value of
   'internal'. The method has been fixed to check for a None value.

2. The code that catches CalledProcessError has been moved into the main
   program (i.e. pki-server) so similar errors will be handled more
   consistently.

3. Some error messages are changed for consistency.

--
Endi S. Dewata

From edewata at redhat.com Fri Jul 1 00:10:56 2016
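The token normalization and the explicit-None defect in get_token_password() described in the reply above, as an added Python example that is not Dogtag's own code: PKIInstanceStub, the 'hardware-<token>' password names and the sample passwords are hypothetical stand-ins for pki.server.PKIInstance and its password.conf entries.

```python
# Added example, not Dogtag's code: token-name normalization for certutil
# and the explicit-None defect in get_token_password() described above.
# PKIInstanceStub and the 'hardware-<token>' password names are hypothetical
# stand-ins for pki.server.PKIInstance and its password.conf entries.

INTERNAL_TOKEN_NAMES = ('internal', 'Internal Key Storage Token')


def normalize_token(token):
    """Return None for the NSS internal token (either alias), else the name."""
    if token is None or token.strip() in INTERNAL_TOKEN_NAMES:
        return None
    return token


def certutil_args(nssdb_dir, token, nickname):
    """Build a certutil -L invocation; -h is added only for a non-internal
    token, because certutil defaults to the internal token without it."""
    token = normalize_token(token)
    args = ['certutil', '-L', '-d', nssdb_dir, '-n', nickname]
    if token is not None:
        args.extend(['-h', token])
    return args


class PKIInstanceStub:
    """Hypothetical stand-in holding parsed password.conf entries."""

    def __init__(self, passwords):
        self.passwords = passwords

    def get_token_password_buggy(self, token='internal'):
        """Pre-fix behaviour: the default applies only when the argument is
        omitted, so an explicit token=None looks up 'hardware-None'."""
        if token in INTERNAL_TOKEN_NAMES:
            name = 'internal'
        else:
            name = 'hardware-%s' % token
        return self.passwords.get(name)

    def get_token_password(self, token=None):
        """Fixed: None and both internal aliases map to the 'internal' entry."""
        if normalize_token(token) is None:
            name = 'internal'
        else:
            name = 'hardware-%s' % token
        return self.passwords.get(name)


# Constructed sample: one internal password and one HSM token password.
SAMPLE_INSTANCE = PKIInstanceStub({'internal': 'int-pw',
                                   'hardware-hsm-token': 'hsm-pw'})
```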
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 Jun 2016 19:10:56 -0500
Subject: [Pki-devel] [PATCH 0004] Updated notification message for kra-db-vlv-del command
In-Reply-To: <9132056b-45e7-ed19-429d-bd6759cc1e04@redhat.com>
References: <9132056b-45e7-ed19-429d-bd6759cc1e04@redhat.com>
Message-ID: <2eb28354-12e9-25fc-572d-219c99221d51@redhat.com>

On 6/30/2016 6:29 AM, Abhijeet Kasurde wrote:
> Hi All,
>
> Please review this patch,
>
> Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
>
> --
> Thanks,
> Abhijeet Kasurde

Thanks! Pushed to master with some changes to return error code 1 if the
KRA is missing.

--
Endi S. Dewata

From ftweedal at redhat.com Fri Jul 1 00:21:29 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 1 Jul 2016 10:21:29 +1000
Subject: [Pki-devel] [PATCH] 0127 Fix build on Fedora 25
In-Reply-To: <995469c7-944f-9fbd-dac1-ad07d146b942@redhat.com>
References: <20160628062950.GX4200@dhcp-40-8.bne.redhat.com> <995469c7-944f-9fbd-dac1-ad07d146b942@redhat.com>
Message-ID: <20160701002129.GW4200@dhcp-40-8.bne.redhat.com>

On Thu, Jun 30, 2016 at 11:21:12AM -0500, Endi Sukma Dewata wrote:
> On 6/28/2016 1:29 AM, Fraser Tweedale wrote:
> > The attached patch fixes build on Fedora 25 (JAX-RS API JAR had
> > moved). It also removes a bunch of redundant find_file directives.
> > This can probably be done for many other JARs but I've kept it to
> > just the one for now.
> >
> > No urgency to get this in.
> >
> > Cheers,
> > Fraser
>
> I suppose this is a fix for this ticket?
> https://fedorahosted.org/pki/ticket/2373
>
> If so please assign the ticket to yourself and add a reference to this
> ticket in the patch description.
>
> The build still works on F23 & F24, so I think it's safe to push. ACK.
>
Thanks; I did not know about that ticket. Added ticket reference to
commit message and pushed to master
(3fdc686c9a4bab492d50cef707beef1f5f043153).

Cheers,
Fraser

From ftweedal at redhat.com Fri Jul 1 00:36:43 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 1 Jul 2016 10:36:43 +1000
Subject: [Pki-devel] [PATCH] 0126 Respond 400 if lightweight CA cert issuance fails
In-Reply-To: <9cb95875-612d-7138-3f43-5b1e4ba8749b@redhat.com>
References: <20160628025203.GW4200@dhcp-40-8.bne.redhat.com> <9cb95875-612d-7138-3f43-5b1e4ba8749b@redhat.com>
Message-ID: <20160701003643.GX4200@dhcp-40-8.bne.redhat.com>

On Thu, Jun 30, 2016 at 10:49:12AM -0500, Endi Sukma Dewata wrote:
> On 6/27/2016 9:52 PM, Fraser Tweedale wrote:
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2388.
> > Wanted for 10.3.4.
> >
> > Thanks,
> > Fraser
>
> Two things:
>
> 1. I don't think the patch author is correct :)
>
Hah, yikes! I think I accidentally squashed something and didn't notice
the author had changed after I fixed it up :)

> 2. Existing issue, but while you're there could you chain the original
> exception to the ECAException?
>
Yep, done. Pushed to master (c7f9e6c4e0711dfafc81d201dcfadee3e0efa335)

Cheers,
Fraser

> Assuming they're addressed, ACK.
>

From ftweedal at redhat.com Fri Jul 1 00:52:03 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 1 Jul 2016 10:52:03 +1000
Subject: [Pki-devel] [PATCH] 0125 AuthInfoAccess: use default OCSP URI if configured
In-Reply-To: <2f30c098-e820-3a54-4b1a-c5b662a7f5eb@redhat.com>
References: <20160627063810.GT4200@dhcp-40-8.bne.redhat.com> <2f30c098-e820-3a54-4b1a-c5b662a7f5eb@redhat.com>
Message-ID: <20160701005203.GY4200@dhcp-40-8.bne.redhat.com>

On Thu, Jun 30, 2016 at 10:30:53AM -0500, Endi Sukma Dewata wrote:
> On 6/27/2016 1:38 AM, Fraser Tweedale wrote:
> > Attached patch fixes https://fedorahosted.org/pki/ticket/2387
> > (wanted for 10.3.4).
> >
> > Thanks,
> > Fraser
>
> Just one thing, maybe we should add a blank pki_default_ocsp_uri under the
> [CA] section in the default.cfg so people know about this parameter?
>
> Regardless, it's ACKed.
>
Thanks Endi. I added the blank config to default.cfg along with some
commentary. Pushed to master (ca8edcd504ab81dbc30547c3c59a51fe98ff21cf).

Cheers,
Fraser

From ftweedal at redhat.com Fri Jul 1 01:19:05 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 1 Jul 2016 11:19:05 +1000
Subject: [Pki-devel] [PATCH] 0124 Add profiles container to LDAP if missing
In-Reply-To: <4c87b044-bf00-8de0-ac99-27866b67eac5@redhat.com>
References: <20160622095315.GI4200@dhcp-40-8.bne.redhat.com> <4c87b044-bf00-8de0-ac99-27866b67eac5@redhat.com>
Message-ID: <20160701011905.GZ4200@dhcp-40-8.bne.redhat.com>

On Thu, Jun 30, 2016 at 10:10:32AM -0500, Endi Sukma Dewata wrote:
> On 6/22/2016 4:53 AM, Fraser Tweedale wrote:
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2285.
> > See commit message and bz1323400[1] for full history and details.
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1323400
> >
> > The fix should be merged to master and DOGTAG_10_2_BRANCH, and a new
> > 10.2.x release cut for f23.
> >
> > I have an f23 COPR build containing the fix for anyone wishing to
> > test:
> > https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/packages/
> >
> > Huge props to Adam Williamson for doing a lot of legwork in tracking
> > down the cause of this issue.
> >
> > Thanks,
> > Fraser
>
> ACK. When we have a proper database upgrade method we should consider
> converting this code into an upgrade script.
>
Thanks; pushed:

master               2dea243d51765e3a8f01f7680592143c842921ce
DOGTAG_10_2_BRANCH   c34d326712940524419d65c6cb6cc9653221362b
DOGTAG_10_2_6_BRANCH f0d036feb9604cc656b3b8ae46c822bec14e6ac8

From edewata at redhat.com Fri Jul 1 01:38:57 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 Jun 2016 20:38:57 -0500
Subject: [Pki-devel] [PATCH] 781 Added instance and subsystem validation for pki-server ca-* commands.
Message-ID: 

The pki-server ca-* commands have been modified to validate the instance
and the CA subsystem before proceeding with the operation.

The usage() methods and invocations have been renamed into print_help()
for consistency.

https://fedorahosted.org/pki/ticket/2364

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0781-Added-instance-and-subsystem-validation-for-pki-serv.patch
Type: text/x-patch
Size: 4925 bytes
Desc: not available
URL: 

From edewata at redhat.com Fri Jul 1 02:17:07 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 Jun 2016 21:17:07 -0500
Subject: [Pki-devel] [PATCH] 782 Removed excessive error message in pki CLI.
Message-ID: 

A recent change in the pki CLI caused an excessive error message in
normal usage. The change has been reverted.

https://fedorahosted.org/pki/ticket/2390

Pushed under one-liner/trivial rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0782-Removed-excessive-error-message-in-pki-CLI.patch
Type: text/x-patch
Size: 965 bytes
Desc: not available
URL: 

From ftweedal at redhat.com Fri Jul 1 04:07:47 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 1 Jul 2016 14:07:47 +1000
Subject: [Pki-devel] [PATCH] 780 Fixed pki-server subsystem-cert-update.
In-Reply-To: 
References: 
Message-ID: <20160701040747.GD4200@dhcp-40-8.bne.redhat.com>

On Wed, Jun 29, 2016 at 11:19:46AM -0500, Endi Sukma Dewata wrote:
> The pki-server subsystem-cert-update is supposed to restore the
> system certificate data and requests into CS.cfg. The command was
> broken since the CASubsystem class that contains the code to find
> the certificate requests from the database was not loaded correctly.
> To fix the problem the CASubsystem class has been moved into
> pki/server/__init__.py.
>
> All pki-server subsystem-* commands have been modified to check
> the validity of the instance.
>
> An option has been added to the pki-server subsystem-cert-show
> command to display the data and request of a particular system
> certificate.
>
> The redundant output of the pki-server subsystem-cert-update has
> been removed. The updated certificate data and request can be
> obtained using the pki-server subsystem-cert-show command.
>
> https://fedorahosted.org/pki/ticket/2385
>
ACK; pushed to master (67bbdc5edd1404f89e638037599b4231f50490f8).

Thanks,
Fraser

From ftweedal at redhat.com Fri Jul 1 04:13:23 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 1 Jul 2016 14:13:23 +1000
Subject: [Pki-devel] [PATCH] 781 Added instance and subsystem validation for pki-server ca-* commands.
In-Reply-To: 
References: 
Message-ID: <20160701041323.GE4200@dhcp-40-8.bne.redhat.com>

On Thu, Jun 30, 2016 at 08:38:57PM -0500, Endi Sukma Dewata wrote:
> The pki-server ca-* commands have been modified to validate
> the instance and the CA subsystem before proceeding with the
> operation.
>
> The usage() methods and invocations have been renamed into
> print_help() for consistency.
>
> https://fedorahosted.org/pki/ticket/2364
>
> --
> Endi S. Dewata
>
ACK; pushed to master (f8310a4ff306d28cf25ec71693a2e89c5323564d).

There are still lots of pki-server commands that fail if an invalid
subsystem is given, e.g.:

    # pki-server subsystem-cert-find kra

    AttributeError: 'NoneType' object has no attribute 'find_system_certs'

But that can be addressed separately in a future patch.

Thanks,
Fraser

From akasurde at redhat.com Fri Jul 1 04:15:27 2016
From: akasurde at redhat.com (Abhijeet Kasurde)
Date: Fri, 1 Jul 2016 09:45:27 +0530
Subject: [Pki-devel] [PATCH] 781 Added instance and subsystem validation for pki-server ca-* commands.
In-Reply-To: <20160701041323.GE4200@dhcp-40-8.bne.redhat.com>
References: <20160701041323.GE4200@dhcp-40-8.bne.redhat.com>
Message-ID: 

Hi Fraser, All,

I am working on some of the error messages in pki-*; you can track this
under this BZ - https://bugzilla.redhat.com/show_bug.cgi?id=1351295

On 07/01/2016 09:43 AM, Fraser Tweedale wrote:
> On Thu, Jun 30, 2016 at 08:38:57PM -0500, Endi Sukma Dewata wrote:
>> The pki-server ca-* commands have been modified to validate
>> the instance and the CA subsystem before proceeding with the
>> operation.
>>
>> The usage() methods and invocations have been renamed into
>> print_help() for consistency.
>>
>> https://fedorahosted.org/pki/ticket/2364
>>
>> --
>> Endi S. Dewata
>>
> ACK; pushed to master (f8310a4ff306d28cf25ec71693a2e89c5323564d).
>
> There are still lots of pki-server commands that fail if invalid
> subsystem given, e.g.:
>
> # pki-server subsystem-cert-find kra
>
> AttributeError: 'NoneType' object has no attribute 'find_system_certs'
>
> But that can be addressed separately in future patch.
>
> Thanks,
> Fraser
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io

From akasurde at redhat.com Fri Jul 1 05:32:48 2016
From: akasurde at redhat.com (Abhijeet Kasurde)
Date: Fri, 1 Jul 2016 11:02:48 +0530
Subject: [Pki-devel] [PATCH 0005-0008] Misc. fixes for pki-server commands
Message-ID: 

Hi All,

Please review these patches.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akasurde-0008-Updated-notification-message-for-TPS-subsystem-comma.patch
Type: text/x-patch
Size: 3754 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akasurde-0007-Updated-notification-message-for-TKS-subsystem-comma.patch
Type: text/x-patch
Size: 1268 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akasurde-0006-Updated-notification-message-for-OCSP-subsystem-comm.patch
Type: text/x-patch
Size: 1274 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akasurde-0005-Updated-notification-message-for-kra-db-vlv-command.patch
Type: text/x-patch
Size: 3906 bytes
Desc: not available
URL: 

From mharmsen at redhat.com Fri Jul 1 06:50:47 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 1 Jul 2016 00:50:47 -0600
Subject: [Pki-devel] Karma Request for Dogtag 10.2.6 on Fedora 23
Message-ID: <577612C7.3080101@redhat.com>

The following bug has been addressed in Fedora 23:

* Bugzilla Bug #1323400 - freeipa fails to start correctly after pki-core
  update on upgraded system

Please provide Karma for the following Fedora 23 build located in Bodhi at:

* https://bodhi.fedoraproject.org/updates/FEDORA-2016-188c172b10
  pki-core-10.2.6-20.fc23

Thanks,
-- Matt

From akasurde at redhat.com Fri Jul 1 09:25:51 2016
From: akasurde at redhat.com (Abhijeet Kasurde)
Date: Fri, 1 Jul 2016 14:55:51 +0530
Subject: [Pki-devel] [PATCH 0005-0008] Misc. fixes for pki-server commands
In-Reply-To: 
References: 
Message-ID: <55387bda-e6f5-6cbd-bec9-6fd49fa32f48@redhat.com>

Hi All,

Please find the updated PATCH 0005.

On 07/01/2016 11:02 AM, Abhijeet Kasurde wrote:
>
> Hi All,
>
> Please review these patches.
>
> Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
>
> --
> Thanks,
> Abhijeet Kasurde
>
> IRC: akasurde
> http://akasurde.github.io

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akasurde-0005-1-Updated-notification-message-for-kra-db-vlv-command.patch
Type: text/x-patch
Size: 3929 bytes
Desc: not available
URL: 

From akasurde at redhat.com Fri Jul 1 10:03:56 2016
From: akasurde at redhat.com (Abhijeet Kasurde)
Date: Fri, 1 Jul 2016 15:33:56 +0530
Subject: [Pki-devel] [PATCH 0009] More misc. fixes for pki-server commands
Message-ID: 

Hi All,

Please find the patch for review.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akasurde-0009-Updated-notification-message-for-DB-subsystem-comman.patch
Type: text/x-patch
Size: 2651 bytes
Desc: not available
URL: 

From edewata at redhat.com Fri Jul 1 14:42:17 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 1 Jul 2016 09:42:17 -0500
Subject: [Pki-devel] [PATCH] 780 Fixed pki-server subsystem-cert-update.
In-Reply-To: <20160701040747.GD4200@dhcp-40-8.bne.redhat.com>
References: <20160701040747.GD4200@dhcp-40-8.bne.redhat.com>
Message-ID: <0d83f10c-0eaa-a803-09dd-d8d3170f327f@redhat.com>

On 6/30/2016 11:07 PM, Fraser Tweedale wrote:
> ACK; pushed to master (67bbdc5edd1404f89e638037599b4231f50490f8).

Thanks!

--
Endi S. Dewata

From edewata at redhat.com Fri Jul 1 14:42:20 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 1 Jul 2016 09:42:20 -0500
Subject: [Pki-devel] [PATCH] 781 Added instance and subsystem validation for pki-server ca-* commands.
In-Reply-To: <20160701041323.GE4200@dhcp-40-8.bne.redhat.com>
References: <20160701041323.GE4200@dhcp-40-8.bne.redhat.com>
Message-ID: 

On 6/30/2016 11:13 PM, Fraser Tweedale wrote:
> ACK; pushed to master (f8310a4ff306d28cf25ec71693a2e89c5323564d).
>
> There are still lots of pki-server commands that fail if invalid
> subsystem given, e.g.:
>
> # pki-server subsystem-cert-find kra
>
> AttributeError: 'NoneType' object has no attribute 'find_system_certs'
>
> But that can be addressed separately in future patch.
>
> Thanks,
> Fraser

Thanks! I'll be looking at Abhijeet's patches.

--
Endi S. Dewata

From edewata at redhat.com Fri Jul 1 17:20:52 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 1 Jul 2016 12:20:52 -0500
Subject: [Pki-devel] [PATCH 0005-0008] Misc. fixes for pki-server commands
In-Reply-To: <55387bda-e6f5-6cbd-bec9-6fd49fa32f48@redhat.com>
References: <55387bda-e6f5-6cbd-bec9-6fd49fa32f48@redhat.com>
Message-ID: <1eb70855-13ca-24a2-15ae-1333db2efe8d@redhat.com>

On 7/1/2016 4:25 AM, Abhijeet Kasurde wrote:
> Hi All,
>
> Please find the updated PATCH 0005.
>
> On 07/01/2016 11:02 AM, Abhijeet Kasurde wrote:
>>
>> Hi All,
>>
>> Please review these patches.
>>
>> Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

Thanks! Pushed to master with some changes:

1. We haven't defined how to use the Signed-off-by field, so for now I
   removed them from the patch descriptions.

2. The exception handler in patch #5 was changed to handle all LDAP errors
   and return error code 1.

--
Endi S. Dewata

From edewata at redhat.com Fri Jul 1 17:21:17 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 1 Jul 2016 12:21:17 -0500
Subject: [Pki-devel] [PATCH 0009] More misc. fixes for pki-server commands
In-Reply-To: 
References: 
Message-ID: <6041ad7a-4ca7-7fc1-1264-f8167da61838@redhat.com>

On 7/1/2016 5:03 AM, Abhijeet Kasurde wrote:
> Hi All,
>
> Please find the patch for review.
>
> Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
>
> --
> Thanks,
> Abhijeet Kasurde

Thanks! Pushed to master with some changes:

1. The instance.subsystems contains non-empty elements, so "not subsystem"
   will always be False. The db-schema-upgrade command requires that there
   is at least one subsystem in the instance, so the check is changed to
   "not instance.subsystems".

2. The bind password prompt is a nice addition. I moved it down after
   checking the instance and subsystem so we don't have to enter the
   password if the instance/subsystem is invalid.

--
Endi S. Dewata

From mharmsen at redhat.com Fri Jul 1 20:52:02 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 1 Jul 2016 14:52:02 -0600
Subject: [Pki-devel] [Patch] Add HSM information
Message-ID: <5776D7F2.2030006@redhat.com>

Please review the attached patch which addresses the following ticket:

* PKI TRAC Ticket #1405 - [MAN] Add additional HSM details to
  'pki_default.cfg' & 'pkispawn' man pages

This ticket adds text to the pki_default.cfg.5 and pkispawn.8 man pages to
more adequately describe the use of hardware security modules (HSM) with
PKI subsystems.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20160701-Add-HSM-information.patch
Type: text/x-patch
Size: 8772 bytes
Desc: not available
URL: 

From jmagne at redhat.com Fri Jul 1 21:36:14 2016
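The pki-server validation pattern discussed in the 781 thread (get_subsystem() returning None for a missing subsystem, which surfaces as the AttributeError Fraser quoted) and in the 0009 review above (the "not instance.subsystems" check and prompting for the bind password only after validation), as an added Python example that is not pki-server's own code: InstanceStub, SubsystemStub, the error strings and the sample instances are hypothetical stand-ins for pki.server.PKIInstance and PKISubsystem.

```python
# Added example, not pki-server's own code: the instance/subsystem
# validation pattern discussed in the 781 and 0009 threads above.
# InstanceStub and SubsystemStub are hypothetical stand-ins for
# pki.server.PKIInstance and PKISubsystem; the error strings are made up.
import sys


class SubsystemStub:
    def __init__(self, name, certs):
        self.name = name
        self.certs = certs

    def find_system_certs(self):
        return list(self.certs)


class InstanceStub:
    def __init__(self, name, exists, subsystems):
        self.name = name
        self.exists = exists          # whether the instance directory exists
        self.subsystems = subsystems  # loaded subsystems, possibly empty

    def is_valid(self):
        return self.exists

    def get_subsystem(self, name):
        # Returns None for an unknown subsystem; callers must check for it.
        for subsystem in self.subsystems:
            if subsystem.name == name:
                return subsystem
        return None


def cert_find_unchecked(instance, subsystem_name):
    # Pre-validation behaviour: a missing subsystem makes this raise
    # AttributeError: 'NoneType' object has no attribute 'find_system_certs'
    return instance.get_subsystem(subsystem_name).find_system_certs()


def cert_find_unchecked_error(instance, subsystem_name):
    """Run the unchecked version and return the AttributeError text, if any."""
    try:
        cert_find_unchecked(instance, subsystem_name)
        return None
    except AttributeError as e:
        return str(e)


def cert_find(instance, subsystem_name, err=sys.stderr):
    """Validated version: returns (exit_code, certs); problems are reported
    with exit code 1 instead of a traceback."""
    if not instance.is_valid():
        print('ERROR: Invalid instance: %s' % instance.name, file=err)
        return 1, []
    subsystem = instance.get_subsystem(subsystem_name)
    if subsystem is None:
        print('ERROR: No %s subsystem in instance %s.'
              % (subsystem_name.upper(), instance.name), file=err)
        return 1, []
    return 0, subsystem.find_system_certs()


def has_missing_subsystem_buggy(instance):
    # The check rejected in the 0009 review: every element of
    # instance.subsystems is a real object, so 'not subsystem' never fires,
    # and an empty list never enters the loop at all.
    for subsystem in instance.subsystems:
        if not subsystem:
            return True
    return False


def db_schema_upgrade(instance, prompt, err=sys.stderr):
    """Validate the instance and that it hosts at least one subsystem
    before asking for the bind password. prompt is a getpass-like callable.
    Returns (exit_code, upgraded_names, prompted)."""
    if not instance.is_valid():
        print('ERROR: Invalid instance: %s' % instance.name, file=err)
        return 1, [], False
    if not instance.subsystems:   # the corrected check
        print('ERROR: No subsystems in instance %s.' % instance.name, file=err)
        return 1, [], False
    bind_password = prompt('Bind password: ')   # only reached when valid
    upgraded = []
    for subsystem in instance.subsystems:
        # hypothetical: the real command runs the LDAP schema upgrade for
        # this subsystem with bind_password here
        upgraded.append(subsystem.name)
    return 0, upgraded, bind_password is not None


# Constructed sample instances.
SAMPLE_CA_ONLY = InstanceStub('pki-tomcat', True,
                              [SubsystemStub('ca', ['ca_signing', 'sslserver'])])
SAMPLE_EMPTY = InstanceStub('pki-empty', True, [])
SAMPLE_MISSING = InstanceStub('no-such-instance', False, [])
```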
From: jmagne at redhat.com (John Magne)
Date: Fri, 1 Jul 2016 17:36:14 -0400 (EDT)
Subject: [Pki-devel] [Patch] Add HSM information
In-Reply-To: <5776D7F2.2030006@redhat.com>
References: <5776D7F2.2030006@redhat.com>
Message-ID: <841152295.4434060.1467408974964.JavaMail.zimbra@redhat.com>

Tried out the man pages, looks good.

ACK

----- Original Message -----
> From: "Matthew Harmsen"
> To: "pki-devel"
> Sent: Friday, July 1, 2016 1:52:02 PM
> Subject: [Pki-devel] [Patch] Add HSM information
>
> Please review the attached patch which addresses the following ticket:
>
> * PKI TRAC Ticket #1405 - [MAN] Add additional HSM details to
>   'pki_default.cfg' & 'pkispawn' man pages
>
> This ticket adds text to the pki_default.cfg.5 and pkispawn.8 man pages to
> more adequately describe the use of hardware security modules (HSM) with
> PKI subsystems.

From jmagne at redhat.com Fri Jul 1 22:45:00 2016
From: jmagne at redhat.com (John Magne)
Date: Fri, 1 Jul 2016 18:45:00 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0075-Generting-Symmetric-key-fails-with-key-generate-when.patch
In-Reply-To: <57759515.30103@redhat.com>
References: <926945076.2205852.1466814205230.JavaMail.zimbra@redhat.com> <57759515.30103@redhat.com>
Message-ID: <502487438.4440580.1467413100902.JavaMail.zimbra@redhat.com>

Pushed to master, ACK from mharmsen

Closing #1114

commit cfab57d057c7ada71ea9c360c278249d14e018d9
Author: Jack Magne
Date:   Fri Jun 24 17:04:15 2016 -0700

    Generating Symmetric key fails with key-generate when --usages verify is passed

    Ticket #1114

    Minor adjustment to the man page for the key management commands to say
    which usages are appropriate for sym keys and those appropriate for asym keys.

----- Original Message -----
From: "Matthew Harmsen"
To: "John Magne", "pki-devel"
Sent: Thursday, June 30, 2016 2:54:29 PM
Subject: Re: [Pki-devel] [pki-devel][PATCH] 0075-Generting-Symmetric-key-fails-with-key-generate-when.patch

On 06/24/2016 06:23 PM, John Magne wrote:
> Generating Symmetric key fails with key-generate when --usages verify is passed
>
> Ticket #1114
>
> Minor adjustment to the man page for the key management commands to say
> which usages are appropriate for sym keys and those appropriate for asym keys.

ACK

From jmagne at redhat.com Sat Jul 2 00:11:58 2016
From: jmagne at redhat.com (John Magne)
Date: Fri, 1 Jul 2016 20:11:58 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0073-Separated-TPS-does-not-automatically-receive-shared-.patch
In-Reply-To: <1551493855.1800384.1466721224768.JavaMail.zimbra@redhat.com>
References: <1551493855.1800384.1466721224768.JavaMail.zimbra@redhat.com>
Message-ID: <431154231.4446185.1467418318356.JavaMail.zimbra@redhat.com>

ACKED verbally by cfu, with some very minor changes.

Pushed to master:

commit 0f056221d096a30307834265ecd1c527087bb0f7
Author: Jack Magne
Date:   Mon Jun 13 11:27:59 2016 -0700

    Separated TPS does not automatically receive shared secret from remote TKS.
    ....
    ....

Closing ticket # 2349

----- Original Message -----
From: "John Magne"
To: "pki-devel"
Sent: Thursday, June 23, 2016 3:33:44 PM
Subject: [pki-devel][PATCH] 0073-Separated-TPS-does-not-automatically-receive-shared-.patch

[PATCH] Separated TPS does not automatically receive shared secret from
remote TKS.

Support to allow the TPS to do the following:

1. Request that the TKS creates a shared secret with the proper ID,
   pointing to the TPS.
2. Have the TKS securely return the shared secret back to the TPS during
   the end of configuration.
3. The TPS then imports the wrapped shared secret into its own internal
   NSS db permanently and
4. Given a name that is mapped to the TPS's id string.

Additional fixes:

1. The TKS was modified to actually be able to use multiple shared secrets
   registered by multiple TPS instances.

Caveat:

At this point if the same remote TPS instance is created over and over
again, the TPS's user in the TKS will accumulate "userCert" attributes,
making the exportation of the shared secret not functional. At this point
we need to assume that the TPS user has ONE "userCert" registered at this
time.

Tested with a remote TPS talking to a shared TMS system consisting of a
TPS, TKS, and KRA. The shared secret was imported successfully after
manually deleting the user representing the TPS from previous installs.
This way I was assured one cert stored for the user, since it had to be
created fresh.

Also tested that the TKS can work successfully with the new TPS AND the
prior shared TPS on the original instance. The TKS can now host more than
one shared secret in its db and address the correct one when a given TPS
makes a request of it.

Please forgive some spurious changes that happened when formatting a couple
of the files in question. Every legit change is related to the shared
secret and can be found easily.

From akasurde at redhat.com Sat Jul 2 05:48:50 2016
From: akasurde at redhat.com (Abhijeet Kasurde)
Date: Sat, 2 Jul 2016 11:18:50 +0530
Subject: [Pki-devel] [PATCH 0010] Added instance and subsystem validation for pki-server subsystem-* commands.
Message-ID: <1f545c5a-a6e3-b760-c44e-ffd60d9e2429@redhat.com>

Hi All,

Please review the patch.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akasurde-0010-Added-instance-and-subsystem-validation-for-pki-serv.patch
Type: text/x-patch
Size: 6861 bytes
Desc: not available
URL: 

From alee at redhat.com Mon Jul 4 14:24:05 2016
From: alee at redhat.com (Ade Lee)
Date: Mon, 04 Jul 2016 15:24:05 +0100
Subject: [Pki-devel] [DRAFT] general migration procedure to RHCS 9
Message-ID: <1467642245.22477.5.camel@redhat.com>

Hi all,

In CS 9.1, there are a number of mechanisms that have been added to allow
administrators to migrate from RHCS8 -> CS 9.1. These have been detailed
here:

http://pki.fedoraproject.org/wiki/Migrating_a_CA_using_existing_CA_mechanism

In CS 9.0, many of the same mechanisms do not exist. I have written a
simple guide on how to do a migration in this case.

http://pki.fedoraproject.org/wiki/Migrating_a_CA_using_general_mechanism

Please review and provide comments.

Ade

From mharmsen at redhat.com Tue Jul 5 14:58:58 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 5 Jul 2016 08:58:58 -0600
Subject: [Pki-devel] Karma Request for Dogtag 10.3.3-3 on Fedora 24
Message-ID: <577BCB32.9070205@redhat.com>

The following candidate build of Dogtag 10.3.3-3 for Fedora 24 consists of
the following:

* pki-core-10.3.3-3.fc24

Please provide Karma for this build in Bodhi located at:

* https://bodhi.fedoraproject.org/updates/FEDORA-2016-af639eaba8
  pki-core-10.3.3-3.fc24

Additionally, the following build has been provided for Fedora 25 (rawhide):

* pki-core-10.3.3-3.fc25

Thanks,
-- Matt

From cfu at redhat.com Tue Jul 5 22:15:53 2016
From: cfu at redhat.com (Christina Fu)
Date: Tue, 5 Jul 2016 15:15:53 -0700
Subject: [Pki-devel] Karma Request for tomcatjss-7.1.4-1 on Fedora 24
Message-ID: <577C3199.4010006@redhat.com>

The following candidate build of tomcatjss-7.1.4-1 on Fedora 24 consists of
the following:

tomcatjss-7.1.4-1.fc24

Please provide Karma for this build in Bodhi located at:

https://bodhi.fedoraproject.org/updates/FEDORA-2016-167163e928

Additionally, the following build has been provided for Fedora 25 (rawhide):

tomcatjss-7.1.4-1.fc25

thanks,
Christina

From cfu at redhat.com Tue Jul 5 22:20:00 2016
From: cfu at redhat.com (Christina Fu)
Date: Tue, 5 Jul 2016 15:20:00 -0700
Subject: [Pki-devel] Karma Request for jss-4.2.6-41 on Fedora24
Message-ID: <577C3290.80307@redhat.com>

The following candidate build of jss-4.2.6-41 on Fedora 24 consists of the
following:

jss-4.2.6-41.fc24

Please provide Karma for this build in Bodhi located at:

https://bodhi.fedoraproject.org/updates/FEDORA-2016-113d8c06f5

Additionally, the following build has been provided for Fedora 25 (rawhide):

jss-4.2.6-41.fc25

Thanks,
Christina

From edewata at redhat.com Wed Jul 6 15:30:25 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Jul 2016 10:30:25 -0500
Subject: [Pki-devel] [PATCH 0010] Added instance and subsystem validation for pki-server subsystem-* commands.
In-Reply-To: <1f545c5a-a6e3-b760-c44e-ffd60d9e2429@redhat.com>
References: <1f545c5a-a6e3-b760-c44e-ffd60d9e2429@redhat.com>
Message-ID: 

On 7/2/2016 12:48 AM, Abhijeet Kasurde wrote:
> Hi All,
>
> Please review the patch.
>
> Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

Thanks! Pushed to master under this ticket:
https://fedorahosted.org/pki/ticket/2399

--
Endi S. Dewata

From mharmsen at redhat.com Wed Jul 6 15:54:24 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 6 Jul 2016 09:54:24 -0600
Subject: [Pki-devel] [PATCH 0010] Added instance and subsystem validation for pki-server subsystem-* commands.
In-Reply-To: 
References: <1f545c5a-a6e3-b760-c44e-ffd60d9e2429@redhat.com>
Message-ID: <577D29B0.60507@redhat.com>

On 07/06/2016 09:30 AM, Endi Sukma Dewata wrote:
> On 7/2/2016 12:48 AM, Abhijeet Kasurde wrote:
>> Hi All,
>>
>> Please review the patch.
>>
>> Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
>
> Thanks! Pushed to master under this ticket:
> https://fedorahosted.org/pki/ticket/2399
>

Abhijeet,

Since we are now on the 10.3.5 milestone, please begin referencing the
following bug:

* Bugzilla Bug #1353245 - Dogtag 10.3.5: Miscellaneous Enhancements

This was cloned from PKI TRAC Ticket #2399 - Dogtag 10.3.5: Miscellaneous
Enhancements which Endi correctly identified; I have added the check-in
hash to both the bug and the ticket.

Thanks,
-- Matt

From edewata at redhat.com Wed Jul 6 17:05:20 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Jul 2016 12:05:20 -0500
Subject: [Pki-devel] [PATCH] 783 Fixed exception chain in SigningUnit.init().
Message-ID: 

The SigningUnit.init() has been modified to chain the exceptions to help
troubleshooting.

https://fedorahosted.org/pki/ticket/2399

Pushed under one-liner/trivial rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0783-Fixed-exception-chain-in-SigningUnit.init.patch
Type: text/x-patch
Size: 7429 bytes
Desc: not available
URL: 

From edewata at redhat.com Wed Jul 6 19:23:01 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Jul 2016 14:23:01 -0500
Subject: [Pki-devel] [PATCH] 784 Fixed CLI error message on connection problems
Message-ID: <45fcc09c-c300-3516-50c8-b4d364f05cab@redhat.com>

The CLI has been modified to display the actual error message instead of
a generic ProcessingException.

https://fedorahosted.org/pki/ticket/2377

Pushed under one-liner/trivial rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0784-Fixed-CLI-error-message-on-connection-problems.patch
Type: text/x-patch
Size: 1969 bytes
Desc: not available
URL: 

From edewata at redhat.com Wed Jul 6 20:15:14 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Jul 2016 15:15:14 -0500
Subject: [Pki-devel] [PATCH] 785 Added validation for pki client-cert-request extractable parameter.
Message-ID: 

The pki client-cert-request CLI has been modified to validate the boolean
extractable parameter.

https://fedorahosted.org/pki/ticket/2383

Pushed to master under one-liner/trivial rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0785-Added-validation-for-pki-client-cert-request-extract.patch
Type: text/x-patch
Size: 1334 bytes
Desc: not available
URL: 

From edewata at redhat.com Wed Jul 6 20:34:57 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Jul 2016 15:34:57 -0500
Subject: [Pki-devel] [PATCH] 786 Added validation for pki client-cert-request sensitive parameter.
Message-ID: <127a95e3-3402-211e-5a81-5e74b9b3e319@redhat.com>

The pki client-cert-request CLI has been modified to validate the boolean sensitive parameter.

https://fedorahosted.org/pki/ticket/2383

Pushed to master under one-liner/trivial rule.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0786-Added-validation-for-pki-client-cert-request-sensiti.patch
Type: text/x-patch
Size: 1324 bytes

From edewata at redhat.com Wed Jul 6 21:31:57 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Jul 2016 16:31:57 -0500
Subject: [Pki-devel] [PATCH] 787 Added general exception handling for pki-server CLI.
Message-ID: <1fe04077-88f0-cf5a-9f91-fa1207fed8b7@redhat.com>

The pki-server CLI has been modified to catch all exceptions and display a simple exception message. In verbose mode it will display the stack trace.

https://fedorahosted.org/pki/ticket/2381

Pushed to master under one-liner/trivial rule.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0787-Added-general-exception-handling-for-pki-server-CLI.patch
Type: text/x-patch
Size: 1061 bytes

From edewata at redhat.com Thu Jul 7 02:54:56 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Jul 2016 21:54:56 -0500
Subject: [Pki-devel] [PATCH] 788 Fixed problem with pki pkcs12-import --no-trust-flags.
Message-ID:

The pki pkcs12-import CLI has been fixed such that when it calls pki pkcs12-cert-find internally it does not add the --no-trust-flags option.

https://fedorahosted.org/pki/ticket/2399

Pushed to master under one-liner/trivial rule.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0788-Fixed-problem-with-pki-pkcs12-import-no-trust-flags.patch
Type: text/x-patch
Size: 1114 bytes

From edewata at redhat.com Thu Jul 7 02:55:01 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Jul 2016 21:55:01 -0500
Subject: [Pki-devel] [PATCH] 789 Fixed pki pkcs12-import output.
Message-ID: <0e56d392-0160-ea2d-897c-d3f9f27d2ec1@redhat.com>

The pki pkcs12-import has been modified to suppress the output of external command execution and display a completion message more consistently.

https://fedorahosted.org/pki/ticket/2399

Pushed to master under one-liner/trivial rule.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0789-Fixed-pki-pkcs12-import-output.patch
Type: text/x-patch
Size: 1057 bytes

From akasurde at redhat.com Thu Jul 7 04:07:33 2016
From: akasurde at redhat.com (Abhijeet Kasurde)
Date: Thu, 7 Jul 2016 09:37:33 +0530
Subject: [Pki-devel] [PATCH 0010] Added instance and subsystem validation for pki-server subsystem-* commands.
In-Reply-To: <577D29B0.60507@redhat.com>
References: <1f545c5a-a6e3-b760-c44e-ffd60d9e2429@redhat.com> <577D29B0.60507@redhat.com>
Message-ID: <27544bd1-262a-a8aa-aebd-d6783e6ba908@redhat.com>

Sure, Matthew. I will take a note of that.

On 07/06/2016 09:24 PM, Matthew Harmsen wrote:
> On 07/06/2016 09:30 AM, Endi Sukma Dewata wrote:
>> On 7/2/2016 12:48 AM, Abhijeet Kasurde wrote:
>>> Hi All,
>>>
>>> Please review the patch.
>>>
>>> Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
>>
>> Thanks! Pushed to master under this ticket:
>> https://fedorahosted.org/pki/ticket/2399
>>
> Abhijeet,
>
> Since we are now on the 10.3.5 milestone, please begin referencing the following bug:
>
> * Bugzilla Bug #1353245 - Dogtag 10.3.5: Miscellaneous Enhancements
>
> This was cloned from PKI TRAC Ticket #2399 - Dogtag 10.3.5: Miscellaneous Enhancements which Endi correctly identified; I have added the check-in hash to both the bug and the ticket.
>
> Thanks,
> -- Matt
>

-- 
Thanks,
Abhijeet Kasurde
IRC: akasurde
http://akasurde.github.io

From cfu at redhat.com Thu Jul 7 21:04:37 2016
From: cfu at redhat.com (Christina Fu)
Date: Thu, 7 Jul 2016 14:04:37 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0146-Ticket-978-PS-connector-man-page-add-revocation-rout.patch
Message-ID: <577EC3E5.2010507@redhat.com>

Attached please find the patch that addresses:

https://fedorahosted.org/pki/ticket/978 TPS connector man page: add revocation routing info

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0146-Ticket-978-PS-connector-man-page-add-revocation-rout.patch
Type: text/x-patch
Size: 2461 bytes

From jmagne at redhat.com Fri Jul 8 20:20:46 2016
From: jmagne at redhat.com (John Magne)
Date: Fri, 8 Jul 2016 16:20:46 -0400 (EDT)
Subject: [Pki-devel] [PATCH] pki-cfu-0146-Ticket-978-PS-connector-man-page-add-revocation-rout.patch
In-Reply-To: <577EC3E5.2010507@redhat.com>
References: <577EC3E5.2010507@redhat.com>
Message-ID: <1226753266.6375698.1468009246992.JavaMail.zimbra@redhat.com>

ACK:

One optional minor suggestion. All over the place we now have stuff like this:

    tps.connector.ca

Maybe just somewhere make it clear that represents an integer between 1 and whatever we support. Maybe just say that in the section talking about the ca list: "ca1,ca2"

----- Original Message -----
From: "Christina Fu"
To: "pki-devel"
Sent: Thursday, 7 July, 2016 2:04:37 PM
Subject: [Pki-devel] [PATCH] pki-cfu-0146-Ticket-978-PS-connector-man-page-add-revocation-rout.patch

Attached please find the patch that addresses:

https://fedorahosted.org/pki/ticket/978 TPS connector man page: add revocation routing info

thanks,
Christina

_______________________________________________
Pki-devel mailing list
Pki-devel at redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

From cfu at redhat.com Sat Jul 9 00:24:02 2016
From: cfu at redhat.com (Christina Fu)
Date: Fri, 8 Jul 2016 17:24:02 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0146-Ticket-978-PS-connector-man-page-add-revocation-rout.patch
In-Reply-To: <1226753266.6375698.1468009246992.JavaMail.zimbra@redhat.com>
References: <577EC3E5.2010507@redhat.com> <1226753266.6375698.1468009246992.JavaMail.zimbra@redhat.com>
Message-ID: <57804422.7030009@redhat.com>

It's in the first paragraph under "CA Connector".

Pushed to master: commit 79555bd4bfd74a97af8cf8d674f0a7df62a8a98e

thanks!
Christina

On 07/08/2016 01:20 PM, John Magne wrote:
> ACK:
>
> One optional minor suggestion.
> All over the place we now have stuff like this:
>
> tps.connector.ca
>
> Maybe just somewhere make it clear that represents an integer between 1 and whatever we support.
> Maybe just say that in the section talking about the ca list : "ca1,ca2"
>
> ----- Original Message -----
> From: "Christina Fu"
> To: "pki-devel"
> Sent: Thursday, 7 July, 2016 2:04:37 PM
> Subject: [Pki-devel] [PATCH] pki-cfu-0146-Ticket-978-PS-connector-man-page-add-revocation-rout.patch
>
> Attached please find the patch that addresses:
> https://fedorahosted.org/pki/ticket/978 TPS connector man page: add
> revocation routing info
>
> thanks,
> Christina
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From ftweedal at redhat.com Sun Jul 10 23:37:29 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 11 Jul 2016 09:37:29 +1000
Subject: [Pki-devel] [Freeipa-devel] Proposed patch to resolve #828866 [RFE] enhance --subject option for ipa-server-install
In-Reply-To: <623db5fe-03af-c5d2-c48c-58ca6b2584ce@redhat.com>
References: <577DE18F.4050103@redhat.com> <577E561C.3070208@redhat.com> <577E62EB.4010706@redhat.com> <20160708034248.GH10771@dhcp-40-8.bne.redhat.com> <623db5fe-03af-c5d2-c48c-58ca6b2584ce@redhat.com>
Message-ID: <20160710233729.GN10771@dhcp-40-8.bne.redhat.com>

On Fri, Jul 08, 2016 at 01:18:23PM +0200, Petr Spacek wrote:
> On 8.7.2016 05:42, Fraser Tweedale wrote:
> >
> > 2. If argument contains CN but it is not the "most specific"
> > RDN, move it to the front (to satisfy requirement of Dogtag
> > profile).
>
> I wonder if we can relax the requirement in Dogtag so no reordering is needed.
> After all, DN is just a name, isn't it? Why Dogtag requires particular field
> in DN?
>
Cc pki-devel at .

The subject name constraint in the caCAcert profile is:

    policyset.caCertSet.1.constraint.params.pattern=CN=.*

What do you think? Can we relax or remove this constraint - or if not, why is it required?

Thanks,
Fraser

From cfu at redhat.com Tue Jul 12 01:19:20 2016
From: cfu at redhat.com (Christina Fu)
Date: Mon, 11 Jul 2016 18:19:20 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0148-Ticket-2389-fix-for-regular-CA-installation.patch
Message-ID: <33feb62f-e6ed-75c2-b7fb-c7712ea8f3f3@redhat.com>

This patch addresses the issue that with the previous patch, the regular (non-external and non-existing) CA installation fails.

https://fedorahosted.org/pki/ticket/2389

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0148-Ticket-2389-fix-for-regular-CA-installation.patch
Type: text/x-patch
Size: 2604 bytes

From cfu at redhat.com Tue Jul 12 01:32:21 2016
From: cfu at redhat.com (Christina Fu)
Date: Mon, 11 Jul 2016 18:32:21 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0148-Ticket-2389-fix-for-regular-CA-installation.patch
In-Reply-To: <33feb62f-e6ed-75c2-b7fb-c7712ea8f3f3@redhat.com>
References: <33feb62f-e6ed-75c2-b7fb-c7712ea8f3f3@redhat.com>
Message-ID:

Received verbal ACK from edewata.

Pushed to master: commit ee68baccc5510184ff67b903288410d3ccc6a831

thanks!
Christina

On 07/11/2016 06:19 PM, Christina Fu wrote:
> This patch addresses the issue that with the previous patch, the regular (non-external and non-existing) CA installation fails.
>
> https://fedorahosted.org/pki/ticket/2389
>
> thanks,
>
> Christina
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From cfu at redhat.com Wed Jul 13 01:27:04 2016
From: cfu at redhat.com (Christina Fu)
Date: Tue, 12 Jul 2016 18:27:04 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0149-Ticket-2246-MAN-Man-Page-AuditVerify.patch
Message-ID:

man page for AuditVerify

https://fedorahosted.org/pki/ticket/2246

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0149-Ticket-2246-MAN-Man-Page-AuditVerify.patch
Type: text/x-patch
Size: 7537 bytes

From gkapoor at redhat.com Wed Jul 13 11:06:26 2016
From: gkapoor at redhat.com (Geetika Kapoor)
Date: Wed, 13 Jul 2016 16:36:26 +0530
Subject: [Pki-devel] [PATCH] Added fix for pki-server for db-update
Message-ID: <578620B2.8020203@redhat.com>

Hi,

Please review this patch. Below is a small summary about this fix and what we are trying to achieve.

CLI: pki-server db-upgrade

What it should be doing is: if it sees that issuerName doesn't exist or is NULL, it will add it itself.

Operation 1: Search for the empty cn value for issuerName
-------------------------------------------------------------------------------

Current: '(&(objectclass=certificateRecord)(issuerName=*))' -- I tried this; it didn't show data even if I have a record with empty issuerName.

Modified: '(&(objectclass=certificateRecord)(!(issuerName=cn*)))' -- This solves the purpose as it shows all the certs without issuerName.

Operation 2: If we see an empty cn value, we are replacing it with the value we get from code
------------------------------------------------------------------------------------------------------------------

    cert = nss.Certificate(bytearray(attr_cert[0]))
    issuer_name = str(cert.issuer)

Current: we are updating the list in the format as mentioned:

    'issuerName': ['', 'CN=CA Signing Certificate,O=example.com Security Domain']

Do we want to keep this behavior or do we want to overwrite it in the first place? I believe in place of it we do MOD_REPLACE.

    conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)])

Modified:

    conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName', issuer_name)])

Thanks
Geetika

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-fix-for-pki-server-for-db-update.patch
Type: text/x-patch
Size: 1467 bytes

From ftweedal at redhat.com Thu Jul 14 04:36:42 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 14 Jul 2016 14:36:42 +1000
Subject: [Pki-devel] [PATCH] Added fix for pki-server for db-update
In-Reply-To: <578620B2.8020203@redhat.com>
References: <578620B2.8020203@redhat.com>
Message-ID: <20160714043642.GV10771@dhcp-40-8.bne.redhat.com>

On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
> Hi,
>
> Please review this patch.Below is a small summary about this fix and
> what we are trying to achieve.
>
> CLI : pki-server db-upgrade
>
> what it should be doing is if it sees that issuerName doesn't exist,NULL
> it will add it itself.
>
> Operation 1 : Search for the empty cn value for issuerName
> -------------------------------------------------------------------------------
>
> Current : '(&(objectclass=certificateRecord)(issuerName=*)) -- I
> tried this it didn't show data even if i have record with empty issuerName
>
Hi Geetika,

The current filter is actually:

    '(&(objectclass=certificateRecord)(!(issuerName=*)))',

This should match entries missing the issuerName attribute. You talk about an entry with "empty issuerName" but empty strings are not allowed for the Directory String attribute type. Could you please clarify exactly what data is in the offending entry/entries and how it got there?

> Modified : (&(objectclass=certificateRecord)(!(issuerName=cn*)))' --
> This solves the purpose as it shows all the certs without issuerName
>
This filter is wrong - it does match entries without issuerName (as intended), but also matches entries with issuerName set but not starting with "cn".

>
> Operation 2 : If we see a empty cn value , we are replacing it with
> value we get from code
> ------------------------------------------------------------------------------------------------------------------
> < code>
>
> cert = nss.Certificate(bytearray(attr_cert[0]))
> issuer_name = str(cert.issuer)
>
>
>
> Current : we are updating the list it the format as mentioned
> 'issuerName': ['', 'CN=CA Signing Certificate,O=example.com Security
> Domain']
>
> Do we want to keep this behavior or we want to overwrite it in first
> place? I believe in place of we do it MOD_REPLACE.
>
> conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName',
> issuer_name)])
>
>
>
> Modified : conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName',
> issuer_name)])
>
This change is OK.

From gkapoor at redhat.com Thu Jul 14 06:08:05 2016
From: gkapoor at redhat.com (Geetika Kapoor)
Date: Thu, 14 Jul 2016 11:38:05 +0530
Subject: [Pki-devel] [PATCH] Added fix for pki-server for db-update
In-Reply-To: <20160714043642.GV10771@dhcp-40-8.bne.redhat.com>
References: <578620B2.8020203@redhat.com> <20160714043642.GV10771@dhcp-40-8.bne.redhat.com>
Message-ID: <57872C45.4080907@redhat.com>

On 07/14/2016 10:06 AM, Fraser Tweedale wrote:
> On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
>> Hi,
>>
>> Please review this patch.Below is a small summary about this fix and
>> what we are trying to achieve.
>>
>> CLI : pki-server db-upgrade
>>
>> what it should be doing is if it sees that issuerName doesn't exist,NULL
>> it will add it itself.
>>
>> Operation 1 : Search for the empty cn value for issuerName
>> -------------------------------------------------------------------------------
>>
>> Current : '(&(objectclass=certificateRecord)(issuerName=*)) -- I
>> tried this it didn't show data even if i have record with empty issuerName
>>
> Hi Geetika,
>
> The current filter is actually:
>
> '(&(objectclass=certificateRecord)(!(issuerName=*)))',
>
> This should match entries missing the issuerName attribute. You
> talk about an entry with "empty issuerName" but empty strings are
> not allowed for the Directory String attribute type. Could you
> please clarify exactly what data is in the offending entry/entries
> and how it got there?

Hi Fraser,

If we disable syntax check in ldap dse.ldif, it will accept empty data as well. So if an end user disables syntax check, issuerName can be empty in that case (a test case that I tried). So in that case db-update will never happen because that condition is not considered. This scenario can be reproduced using the below ldif file.

    dn: cn=106,ou=certificateRepository,ou=ca,o=pkitest-CA
    objectClass: certificateRecord
    objectClass: top
    cn: 106
    algorithmId: 1.2.840.113549.1.1.1
    autoRenew: ENABLED
    certStatus: VALID
    dateOfCreate: 20160712084443Z
    dateOfModify: 20160712084443Z
    duration: 1131536000000
    issuedBy: geetika20
    *issuerName: *
    metaInfo: requestId:100
    notAfter: 20170712084205Z
    notBefore: 20160712084205Z
    publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu0Hlk6SdMnyr0Igq
    serialno: 100
    signingAlgorithmId: 1.2.840.113549.1.1.11
    subjectName: CN=CS Administrator,C=US
    userCertificate;binary:: MIIC6DCCAdCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBHMSQwIgY
    version: 2

So in such a case using '(&(objectclass=certificateRecord)(!(issuerName=*)))' will not be able to search for such entries. I tried and it gives me empty data. I believe using (&(objectclass=certificateRecord)(!(issuerName=*))(!(issuerName=cn*))) can solve that purpose.

Thanks
Geetika

>
>> Modified : (&(objectclass=certificateRecord)(!(issuerName=cn*)))' --
>> This solves the purpose as it shows all the certs without issuerName
>>
> This filter is wrong - it does match entries without issuerName (as
> intended), but also matches entries with issuerName set but not
> starting with "cn".
>
>> Operation 2 : If we see a empty cn value , we are replacing it with
>> value we get from code
>> ------------------------------------------------------------------------------------------------------------------
>> < code>
>>
>> cert = nss.Certificate(bytearray(attr_cert[0]))
>> issuer_name = str(cert.issuer)
>>
>>
>>
>> Current : we are updating the list it the format as mentioned
>> 'issuerName': ['', 'CN=CA Signing Certificate,O=example.com Security
>> Domain']
>>
>> Do we want to keep this behavior or we want to overwrite it in first
>> place? I believe in place of we do it MOD_REPLACE.
>>
>> conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName',
>> issuer_name)])
>>
>> Modified : conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName',
>> issuer_name)])
>>
> This change is OK.

From gkapoor at redhat.com Thu Jul 14 07:35:18 2016
From: gkapoor at redhat.com (Geetika Kapoor)
Date: Thu, 14 Jul 2016 13:05:18 +0530
Subject: [Pki-devel] [PATCH] Added fix for pki-server for db-update
In-Reply-To: <57872C45.4080907@redhat.com>
References: <578620B2.8020203@redhat.com> <20160714043642.GV10771@dhcp-40-8.bne.redhat.com> <57872C45.4080907@redhat.com>
Message-ID: <578740B6.90103@redhat.com>

On 07/14/2016 11:38 AM, Geetika Kapoor wrote:
>
> On 07/14/2016 10:06 AM, Fraser Tweedale wrote:
>> On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
>>> Hi,
>>>
>>> Please review this patch.Below is a small summary about this fix and
>>> what we are trying to achieve.
>>>
>>> CLI : pki-server db-upgrade
>>>
>>> what it should be doing is if it sees that issuerName doesn't exist,NULL
>>> it will add it itself.
>>>
>>> Operation 1 : Search for the empty cn value for issuerName
>>> -------------------------------------------------------------------------------
>>>
>>> Current : '(&(objectclass=certificateRecord)(issuerName=*)) -- I
>>> tried this it didn't show data even if i have record with empty issuerName
>>>
>> Hi Geetika,
>>
>> The current filter is actually:
>>
>> '(&(objectclass=certificateRecord)(!(issuerName=*)))',
>>
>> This should match entries missing the issuerName attribute. You
>> talk about an entry with "empty issuerName" but empty strings are
>> not allowed for the Directory String attribute type. Could you
>> please clarify exactly what data is in the offending entry/entries
>> and how it got there?
> Hi Fraser,
>
> If we disable syntax check in ldap dse.ldif , it will accept empty
> data as well.So if a end user disable syntax check,issuerName can be
> empty in that case.(a test case that i tried)
> So in that case db-update will never happen because that condition is
> not considered.This scenario can be reproduced using below ldif file.
>
> dn: cn=106,ou=certificateRepository,ou=ca,o=pkitest-CA
> objectClass: certificateRecord
> objectClass: top
> cn: 106
> algorithmId: 1.2.840.113549.1.1.1
> autoRenew: ENABLED
> certStatus: VALID
> dateOfCreate: 20160712084443Z
> dateOfModify: 20160712084443Z
> duration: 1131536000000
> issuedBy: geetika20
> *issuerName: *
> metaInfo: requestId:100
> notAfter: 20170712084205Z
> notBefore: 20160712084205Z
> publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu0Hlk6SdMnyr0Igq
> serialno: 100
> signingAlgorithmId: 1.2.840.113549.1.1.11
> subjectName: CN=CS Administrator,C=US
> userCertificate;binary:: MIIC6DCCAdCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBHMSQwIgY
> version: 2
>
> So in such a case using
> '(&(objectclass=certificateRecord)(!(issuerName=*)))',will not able to
> search for such entries.I tried and it gives me empty data .I believe
> using (&(objectclass=certificateRecord)
> (!(issuerName=*))(!(issuerName=cn*))) can solve that purpose.
>
> Thanks
> Geetika

Hi Frazer,

I just did one quick round of testing. If we have '(&(objectclass=certificateRecord)(!(issuerName=cn*)))', it will work in both cases:

1. When issuerName doesn't exist.
2. When the issuerName field exists but has an empty value.

Thanks
Geetika

>>> Modified : (&(objectclass=certificateRecord)(!(issuerName=cn*)))' --
>>> This solves the purpose as it shows all the certs without issuerName
>>>
>> This filter is wrong - it does match entries without issuerName (as
>> intended), but also matches entries with issuerName set but not
>> starting with "cn".
>>
>>> Operation 2 : If we see a empty cn value , we are replacing it with
>>> value we get from code
>>> ------------------------------------------------------------------------------------------------------------------
>>> < code>
>>>
>>> cert = nss.Certificate(bytearray(attr_cert[0]))
>>> issuer_name = str(cert.issuer)
>>>
>>>
>>>
>>> Current : we are updating the list it the format as mentioned
>>> 'issuerName': ['', 'CN=CA Signing Certificate,O=example.com Security
>>> Domain']
>>>
>>> Do we want to keep this behavior or we want to overwrite it in first
>>> place? I believe in place of we do it MOD_REPLACE.
>>>
>>> conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName',
>>> issuer_name)])
>>>
>>> Modified : conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName',
>>> issuer_name)])
>>>
>> This change is OK.
>

From ftweedal at redhat.com Thu Jul 14 08:01:51 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 14 Jul 2016 18:01:51 +1000
Subject: [Pki-devel] [PATCH] Added fix for pki-server for db-update
In-Reply-To: <578740B6.90103@redhat.com>
References: <578620B2.8020203@redhat.com> <20160714043642.GV10771@dhcp-40-8.bne.redhat.com> <57872C45.4080907@redhat.com> <578740B6.90103@redhat.com>
Message-ID: <20160714080151.GY10771@dhcp-40-8.bne.redhat.com>

On Thu, Jul 14, 2016 at 01:05:18PM +0530, Geetika Kapoor wrote:
>
> On 07/14/2016 11:38 AM, Geetika Kapoor wrote:
> >
> > On 07/14/2016 10:06 AM, Fraser Tweedale wrote:
> >> On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
> >>> Hi,
> >>>
> >>> Please review this patch.Below is a small summary about this fix and
> >>> what we are trying to achieve.
> >>>
> >>> CLI : pki-server db-upgrade
> >>>
> >>> what it should be doing is if it sees that issuerName doesn't exist,NULL
> >>> it will add it itself.
> >>>
> >>> Operation 1 : Search for the empty cn value for issuerName
> >>> -------------------------------------------------------------------------------
> >>>
> >>> Current : '(&(objectclass=certificateRecord)(issuerName=*)) -- I
> >>> tried this it didn't show data even if i have record with empty issuerName
> >>>
> >> Hi Geetika,
> >>
> >> The current filter is actually:
> >>
> >> '(&(objectclass=certificateRecord)(!(issuerName=*)))',
> >>
> >> This should match entries missing the issuerName attribute. You
> >> talk about an entry with "empty issuerName" but empty strings are
> >> not allowed for the Directory String attribute type. Could you
> >> please clarify exactly what data is in the offending entry/entries
> >> and how it got there?
> > Hi Fraser,
> >
> > If we disable syntax check in ldap dse.ldif , it will accept empty
> > data as well.So if a end user disable syntax check,issuerName can be
> > empty in that case.(a test case that i tried)
> > So in that case db-update will never happen because that condition is
> > not considered.This scenario can be reproduced using below ldif file.
> >
> > dn: cn=106,ou=certificateRepository,ou=ca,o=pkitest-CA
> > objectClass: certificateRecord
> > objectClass: top
> > cn: 106
> > algorithmId: 1.2.840.113549.1.1.1
> > autoRenew: ENABLED
> > certStatus: VALID
> > dateOfCreate: 20160712084443Z
> > dateOfModify: 20160712084443Z
> > duration: 1131536000000
> > issuedBy: geetika20
> > *issuerName: *
> > metaInfo: requestId:100
> > notAfter: 20170712084205Z
> > notBefore: 20160712084205Z
> > publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu0Hlk6SdMnyr0Igq
> > serialno: 100
> > signingAlgorithmId: 1.2.840.113549.1.1.11
> > subjectName: CN=CS Administrator,C=US
> > userCertificate;binary:: MIIC6DCCAdCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBHMSQwIgY
> > version: 2
> >
> > So in such a case using
> > '(&(objectclass=certificateRecord)(!(issuerName=*)))',will not able to
> > search for such entries.I tried and it gives me empty data .I believe
> > using (&(objectclass=certificateRecord)
> > (!(issuerName=*))(!(issuerName=cn*))) can solve that purpose.
> >
> > Thanks
> > Geetika
> Hi Frazer,
>
> I just did one quick round of testing .If we have
> '(&(objectclass=certificateRecord)(!(issuerName=cn*)))', it will work in
> both cases :
>
> 1. When issuerName doesn't exist.
> 2. When issuserName field exist but has empty value.
>
> Thanks
> Geetika
>
I still disagree that it is the right approach, because it may do unnecessary work for records that already have an issuerName that does not start with "cn".

Is it even necessary to support cases where customer has disabled syntax checking? Nevertheless, let me disable syntax checking on one of my instances and see if I can find a better filter.

Thanks,
Fraser

> >>> Modified : (&(objectclass=certificateRecord)(!(issuerName=cn*)))' --
> >>> This solves the purpose as it shows all the certs without issuerName
> >>>
> >> This filter is wrong - it does match entries without issuerName (as
> >> intended), but also matches entries with issuerName set but not
> >> starting with "cn".
> >>
> >>> Operation 2 : If we see a empty cn value , we are replacing it with
> >>> value we get from code
> >>> ------------------------------------------------------------------------------------------------------------------
> >>> < code>
> >>>
> >>> cert = nss.Certificate(bytearray(attr_cert[0]))
> >>> issuer_name = str(cert.issuer)
> >>>
> >>>
> >>>
> >>> Current : we are updating the list it the format as mentioned
> >>> 'issuerName': ['', 'CN=CA Signing Certificate,O=example.com Security
> >>> Domain']
> >>>
> >>> Do we want to keep this behavior or we want to overwrite it in first
> >>> place? I believe in place of we do it MOD_REPLACE.
> >>>
> >>> conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName',
> >>> issuer_name)])
> >>>
> >>> Modified : conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName',
> >>> issuer_name)])
> >>>
> >> This change is OK.
> >
>

From ftweedal at redhat.com Thu Jul 14 08:23:27 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 14 Jul 2016 18:23:27 +1000
Subject: [Pki-devel] [PATCH] Added fix for pki-server for db-update
In-Reply-To: <20160714080151.GY10771@dhcp-40-8.bne.redhat.com>
References: <578620B2.8020203@redhat.com> <20160714043642.GV10771@dhcp-40-8.bne.redhat.com> <57872C45.4080907@redhat.com> <578740B6.90103@redhat.com> <20160714080151.GY10771@dhcp-40-8.bne.redhat.com>
Message-ID: <20160714082327.GA10771@dhcp-40-8.bne.redhat.com>

On Thu, Jul 14, 2016 at 06:01:51PM +1000, Fraser Tweedale wrote:
> On Thu, Jul 14, 2016 at 01:05:18PM +0530, Geetika Kapoor wrote:
> >
> > On 07/14/2016 11:38 AM, Geetika Kapoor wrote:
> > >
> > > On 07/14/2016 10:06 AM, Fraser Tweedale wrote:
> > >> On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
> > >>> Hi,
> > >>>
> > >>> Please review this patch.Below is a small summary about this fix and
> > >>> what we are trying to achieve.
> > >>>
> > >>> CLI : pki-server db-upgrade
> > >>>
> > >>> what it should be doing is if it sees that issuerName doesn't exist,NULL
> > >>> it will add it itself.
> > >>>
> > >>> Operation 1 : Search for the empty cn value for issuerName
> > >>> -------------------------------------------------------------------------------
> > >>>
> > >>> Current : '(&(objectclass=certificateRecord)(issuerName=*)) -- I
> > >>> tried this it didn't show data even if i have record with empty issuerName
> > >>>
> > >> Hi Geetika,
> > >>
> > >> The current filter is actually:
> > >>
> > >> '(&(objectclass=certificateRecord)(!(issuerName=*)))',
> > >>
> > >> This should match entries missing the issuerName attribute. You
> > >> talk about an entry with "empty issuerName" but empty strings are
> > >> not allowed for the Directory String attribute type. Could you
> > >> please clarify exactly what data is in the offending entry/entries
> > >> and how it got there?
> > > Hi Fraser,
> > >
> > > If we disable syntax check in ldap dse.ldif , it will accept empty
> > > data as well.So if a end user disable syntax check,issuerName can be
> > > empty in that case.(a test case that i tried)
> > > So in that case db-update will never happen because that condition is
> > > not considered.This scenario can be reproduced using below ldif file.
> > >
> > > dn: cn=106,ou=certificateRepository,ou=ca,o=pkitest-CA
> > > objectClass: certificateRecord
> > > objectClass: top
> > > cn: 106
> > > algorithmId: 1.2.840.113549.1.1.1
> > > autoRenew: ENABLED
> > > certStatus: VALID
> > > dateOfCreate: 20160712084443Z
> > > dateOfModify: 20160712084443Z
> > > duration: 1131536000000
> > > issuedBy: geetika20
> > > *issuerName: *
> > > metaInfo: requestId:100
> > > notAfter: 20170712084205Z
> > > notBefore: 20160712084205Z
> > > publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu0Hlk6SdMnyr0Igq
> > > serialno: 100
> > > signingAlgorithmId: 1.2.840.113549.1.1.11
> > > subjectName: CN=CS Administrator,C=US
> > > userCertificate;binary:: MIIC6DCCAdCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBHMSQwIgY
> > > version: 2
> > >
> > > So in such a case using
> > > '(&(objectclass=certificateRecord)(!(issuerName=*)))',will not able to
> > > search for such entries.I tried and it gives me empty data .I believe
> > > using (&(objectclass=certificateRecord)
> > > (!(issuerName=*))(!(issuerName=cn*))) can solve that purpose.
> > >
> > > Thanks
> > > Geetika
> > Hi Frazer,
> >
> > I just did one quick round of testing .If we have
> > '(&(objectclass=certificateRecord)(!(issuerName=cn*)))', it will work in
> > both cases :
> >
> > 1. When issuerName doesn't exist.
> > 2. When issuserName field exist but has empty value.
> >
> > Thanks
> > Geetika
> >
> I still disagree that it is the right approach, because it may do
> unnecessary work for records that already have an issuerName that
> does not start with "cn".
>
> Is it even necessary to support cases where customer has disabled
> syntax checking? Nevertheless, let me disable syntax checking on
> one of my instances and see if I can find a better filter.
>
Please try this filter:

    (&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))

It will find only certificates with missing or empty issuername attribute. Does it work as expected for you, Geetika?

> > >>> Modified : (&(objectclass=certificateRecord)(!(issuerName=cn*)))' --
> > >>> This solves the purpose as it shows all the certs without issuerName
> > >>>
> > >> This filter is wrong - it does match entries without issuerName (as
> > >> intended), but also matches entries with issuerName set but not
> > >> starting with "cn".
> > >>
> > >>> Operation 2 : If we see a empty cn value , we are replacing it with
> > >>> value we get from code
> > >>> ------------------------------------------------------------------------------------------------------------------
> > >>> < code>
> > >>>
> > >>> cert = nss.Certificate(bytearray(attr_cert[0]))
> > >>> issuer_name = str(cert.issuer)
> > >>>
> > >>>
> > >>>
> > >>> Current : we are updating the list it the format as mentioned
> > >>> 'issuerName': ['', 'CN=CA Signing Certificate,O=example.com Security
> > >>> Domain']
> > >>>
> > >>> Do we want to keep this behavior or we want to overwrite it in first
> > >>> place? I believe in place of we do it MOD_REPLACE.
> > >>>
> > >>> conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName',
> > >>> issuer_name)])
> > >>>
> > >>> Modified : conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName',
> > >>> issuer_name)])
> > >>>
> > >> This change is OK.
> > >
> >

From gkapoor at redhat.com Thu Jul 14 09:32:21 2016
From: gkapoor at redhat.com (Geetika Kapoor) Date: Thu, 14 Jul 2016 15:02:21 +0530 Subject: [Pki-devel] [PATCH] Added fix for pki-server for db-update In-Reply-To: <20160714082327.GA10771@dhcp-40-8.bne.redhat.com> References: <578620B2.8020203@redhat.com> <20160714043642.GV10771@dhcp-40-8.bne.redhat.com> <57872C45.4080907@redhat.com> <578740B6.90103@redhat.com> <20160714080151.GY10771@dhcp-40-8.bne.redhat.com> <20160714082327.GA10771@dhcp-40-8.bne.redhat.com> Message-ID: <57875C25.40203@redhat.com>

On 07/14/2016 01:53 PM, Fraser Tweedale wrote:
> [...]
> Please try this filter:
>
> (&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))
>
> It will find only certificates with missing or empty issuername
> attribute. Does it work as expected for you, Geetika?

Let me try Fraser..

Thanks

> [...]

From gkapoor at redhat.com Thu Jul 14 09:34:54 2016
From: gkapoor at redhat.com (Geetika Kapoor) Date: Thu, 14 Jul 2016 15:04:54 +0530 Subject: [Pki-devel] [PATCH] Added fix for pki-server for db-update In-Reply-To: <57875C25.40203@redhat.com> References: <578620B2.8020203@redhat.com> <20160714043642.GV10771@dhcp-40-8.bne.redhat.com> <57872C45.4080907@redhat.com> <578740B6.90103@redhat.com> <20160714080151.GY10771@dhcp-40-8.bne.redhat.com> <20160714082327.GA10771@dhcp-40-8.bne.redhat.com> <57875C25.40203@redhat.com> Message-ID: <57875CBE.1000107@redhat.com>

On 07/14/2016 03:02 PM, Geetika Kapoor wrote:
> On 07/14/2016 01:53 PM, Fraser Tweedale wrote:
>> [...]
>> Please try this filter:
>>
>> (&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))
>>
>> It will find only certificates with missing or empty issuername
>> attribute. Does it work as expected for you, Geetika?
> Let me try Fraser..
>
> Thanks

Yes that works for both test cases.

> [...]
> _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From gkapoor at redhat.com Thu Jul 14 10:21:18 2016 
From: gkapoor at redhat.com (Geetika Kapoor) Date: Thu, 14 Jul 2016 15:51:18 +0530 Subject: [Pki-devel] [PATCH] Added fix for pki-server for db-update In-Reply-To: <57875C25.40203@redhat.com> References: <578620B2.8020203@redhat.com> <20160714043642.GV10771@dhcp-40-8.bne.redhat.com> <57872C45.4080907@redhat.com> <578740B6.90103@redhat.com> <20160714080151.GY10771@dhcp-40-8.bne.redhat.com> <20160714082327.GA10771@dhcp-40-8.bne.redhat.com> <57875C25.40203@redhat.com> Message-ID: <5787679E.4030608@redhat.com>

On 07/14/2016 03:02 PM, Geetika Kapoor wrote:
> On 07/14/2016 01:53 PM, Fraser Tweedale wrote:
>> [...]
>> Please try this filter:
>>
>> (&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))
>>
>> It will find only certificates with missing or empty issuername
>> attribute. Does it work as expected for you, Geetika?
> Let me try Fraser..
>
> Thanks

Thanks Fraser for helping in giving a better solution.

> [...]
-------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Added-fix-for-pki-server-for-db-update.patch Type: text/x-patch Size: 1481 bytes Desc: not available URL: From ftweedal at redhat.com Thu Jul 14 11:51:34 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 14 Jul 2016 21:51:34 +1000 Subject: [Pki-devel] [PATCH] Added fix for pki-server for db-update In-Reply-To: <5787679E.4030608@redhat.com> References: <578620B2.8020203@redhat.com> <20160714043642.GV10771@dhcp-40-8.bne.redhat.com> <57872C45.4080907@redhat.com> <578740B6.90103@redhat.com> <20160714080151.GY10771@dhcp-40-8.bne.redhat.com> <20160714082327.GA10771@dhcp-40-8.bne.redhat.com> <57875C25.40203@redhat.com> <5787679E.4030608@redhat.com> Message-ID: <20160714115134.GC10771@dhcp-40-8.bne.redhat.com>

On Thu, Jul 14, 2016 at 03:51:18PM +0530, Geetika Kapoor wrote:
> On 07/14/2016 03:02 PM, Geetika Kapoor wrote:
> > On 07/14/2016 01:53 PM, Fraser Tweedale wrote:
> >> [...]
> >> Please try this filter:
> >>
> >> (&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))
> >>
> >> It will find only certificates with missing or empty issuername
> >> attribute. Does it work as expected for you, Geetika?
> > Let me try Fraser..
> >
> > Thanks
>
> Thanks Fraser for helping in giving a better solution.
>
You're welcome. ACK, and pushed to master:

c3ff087bd07cde4cd272defad499fd4d8367e5c1

From edewata at redhat.com Thu Jul 14 17:55:07 2016
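The following is an added example, not code from the pki project or from anyone in this thread. It replays the filter discussion above in plain Python: a small in-memory model of the RFC 4515 filter subset involved (and/or/not, presence, caseIgnore equality, caseIgnore initial substring) is run over constructed certificateRecord entries for the three candidate filters (the original `(!(issuerName=*))`, the proposed `(!(issuerName=cn*))`, and Fraser's `(|(!(issuername=*))(issuername=))`), and a simplified `apply_modlist` contrasts `MOD_ADD` with `MOD_REPLACE` for issuerName. The entries, the issuer DN and the helper names are assumptions for illustration; the numeric `MOD_ADD`/`MOD_REPLACE` values mirror python-ldap's, and the model enforces no schema, which is precisely the condition under which an empty issuerName can exist.

```python
# Added example (not pki code): replay the db-upgrade filter discussion with a
# small in-memory model of LDAP filter matching, then compare MOD_ADD against
# MOD_REPLACE. Entries and the issuer DN are constructed for illustration.
ISSUER = "CN=CA Signing Certificate,O=example.com Security Domain"
ENTRIES = {  # modelled on the LDIF in the thread; only relevant attributes kept
    "cn=104": {"objectClass": ["certificateRecord", "top"],
               "issuerName": [ISSUER]},
    "cn=105": {"objectClass": ["certificateRecord", "top"],
               "issuerName": ["O=Example Corp,CN=Sub CA"]},  # set, not "cn"-prefixed
    "cn=106": {"objectClass": ["certificateRecord", "top"],
               "issuerName": [""]},       # present but empty (syntax checking off)
    "cn=107": {"objectClass": ["certificateRecord", "top"]},  # attribute absent
    "cn=108": {"objectClass": ["certificateRequest", "top"]},  # not a cert record
}

FILTER_ORIGINAL = "(&(objectclass=certificateRecord)(!(issuerName=*)))"
FILTER_PREFIX = "(&(objectclass=certificateRecord)(!(issuerName=cn*)))"
FILTER_FINAL = "(&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))"


def _parse(s, i=0):
    """Parse one parenthesised RFC 4515 filter (the subset used in the thread)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|":
        kids, i = [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1                 # consume the closing ')'
    if op == "!":
        node, i = _parse(s, i + 1)
        return ("!", [node]), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    if value == "*":
        return ("present", attr), j + 1          # (attr=*)  presence
    if value.endswith("*") and "*" not in value[:-1]:
        return ("prefix", attr, value[:-1]), j + 1   # (attr=xy*) initial substring
    return ("equal", attr, value), j + 1         # (attr=value), value may be ""


def _values(entry, attr):
    """Attribute lookup; LDAP attribute names compare case-insensitively."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals
    return []


def matches(node, entry):
    """Evaluate a parsed filter against one entry with caseIgnore semantics."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    vals = _values(entry, node[1])
    if kind == "present":
        return bool(vals)    # an empty-string value still counts as present
    if kind == "equal":
        return any(v.lower() == node[2].lower() for v in vals)
    if kind == "prefix":
        return any(v.lower().startswith(node[2].lower()) for v in vals)
    raise ValueError(kind)


def search(filter_str, entries=ENTRIES):
    """Return the sorted DNs of entries matching filter_str."""
    tree, end = _parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return sorted(dn for dn, entry in entries.items() if matches(tree, entry))


MOD_ADD, MOD_REPLACE = 0, 2   # same numeric values as python-ldap's ldap.MOD_*


def apply_modlist(entry, modlist):
    """Simplified model of modify_s(dn, modlist); a real server also enforces schema."""
    new = {k: list(v) for k, v in entry.items()}
    for op, attr, value in modlist:
        values = list(value) if isinstance(value, (list, tuple)) else [value]
        if op == MOD_ADD:
            new.setdefault(attr, []).extend(values)   # appends, keeps the old ""
        elif op == MOD_REPLACE:
            new[attr] = values                        # drops every old value
        else:
            raise ValueError("unsupported mod op %r" % op)
    return new


if __name__ == "__main__":
    for f in (FILTER_ORIGINAL, FILTER_PREFIX, FILTER_FINAL):
        print("%-70s -> %s" % (f, search(f)))
    for op in (MOD_ADD, MOD_REPLACE):
        print(op, apply_modlist(ENTRIES["cn=106"], [(op, "issuerName", ISSUER)])["issuerName"])
```

Running it shows the overmatch Fraser objected to: the `cn*` filter also selects cn=105, whose issuerName is set but begins with O=, so db-upgrade would rewrite a record that needs no change, while the original filter misses the empty-valued cn=106 entirely and Fraser's filter selects exactly the absent and empty cases. On a server that enforces attribute syntax no entry can carry an empty Directory String, so the `(issuername=)` branch then matches nothing. The `MOD_ADD` run reproduces the two-valued `['', 'CN=...']` result Geetika observed; `MOD_REPLACE` leaves the single correct value.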
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 14 Jul 2016 12:55:07 -0500 Subject: [Pki-devel] [PATCH] Added fix for pki-server for db-update In-Reply-To: <20160714115134.GC10771@dhcp-40-8.bne.redhat.com> References: <578620B2.8020203@redhat.com> <20160714043642.GV10771@dhcp-40-8.bne.redhat.com> <57872C45.4080907@redhat.com> <578740B6.90103@redhat.com> <20160714080151.GY10771@dhcp-40-8.bne.redhat.com> <20160714082327.GA10771@dhcp-40-8.bne.redhat.com> <57875C25.40203@redhat.com> <5787679E.4030608@redhat.com> <20160714115134.GC10771@dhcp-40-8.bne.redhat.com> Message-ID: On 7/14/2016 6:51 AM, Fraser Tweedale wrote: > You're welcome. ACK, and pushed to master: > > c3ff087bd07cde4cd272defad499fd4d8367e5c1 I added this commit into this ticket to ensure it's included in the next build: https://fedorahosted.org/pki/ticket/2399 -- Endi S. Dewata From edewata at redhat.com Thu Jul 14 18:02:18 2016 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 14 Jul 2016 13:02:18 -0500 Subject: [Pki-devel] [PATCH] 790 Fixed certificate validation error message. Message-ID: <5d53a147-19d2-5927-152a-bd234bf59121@redhat.com> The pkihelper.py has been modified to display the correct external command name on system certificate validation error. https://fedorahosted.org/pki/ticket/2399 Pushed to master under one-liner/trivial rule. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0790-Fixed-certificate-validation-error-message.patch Type: text/x-patch Size: 1302 bytes Desc: not available URL: From jmagne at redhat.com Thu Jul 14 18:42:36 2016 
From: jmagne at redhat.com (John Magne) Date: Thu, 14 Jul 2016 14:42:36 -0400 (EDT) Subject: [Pki-devel] [pki-devel][PATCH] 0076-MAN-Apply-generateCRMFRequest-removed-from-Firefox-w.patch In-Reply-To: <429874666.8087941.1468521510536.JavaMail.zimbra@redhat.com> Message-ID: <1888644176.8088812.1468521756920.JavaMail.zimbra@redhat.com>

[MAN] Apply 'generateCRMFRequest() removed from Firefox' workarounds to appropriate 'pki' man page

Ticket #1285

This fix will involve the following changes to the source tree.

1. Fixes to the CS.cfg to add two new cert profiles.
2. Make the caDualCert.cfg profile invisible since it has little chance of working any more in Firefox.
3. Create caSigningUserCert.cfg and caSigningECUserCert.cfg to allow the CLI to have convenient profiles from which to enroll signing ONLY certificates.

To go along with this I have filed a downstream release note bug that shows exactly how to deploy the new profile to separately create one signing cert and one encryption cert (with archival), which allows one to accomplish what the former caDualCert profile used to do when Firefox supported it.

-------------- next part -------------- A non-text attachment was scrubbed... Name: 0076-MAN-Apply-generateCRMFRequest-removed-from-Firefox-w.patch Type: text/x-patch Size: 16735 bytes Desc: not available URL:

From jmagne at redhat.com Fri Jul 15 01:29:16 2016
From: jmagne at redhat.com (John Magne) Date: Thu, 14 Jul 2016 21:29:16 -0400 (EDT) Subject: [Pki-devel] [pki-devel][PATCH] 0076-MAN-Apply-generateCRMFRequest-removed-from-Firefox-w.patch In-Reply-To: <1888644176.8088812.1468521756920.JavaMail.zimbra@redhat.com> References: <1888644176.8088812.1468521756920.JavaMail.zimbra@redhat.com> Message-ID: <2095258981.8138247.1468546156619.JavaMail.zimbra@redhat.com>

Conditionally ACKED by cfu. She wanted me to test the new ECC signing cert only profile I added: Test was a success.

Pushed to master. Closing ticket #1285.

Also release note bug on how to use the new profiles here: https://bugzilla.redhat.com/show_bug.cgi?id=1355849

----- Original Message -----
From: "John Magne" To: "pki-devel" , pki-devel at redhat.com Cc: cfu at redhat.com Sent: Thursday, July 14, 2016 11:42:36 AM Subject: [pki-devel][PATCH] 0076-MAN-Apply-generateCRMFRequest-removed-from-Firefox-w.patch

[...]

From edewata at redhat.com Fri Jul 15 02:04:03 2016
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 14 Jul 2016 21:04:03 -0500 Subject: [Pki-devel] [PATCH] 791 Fixed cert usage list in pki client-cert-validate. Message-ID: <9373d227-1a1d-bfbe-b50f-88cfc1023f28@redhat.com> The pki client-cert-validate has been modified to add the missing EmailRecipient and to list the supported cert usages. https://fedorahosted.org/pki/ticket/2376 https://fedorahosted.org/pki/ticket/2399 Pushed to master under one-liner/trivial rule. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0791-Fixed-cert-usage-list-in-pki-client-cert-validate.patch Type: text/x-patch Size: 2862 bytes Desc: not available URL: From edewata at redhat.com Fri Jul 15 03:45:55 2016 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 14 Jul 2016 22:45:55 -0500 Subject: [Pki-devel] [PATCH]pki-cfu-0149-Ticket-2246-MAN-Man-Page-AuditVerify.patch In-Reply-To: References: Message-ID:

On 7/12/2016 8:27 PM, Christina Fu wrote:
> man page for AuditVerify
>
> https://fedorahosted.org/pki/ticket/2246

Some comments/questions:

1. I think the -P option is unlikely to be used. Can we remove this option in the future?

2. In the description for the -a option, there's a missing space before the left parenthesis:

... paths(in chronological order) ...

3. Do we assume the auditor has access to the machine running the PKI server? Does the auditor have read access to the files in the instance folder?

4. Normally the server does not export the system certificate into files, so the admin has to do that before the auditor can import the file with this command:

certutil -d ~jsmith/auditVerifyDir/ -A -n "CA Certificate" -t "CT,CT,CT" -a -i /var/lib/instance_ID/alias/cacert.txt

I think we should replace the path with "-i cacert.txt". Here we're assuming the auditor already has the certificate file.

5. Similarly, the path to the audit certificate file should be replaced with "-i logsigncert.txt":

certutil -d ~jsmith/auditVerifyDir -A -n "Log Signing Certificate"-t ",,P" -a -i /var/lib/instance_ID/alias/logsigncert.txt

6. There should be a space before the -t in #5.

7. The following phrase assumes the auditor has write access to /etc/audit, is that the case? Or do we expect someone else to prepare the file for the auditor?

... this file could be logListFile in the /etc/audit directory ...

8. The database path in the description does not match the command:

... in the user home directory, such as /home/smith/.mozilla, ...

AuditVerify -d ~jsmith/auitVerifyDir ...

9. The "auditVerifyDir" is misspelled in #8.

10. When viewed using the man tool, the quotes surrounding "auditsigningcert" disappear, causing an extra space before the comma:

... and the signing certificate nickname is auditsigningcert , ...

11. The "auditsigningcert" nickname is inconsistent with the "Log Signing Certificate" used in #5.

12. The explanation for the verification failure in the following ticket is not included yet: https://fedorahosted.org/pki/ticket/2217

Is it going to be added in a separate patch?

-- Endi S. Dewata

From cfu at redhat.com Fri Jul 15 18:04:59 2016
From: cfu at redhat.com (Christina Fu)
Date: Fri, 15 Jul 2016 11:04:59 -0700
Subject: [Pki-devel] [PATCH]pki-cfu-0149-Ticket-2246-MAN-Man-Page-AuditVerify.patch
Message-ID: <781355f7-4d7e-bf35-a1b8-20228471e42d@redhat.com>

pushed per Endi's verbal conditional ack:
commit 078dfc1f01dea30800f19eed6df4ed547edffee3

thanks!!
Christina

On 07/14/2016 08:45 PM, Endi Sukma Dewata wrote:
> On 7/12/2016 8:27 PM, Christina Fu wrote:
>> man page for AuditVerify
>>
>> https://fedorahosted.org/pki/ticket/2246
>
> Some comments/questions:
>
> 1. I think the -P option would unlikely be used. Can we remove this option in the future?
>
> 2. In the description for the -a option, there's a missing space before the left parenthesis:
>
> ... paths(in chronological order) ...
>
> 3. Do we assume the auditor to have access to the machine running the PKI server? Does the auditor have read access to the files in the instance folder?
>
> 4. Normally the server does not export the system certificate into files, so the admin has to do that before the auditor can import the file with this command:
>
> certutil -d ~jsmith/auditVerifyDir/ -A -n "CA Certificate" -t "CT,CT,CT" -a -i /var/lib/instance_ID/alias/cacert.txt
>
> I think we should replace the path with "-i cacert.txt". Here we're assuming the auditor already has the certificate file.
>
> 5. Similarly, the path to the audit certificate file should be replaced with "-i logsigncert.txt":
>
> certutil -d ~jsmith/auditVerifyDir -A -n "Log Signing Certificate"-t ",,P" -a -i /var/lib/instance_ID/alias/logsigncert.txt
>
> 6. There should be a space before the -t in #5.
>
> 7. The following phrase assumes the auditor has write access to /etc/audit, is that the case? Or do we expect someone else to prepare the file for the auditor?
>
> ... this file could be logListFile in the /etc/audit directory ...
>
> 8. The database path in the description does not match the command:
>
> ... in the user home directory, such as /home/smith/.mozilla, ...
>
> AuditVerify -d ~jsmith/auitVerifyDir ...
>
> 9. The "auditVerifyDir" is misspelled in #8.
>
> 10. When viewed using the man tool, the quotes surrounding "auditsigningcert" disappear causing an extra space before the comma:
>
> ... and the signing certificate nickname is auditsigningcert , ...
>
> 11. The "auditsigningcert" nickname is inconsistent with the "Log Signing Certificate" used in #5.
>
> 12. The explanation for the verification failure in the following ticket is not included yet:
> https://fedorahosted.org/pki/ticket/2217
>
> Is it going to be added in a separate patch?
>

From edewata at redhat.com Tue Jul 19 23:09:47 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 19 Jul 2016 18:09:47 -0500
Subject: [Pki-devel] [PATCH] 792 Removed redundant question in interactive pkispawn.
Message-ID: <2e0cb594-c8d8-01cb-88d4-22e2fefd4380@redhat.com>

The pkispawn has been modified such that if the admin selects to import the admin certificate, the admin will not be asked where to export the certificate.

https://fedorahosted.org/pki/ticket/2399

Pushed under one-liner/trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed... Name: pki-edewata-0792-Removed-redundant-question-in-interactive-pkispawn.patch Type: text/x-patch Size: 1631 bytes

From edewata at redhat.com Tue Jul 19 23:10:03 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 19 Jul 2016 18:10:03 -0500
Subject: [Pki-devel] [PATCH] 793 Fixed pkispawn installation summary.
Message-ID: <9566743c-c477-f081-a45e-74a791f79934@redhat.com>

The pkispawn installation summary has been modified not to show the admin certificate nickname and NSS database if pki_client_database_purge or pki_clone is set to true, since the NSS database will not be created in those cases.

https://fedorahosted.org/pki/ticket/2399

Pushed under one-liner/trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed... Name: pki-edewata-0793-Fixed-pkispawn-installation-summary.patch Type: text/x-patch Size: 1686 bytes

From edewata at redhat.com Tue Jul 19 23:12:34 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 19 Jul 2016 18:12:34 -0500
Subject: [Pki-devel] [PATCH] 794 Fixed error handling in SystemConfigService.
Message-ID: <853a21e2-9ce4-1bce-eaad-f172da520357@redhat.com>

To help troubleshooting, the SystemConfigService has been modified to chain the original exception and to log the stack trace into the debug log.

https://fedorahosted.org/pki/ticket/2399

Pushed under one-liner/trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed... Name: pki-edewata-0794-Fixed-error-handling-in-SystemConfigService.patch Type: text/x-patch Size: 2485 bytes

From bbhavsar at redhat.com Wed Jul 20 14:55:28 2016
From: bbhavsar at redhat.com (Bhavik Bhavsar)
Date: Wed, 20 Jul 2016 20:25:28 +0530
Subject: [Pki-devel] [PATCH] Fixes for BZ 1330755.

Hello All,

Attached patch fixes https://bugzilla.redhat.com/show_bug.cgi?id=1330755

Kindly review this patch.

Regards
Bhavik Bhavsar

-------------- next part --------------
A non-text attachment was scrubbed... Name: 0001-bz1330755-Fix-bashisms-in-tests-bash-to-sh.patch Type: text/x-patch Size: 241541 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: 0002-bz1330755-Fix-bashisms-in-tests-source-to-dot.patch Type: text/x-patch Size: 16216 bytes

From edewata at redhat.com Fri Jul 22 18:16:11 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jul 2016 13:16:11 -0500
Subject: [Pki-devel] [PATCH] 795 Fixed param substitution problem.
Message-ID: <5a881b75-e9ee-a766-1ecc-a39b91bae56f@redhat.com>

The string splice operation in substitute_deployment_params() has been fixed to include the rest of the string.

https://fedorahosted.org/pki/ticket/2399

Pushed under one-liner/trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed... Name: pki-edewata-0795-Fixed-param-substitution-problem.patch Type: text/x-patch Size: 1318 bytes

From edewata at redhat.com Fri Jul 22 19:16:40 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jul 2016 14:16:40 -0500
Subject: [Pki-devel] [PATCH] 796 Added CMake target dependencies.
Message-ID: <3b46f651-6b85-eb4a-bb40-66deb8378329@redhat.com>

To help troubleshooting build issues, some CMake dependencies have been added to some targets even though the actual code does not require those dependencies. This will ensure the targets are built sequentially so build failures can be found more easily at the end of the build log.

https://fedorahosted.org/pki/ticket/2403

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed... Name: pki-edewata-0796-Added-CMake-target-dependencies.patch Type: text/x-patch Size: 5163 bytes

From edewata at redhat.com Fri Jul 22 19:16:48 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jul 2016 14:16:48 -0500
Subject: [Pki-devel] [PATCH] 797 Removed hard-coded paths in pki.policy.
Message-ID: <675f8efb-47af-5706-a66a-da1e0da5171a@redhat.com>

The operations script has been modified to generate pki.policy dynamically from links in the /common/lib directory. This allows the pki.policy to match the actual paths on different platforms.

https://fedorahosted.org/pki/ticket/2403

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed... Name: pki-edewata-0797-Removed-hard-coded-paths-in-pki.policy.patch Type: text/x-patch Size: 7795 bytes

From mharmsen at redhat.com Sat Jul 23 02:58:12 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 22 Jul 2016 20:58:12 -0600
Subject: [Pki-devel] [PATCH] pki-tools man pages
Message-ID: <0c89171f-c757-61b4-a976-6634464cd289@redhat.com>

Please review the following patch which includes a batch of man pages for:

* PKI TRAC Ticket #690 - [MAN] pki-tools man pages

which includes new man pages for the following:

* AtoB
* BtoA
* KRATool
* PrettyPrintCert
* PrettyPrintCrl

I have also included the patch for the spec file which adds a compatibility symlink from DRMTool.1.gz -> KRATool.1.gz, and packaging for the AuditVerify.1.gz tool.

-- Matt

P. S. - I am currently at work on the man pages for the various CMC tools.

-------------- next part --------------
A non-text attachment was scrubbed... Name: 20160722-pki-tools-man-pages.patch Type: text/x-patch Size: 50051 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: 20160722-pki-tools-man-pages-spec-file.patch Type: text/x-patch Size: 2006 bytes

From edewata at redhat.com Sun Jul 24 18:40:43 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 24 Jul 2016 13:40:43 -0500
Subject: [Pki-devel] [PATCH] 798-799 Removed hard-coded paths in pki CLI.

The pki CLI has been modified to use the java.ext.dirs property to load the dependencies instead of listing them one-by-one. The dependencies are stored as links in the /usr/share/pki/lib folder. This allows the RPM spec to customize the links for different platforms.

https://fedorahosted.org/pki/ticket/2403

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed... Name: pki-edewata-0798-Removed-hard-coded-paths-in-pki-CLI.patch Type: text/x-patch Size: 8100 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: pki-edewata-0799-RPM-spec-changes-for-removing-hard-coded-paths-in-pk.patch Type: text/x-patch Size: 3748 bytes

From edewata at redhat.com Sun Jul 24 18:40:49 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 24 Jul 2016 13:40:49 -0500
Subject: [Pki-devel] [PATCH] 800-801 Removed hard-coded paths in deployment tool.
Message-ID: <02e00ec0-33fe-8ebf-9337-7402ca8a401a@redhat.com>

The deployment tool has been modified to link /common to /usr/share/pki/server/common instead of creating separate links for each dependency. This allows the RPM spec to customize the links for different platforms.

https://fedorahosted.org/pki/ticket/2403

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed... Name: pki-edewata-0800-Removed-hard-coded-paths-in-deployment-tool.patch Type: text/x-patch Size: 25167 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: pki-edewata-0801-RPM-spec-changes-for-removing-hard-coded-paths-in-de.patch Type: text/x-patch Size: 3480 bytes

From edewata at redhat.com Tue Jul 26 19:22:44 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 26 Jul 2016 14:22:44 -0500
Subject: [Pki-devel] [PATCH] 796 Added CMake target dependencies.
In-Reply-To: <3b46f651-6b85-eb4a-bb40-66deb8378329@redhat.com>
References: <3b46f651-6b85-eb4a-bb40-66deb8378329@redhat.com>

On 7/22/2016 2:16 PM, Endi Sukma Dewata wrote:
> To help troubleshooting build issues, some CMake dependencies have been added to some targets even though the actual code does not require those dependencies. This will ensure the targets are built sequentially so build failures can be found more easily at the end of the build log.
>
> https://fedorahosted.org/pki/ticket/2403

ACKed by alee (Thanks!). Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Tue Jul 26 19:23:26 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 26 Jul 2016 14:23:26 -0500
Subject: [Pki-devel] [PATCH] 797 Removed hard-coded paths in pki.policy.
In-Reply-To: <675f8efb-47af-5706-a66a-da1e0da5171a@redhat.com>
References: <675f8efb-47af-5706-a66a-da1e0da5171a@redhat.com>

On 7/22/2016 2:16 PM, Endi Sukma Dewata wrote:
> The operations script has been modified to generate pki.policy dynamically from links in the /common/lib directory. This allows the pki.policy to match the actual paths on different platforms.
>
> https://fedorahosted.org/pki/ticket/2403

ACKed by alee (Thanks!). Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Tue Jul 26 19:23:36 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 26 Jul 2016 14:23:36 -0500
Subject: [Pki-devel] [PATCH] 798-799 Removed hard-coded paths in pki CLI.
Message-ID: <8e0a6572-10f1-4c9e-1542-73317e086b92@redhat.com>

On 7/24/2016 1:40 PM, Endi Sukma Dewata wrote:
> The pki CLI has been modified to use the java.ext.dirs property to load the dependencies instead of listing them one-by-one. The dependencies are stored as links in the /usr/share/pki/lib folder. This allows the RPM spec to customize the links for different platforms.
>
> https://fedorahosted.org/pki/ticket/2403

ACKed by alee (Thanks!). Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Tue Jul 26 19:23:43 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 26 Jul 2016 14:23:43 -0500
Subject: [Pki-devel] [PATCH] 800-801 Removed hard-coded paths in deployment tool.
In-Reply-To: <02e00ec0-33fe-8ebf-9337-7402ca8a401a@redhat.com>
References: <02e00ec0-33fe-8ebf-9337-7402ca8a401a@redhat.com>
Message-ID: <7167eb01-e920-97e3-bec1-c1370e295ff7@redhat.com>

On 7/24/2016 1:40 PM, Endi Sukma Dewata wrote:
> The deployment tool has been modified to link /common to /usr/share/pki/server/common instead of creating separate links for each dependency. This allows the RPM spec to customize the links for different platforms.
>
> https://fedorahosted.org/pki/ticket/2403

ACKed by alee (Thanks!). Pushed to master.

--
Endi S. Dewata

From ftweedal at redhat.com Wed Jul 27 01:32:50 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 27 Jul 2016 11:32:50 +1000
Subject: [Pki-devel] [PATCH] 0128 Fix CA OCSP responder when LWCA's are not in use
Message-ID: <20160727013250.GV10771@dhcp-40-8.bne.redhat.com>

Hi team,

The attached patch fixes https://fedorahosted.org/pki/ticket/2420.

Thanks,
Fraser

-------------- next part --------------
From 86030eb0c231734a3020b201a9be60e84d023e75 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Tue, 26 Jul 2016 14:07:10 +1000 Subject: [PATCH] Fix CA OCSP responder when LWCAs are not in use The CA subsystem OCSP responder was updated to handle dispatching OCSP requests to the relevant CertificateAuthority instance, according to the issuer of the certificates identified in the request. Unfortunately, the updated routine assumes that the database updates that enable lightweight CAs have occurred. If they have not, the OCSP responder always fails. Fix the issue by inferring that if 'caMap' is empty, lightweight CAs are not in use, the current instance is the one and only CA, and proceed straight to validation. Fixes: https://fedorahosted.org/pki/ticket/2420 --- base/ca/src/com/netscape/ca/CertificateAuthority.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index 502ab1856352fb26ed480a3a54d59ffca5facdb3..a5397da0c0dcea654a15f16e5becc5c430a1bb29 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -2240,6 +2240,10 @@ public class CertificateAuthority * employ some heuristic to deal with this case. Our * heuristic is: * + * 0. If caMap contains no CAs, then lightweight CAs are not + * enabled. There is only one CA, and 'this' is it. Go + * straight to validation. + * * 1. Find the issuer of the cert identified by the first * CertID in the request. * @@ -2254,7 +2258,7 @@ public class CertificateAuthority * aggregate OCSP response. */ ICertificateAuthority ocspCA = this; - if (tbsReq.getRequestCount() > 0) { + if (caMap.size() > 0 && tbsReq.getRequestCount() > 0) { com.netscape.cmsutil.ocsp.Request req = tbsReq.getRequestAt(0); BigInteger serialNo = req.getCertID().getSerialNumber(); X509CertImpl cert = mCertRepot.getX509Certificate(serialNo); -- 2.5.5 From gkapoor at redhat.com Wed Jul 27 12:37:39 2016 
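Review bot: in the second hunk the new guard `caMap.size() > 0 && tbsReq.getRequestCount() > 0` makes an empty caMap stand for "lightweight CAs not enabled", but the lines shown do not establish whether the host CA registers itself in caMap; if it does, caMap has one entry on an instance whose lightweight-CA database updates have not run, the issuer lookup path is still taken, and the responder fails exactly as the commit message describes. Please confirm that invariant and state it in the step-0 comment, and consider writing the check as `!caMap.isEmpty()` so the code reads like the comment's "contains no CAs".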
From: gkapoor at redhat.com (Geetika Kapoor)
Date: Wed, 27 Jul 2016 18:07:39 +0530
Subject: [Pki-devel] [PATCH] Fix NumberFormatException for tps-cert-find when given non integer value to size and start option
Message-ID: <5798AB13.90501@redhat.com>

Hi,

I tried to fix NumberFormatException when I did tps-cert-find with a non-integer/invalid range value for size and start. I was doing testing for tps-cert and then I came across this. I thought of giving some additional info to users in place of NumberFormatException. I have done a similar fix on rhel7, compiled it, made a jar and tested on rhel7. I can share that patch if needed. Below are the test results.

Before fix testing:

1. pki -h pki1.example.com -p 25080 tps-cert-find --start "gy"
   NumberFormatException: For input string: "gy"

2. pki -h pki1.example.com -p 25080 tps-cert-find --size "gy"
   NumberFormatException: For input string: "gy"

3. pki -p 25080 tps-cert-find --start 1789999999999999999999999999999999999999999999
   NumberFormatException: For input string: "1789999999999999999999999999999999999999999999"

After fix testing:

1. [root at pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --start "gy"
   Error: Enter valid integer value for size/start option
   usage: tps-cert-find [FILTER] [OPTIONS...]
       --help     Show help options
       --size     Page size
       --start    Page start
       --token    Token ID

2. [root at pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --size "hy"
   Error: Enter valid integer value for size/start option
   usage: tps-cert-find [FILTER] [OPTIONS...]
       --help     Show help options
       --size     Page size
       --start    Page start
       --token    Token ID

3. [root at pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --start 1
   -----------------
   2 entries matched
   -----------------
     Cert ID: 3d.20160720042931
     Serial Number: 0x3d
     Subject: UID=ldapuser7,O=Token Key User
     Token ID: 40906145C76224192D78
     Key Type: encryption
     Status: active
     User ID: ldapuser7
     Create Time: Wed Jul 20 04:29:31 EDT 2016
   ----------------------------
   Number of entries returned 1
   ----------------------------

4. [root at pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --size 1
   -----------------
   2 entries matched
   -----------------
     Cert ID: 3c.20160720042931
     Serial Number: 0x3c
     Subject: UID=ldapuser7,O=Token Key User
     Token ID: 40906145C76224192D78
     Key Type: signing
     Status: active
     User ID: ldapuser7
     Create Time: Wed Jul 20 04:29:31 EDT 2016
   ----------------------------
   Number of entries returned 1
   ----------------------------

5. [root at pki1 cert]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --start 1789999999999999999999999999999999999999999999
   Error: Enter valid integer value for size/start option
   usage: tps-cert-find [FILTER] [OPTIONS...]
       --help     Show help options
       --size     Page size
       --start    Page start
       --token    Token ID

Thanks
Geetika

-------------- next part --------------
A non-text attachment was scrubbed... Name: 0001-Added-logging-inplace-of-NumberFormatException-for-t.patch Type: text/x-patch Size: 3166 bytes

From edewata at redhat.com Wed Jul 27 18:22:58 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 27 Jul 2016 13:22:58 -0500
Subject: [Pki-devel] [PATCH] 802 Added upgrade scripts to fix server library.
Message-ID: <8793c65c-9a73-0ab6-a7d0-9e987cdefd7d@redhat.com>

An upgrade script has been added to replace the /common in existing instances with a link to /usr/share/pki/server/common which contains links to server dependencies.

https://fedorahosted.org/pki/ticket/2403

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed... Name: pki-edewata-0802-Added-upgrade-scripts-to-fix-server-library.patch Type: text/x-patch Size: 3934 bytes

From edewata at redhat.com Wed Jul 27 18:23:43 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 27 Jul 2016 13:23:43 -0500
Subject: [Pki-devel] [PATCH] 803 Fixed SELinux contexts.
Message-ID: <7c19e5fb-e7e4-54c0-4590-d46d908c662d@redhat.com>

The deployment tool has been modified to set up SELinux contexts after all instance files have been created to ensure they have the correct contexts. An upgrade script has been added to fix existing instances.

https://fedorahosted.org/pki/ticket/2421

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed... Name: pki-edewata-0803-Fixed-SELinux-contexts.patch Type: text/x-patch Size: 3929 bytes

From edewata at redhat.com Wed Jul 27 18:51:16 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 27 Jul 2016 13:51:16 -0500
Subject: [Pki-devel] [PATCH] Fix NumberFormatException for tps-cert-find when given non integer value to size and start option
In-Reply-To: <5798AB13.90501@redhat.com>
References: <5798AB13.90501@redhat.com>

Geetika,

Yes, more info would be helpful. I have some comments below.

On 7/27/2016 7:37 AM, Geetika Kapoor wrote:
> Hi,
>
> I tried to fix NumberFormatException when I did tps-cert-find with a non-integer/invalid range value for size and start. I was doing testing for tps-cert and then I came across this. I thought of giving some additional info to users in place of NumberFormatException. I have done a similar fix on rhel7, compiled it, made a jar and tested on rhel7. I can share that patch if needed. Below are the test results.
>
> Before fix testing:
>
> 1. pki -h pki1.example.com -p 25080 tps-cert-find --start "gy"
> NumberFormatException: For input string: "gy"
>
> 2. pki -h pki1.example.com -p 25080 tps-cert-find --size "gy"
> NumberFormatException: For input string: "gy"
>
> 3. pki -p 25080 tps-cert-find --start 1789999999999999999999999999999999999999999999
> NumberFormatException: For input string: "1789999999999999999999999999999999999999999999"
>
>
> After fix testing:
>
> 1. [root at pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --start "gy"
> Error: Enter valid integer value for size/start option
> usage: tps-cert-find [FILTER] [OPTIONS...]
>     --help     Show help options
>     --size     Page size
>     --start    Page start
>     --token    Token ID

I think it would be useful to show the user which parameter has the invalid value and also the invalid value itself, so something like this:

Error: Invalid value for --start parameter: gy

> 2. [root at pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --size "hy"
> Error: Enter valid integer value for size/start option
> usage: tps-cert-find [FILTER] [OPTIONS...]
>     --help     Show help options
>     --size     Page size
>     --start    Page start
>     --token    Token ID

Same thing here:

Error: Invalid value for --size parameter: hy

So you may need to create separate try-catch blocks for each parameter.

Another thing, I'm not sure if we should display the command usage after the failure. The usage could be very long and it may obscure the error message. The error message itself should be sufficient to fix the problem, and if needed the user can see the usage using the --help parameter. We probably can display something like this after the error message (replace with the actual command name):

Try 'pki --help' for more information.

One more thing, please preserve the formatting of the existing code. We use 4 spaces instead of tabs for indentation. Thanks.

--
Endi S. Dewata

From jmagne at redhat.com Wed Jul 27 18:53:34 2016
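The validation pattern suggested in the review above, as an added example that is not the project's TPSCertFindCLI.java nor the code in the attached patch: each integer option is parsed on its own so the error names the offending parameter and echoes its value, the overflow case from test 3 (a value too large for an int) is reported the same way as a non-numeric string, and a short help hint replaces the full usage dump. The option names and the tps-cert-find command come from the thread; the class name, method names, default values and the lower-bound check are assumptions of this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper written for this example; it is not the project's
// TPSCertFindCLI.java and not the code in the attached patch.
public class PagingOptions {

    /** Thrown for an unusable option value; the message follows the format suggested in the review. */
    public static class InvalidOptionValue extends IllegalArgumentException {
        private static final long serialVersionUID = 1L;

        public InvalidOptionValue(String option, String value) {
            super("Invalid value for --" + option + " parameter: " + value);
        }
    }

    /**
     * Parse one integer option on its own, so a failure names exactly the
     * parameter that caused it. Both "gy" and the 46-digit value from the
     * thread land in the catch block: Integer.parseInt throws
     * NumberFormatException for a non-numeric string and for anything
     * outside the int range, so overflow is reported the same way.
     */
    public static int parseIntOption(String option, String value, int min) {
        int parsed;
        try {
            parsed = Integer.parseInt(value.trim());
        } catch (NumberFormatException e) {
            throw new InvalidOptionValue(option, value);
        }
        // Lower bound is an assumption of this example (the thread does not
        // discuss negative values): a negative start or a zero/negative size
        // is rejected with the same message rather than passed to the server.
        if (parsed < min) {
            throw new InvalidOptionValue(option, value);
        }
        return parsed;
    }

    // Constructed defaults for the example; the real CLI's defaults may differ.
    public static final int DEFAULT_START = 0;
    public static final int DEFAULT_SIZE = 20;

    /**
     * Parse --start and --size from already-split options. Each option is
     * validated by its own parseIntOption call, which is the "separate
     * try-catch per parameter" the review asks for; the first bad one wins.
     * Returns {start, size}.
     */
    public static int[] parsePaging(Map<String, String> options) {
        int start = DEFAULT_START;
        int size = DEFAULT_SIZE;
        if (options.containsKey("start")) {
            start = parseIntOption("start", options.get("start"), 0);
        }
        if (options.containsKey("size")) {
            size = parseIntOption("size", options.get("size"), 1);
        }
        return new int[] { start, size };
    }

    public static void main(String[] args) {
        String command = "pki tps-cert-find";  // command name from the thread
        // Constructed inputs mirroring the thread's test cases, plus one valid value.
        String[][] cases = {
            { "start", "gy" },
            { "size", "hy" },
            { "start", "1789999999999999999999999999999999999999999999" },
            { "start", "1" },
        };
        for (String[] c : cases) {
            Map<String, String> opts = new LinkedHashMap<>();
            opts.put(c[0], c[1]);
            try {
                int[] paging = parsePaging(opts);
                System.out.println("--" + c[0] + " " + c[1]
                        + " -> start=" + paging[0] + " size=" + paging[1]);
            } catch (InvalidOptionValue e) {
                // Short error plus a help hint, instead of dumping the full usage.
                System.err.println("Error: " + e.getMessage());
                System.err.println("Try '" + command + " --help' for more information.");
            }
        }
    }
}
```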
From: jmagne at redhat.com (John Magne)
Date: Wed, 27 Jul 2016 14:53:34 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0077-Make-starting-CRL-Number-configurable.patch
In-Reply-To: <584353371.1602541.1469645587496.JavaMail.zimbra@redhat.com>
Message-ID: <1380682720.1602610.1469645614300.JavaMail.zimbra@redhat.com>

Make starting CRL Number configurable.

Ticket #2406 Make starting CRL Number configurable

This simple patch provides a pkispawn config param that passes some starting crl number value to the config process.

Here is a sample:

[CA]
pki_ca_starting_crl_number=4000

After the CA comes up the value of "crlNumber" in the db will reflect that value of 4000.

Currently no other values are changed. We can talk about if we need more values reset in the given case.

Also, this creates a setting in the CS.cfg

ca.crl.MasterCrl.startingCrlNumber=4000

This setting is only consulted when the crl Issuing Point record is created for the first time.

-------------- next part --------------
A non-text attachment was scrubbed... Name: 0077-Make-starting-CRL-Number-configurable.patch Type: text/x-patch Size: 9818 bytes

From jmagne at redhat.com Wed Jul 27 21:23:25 2016
From: jmagne at redhat.com (John Magne)
Date: Wed, 27 Jul 2016 17:23:25 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0077-Make-starting-CRL-Number-configurable.patch
In-Reply-To: <1380682720.1602610.1469645614300.JavaMail.zimbra@redhat.com>
References: <1380682720.1602610.1469645614300.JavaMail.zimbra@redhat.com>
Message-ID: <1276468403.1628781.1469654605714.JavaMail.zimbra@redhat.com>

Verbally acked by edewata thanks! : pushed to master

Closing ticket: #2406

----- Original Message -----
> From: "John Magne"
> To: "pki-devel"
> Sent: Wednesday, July 27, 2016 11:53:34 AM
> Subject: [Pki-devel] [pki-devel][PATCH] 0077-Make-starting-CRL-Number-configurable.patch
>
> Make starting CRL Number configurable.
>
> Ticket #2406 Make starting CRL Number configurable
>
> This simple patch provides a pkispawn config param that passes some starting crl number value to the config process.
>
> Here is a sample:
>
> [CA]
> pki_ca_starting_crl_number=4000
>
> After the CA comes up the value of "crlNumber" in the db will reflect that value of 4000.
>
> Currently no other values are changed. We can talk about if we need more values reset in the given case.
>
> Also, this creates a setting in the CS.cfg
>
> ca.crl.MasterCrl.startingCrlNumber=4000
>
> This setting is only consulted when the crl Issuing Point record is created for the first time.
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From gkapoor at redhat.com Thu Jul 28 07:14:00 2016
From: gkapoor at redhat.com (Geetika Kapoor)
Date: Thu, 28 Jul 2016 12:44:00 +0530
Subject: [Pki-devel] [PATCH] Fix NumberFormatException for tps-cert-find when given non integer value to size and start option
In-Reply-To:
References: <5798AB13.90501@redhat.com>
Message-ID: <5799B0B8.6020108@redhat.com>

Hi Endi,

I am attaching the Java code file as well with this patch that I have used for the same testing on rhel7. I thought it would be helpful. I did a quick test of similar ones and nothing looks like it is breaking with the new piece of code.

On 07/28/2016 12:21 AM, Endi Sukma Dewata wrote:
> Geetika,
>
> Yes, more info would be helpful. I have some comments below.
>
> On 7/27/2016 7:37 AM, Geetika Kapoor wrote:
>> Hi,
>>
>> I tried to fix NumberFormatException when I did tps-cert-find with a non-integer/invalid range value for size and start. I was doing testing for tps-cert and then I came across this. I thought of giving some additional info to users in place of NumberFormatException. I have done a similar fix on rhel7, compiled it, made a jar and tested on rhel7. I can share that patch if needed. Below are the test results.
>>
>> Before fix testing:
>>
>> 1. pki -h pki1.example.com -p 25080 tps-cert-find --start "gy"
>> NumberFormatException: For input string: "gy"
>>
>> 2. pki -h pki1.example.com -p 25080 tps-cert-find --size "gy"
>> NumberFormatException: For input string: "gy"
>>
>> 3. pki -p 25080 tps-cert-find --start 1789999999999999999999999999999999999999999999
>> NumberFormatException: For input string: "1789999999999999999999999999999999999999999999"
>>
>>
>> After fix testing:
>>
>> 1. [root at pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --start "gy"
>> Error: Enter valid integer value for size/start option
>> usage: tps-cert-find [FILTER] [OPTIONS...]
>>     --help     Show help options
>>     --size     Page size
>>     --start    Page start
>>     --token    Token ID
>
> I think it would be useful to show the user which parameter has the invalid value and also the invalid value itself, so something like this:
>
> Error: Invalid value for --start parameter: gy

Fixed: Now it is showing

[root at pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --size tyu
Error: Invalid value for --size parameter:tyu

[root at pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --start tyu
Error: Invalid value for --start parameter:tyu

>
>> 2. [root at pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --size "hy"
>> Error: Enter valid integer value for size/start option
>> usage: tps-cert-find [FILTER] [OPTIONS...]
>>     --help     Show help options
>>     --size     Page size
>>     --start    Page start
>>     --token    Token ID
>
> Same thing here:
>
> Error: Invalid value for --size parameter: hy
>
> So you may need to create separate try-catch blocks for each parameter.
>
> Another thing, I'm not sure if we should display the command usage after the failure. The usage could be very long and it may obscure the error message. The error message itself should be sufficient to fix the problem, and if needed the user can see the usage using the --help parameter. We probably can display something like this after the error message (replace with the actual command name):

Removed the printhelp() each time, because the command typed is correct and only the values are invalid, so that is the message we have displayed.

>
> Try 'pki --help' for more information.
>
> One more thing, please preserve the formatting of the existing code. We use 4 spaces instead of tabs for indentation. Thanks.

I have removed tabs.

-------------- next part --------------
A non-text attachment was scrubbed... Name: 0001-Fixed-NumberFormatException-in-tps-cert-find.patch Type: text/x-patch Size: 2668 bytes
-------------- next part --------------
A non-text attachment was scrubbed... Name: TPSCertFindCLI.java Type: text/x-java Size: 3801 bytes

From alee at redhat.com Thu Jul 28 18:18:09 2016
From: alee at redhat.com (Ade Lee)
Date: Thu, 28 Jul 2016 19:18:09 +0100
Subject: [Pki-devel] [PATCH] 326 - re-license the python client code
Message-ID: <1469729889.16581.40.camel@redhat.com>

In order to keep the Dogtag plugin in the Openstack Barbican source tree, it is necessary to re-license the Python client code to be LGPLv3 as opposed to GPLv2, to comply with Openstack rules for licensing of dependencies.

http://governance.openstack.org/reference/licensing.html

This patch makes the relevant changes. Please review.

Thanks,

Ade

-------------- next part --------------
A non-text attachment was scrubbed... Name: pki-vakwetu-0326-Re-license-the-python-client-files-to-LGPLv3.patch Type: text/x-patch Size: 36518 bytes

From alee at redhat.com Fri Jul 29 11:30:28 2016
From: alee at redhat.com (Ade Lee)
Date: Fri, 29 Jul 2016 12:30:28 +0100
Subject: [Pki-devel] [PATCH] 327 - small fix for SERVER_KEYGEN slot substitution
Message-ID: <1469791828.30238.4.camel@redhat.com>

Addresses Ticket 2418 - Some template substitution didn't happen during installation (specifically SERVER_KEYGEN)

Please review,

Ade

-------------- next part --------------
A non-text attachment was scrubbed... Name: pki-vakwetu-0327-Do-slot-substitution-for-SERVER_KEYGEN.patch Type: text/x-patch Size: 1742 bytes

From alee at redhat.com Fri Jul 29 11:54:09 2016
From: alee at redhat.com (Ade Lee)
Date: Fri, 29 Jul 2016 12:54:09 +0100
Subject: [Pki-devel] [PATCH] 326 - re-license the python client code
In-Reply-To: <1469729889.16581.40.camel@redhat.com>
References: <1469729889.16581.40.camel@redhat.com>
Message-ID: <1469793249.24507.1.camel@redhat.com>

Small mod on wording (from legal) to allow v3+, and modify spec file to include the new license file.

Ade

On Thu, 2016-07-28 at 19:18 +0100, Ade Lee wrote:
> In order to keep the Dogtag plugin in the Openstack Barbican source
> tree, it is necessary to re-license the Python client code to be
> LGPLv3 as opposed to GPLv2, to comply with Openstack rules for
> licensing of dependencies.
>
> http://governance.openstack.org/reference/licensing.html
>
> This patch makes the relevant changes. Please review.
> Thanks,
>
> Ade
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0326-2-Re-license-the-python-client-files-to-LGPLv3.patch
Type: text/x-patch
Size: 39254 bytes
Desc: not available
URL:

From alee at redhat.com Fri Jul 29 13:48:03 2016
From: alee at redhat.com (Ade Lee)
Date: Fri, 29 Jul 2016 14:48:03 +0100
Subject: [Pki-devel] [PATCH] 328 - fix trust settings for pki client-cert-import
Message-ID: <1469800083.17372.1.camel@redhat.com>

Fix client-cert-import to set provided trust bits

Ticket 2412

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0328-Fix-client-cert-import-to-set-provided-trust-bits.patch
Type: text/x-patch
Size: 3029 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Jul 29 20:17:36 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 29 Jul 2016 15:17:36 -0500
Subject: [Pki-devel] [PATCH] Updated RESTEasy dependency on Fedora 24.
Message-ID:

The RPM spec for Fedora 24 has been updated to use RESTEasy 3.0.17 as in Fedora 25.

https://fedorahosted.org/pki/ticket/2403

Pushed to master under one-liner/trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0804-Updated-RESTEasy-dependency-on-Fedora-24.patch
Type: text/x-patch
Size: 2026 bytes
Desc: not available
URL:

From jmagne at redhat.com Fri Jul 29 20:44:49 2016
From: jmagne at redhat.com (John Magne)
Date: Fri, 29 Jul 2016 16:44:49 -0400 (EDT)
Subject: [Pki-devel] [PATCH] 327 - small fix for SERVER_KEYGEN slot substitution
In-Reply-To: <1469791828.30238.4.camel@redhat.com>
References: <1469791828.30238.4.camel@redhat.com>
Message-ID: <780593728.2304327.1469825089760.JavaMail.zimbra@redhat.com>

Tried this out myself, seems to work just fine.

ACK.

----- Original Message -----
From: "Ade Lee"
To: pki-devel at redhat.com
Sent: Friday, July 29, 2016 4:30:28 AM
Subject: [Pki-devel] [PATCH] 327 - small fix for SERVER_KEYGEN slot substitution

Addresses Ticket 2418 - Some template substitution didn't happen during installation (specifically SERVER_KEYGEN)

Please review,
Ade

From edewata at redhat.com Fri Jul 29 22:34:58 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 29 Jul 2016 17:34:58 -0500
Subject: [Pki-devel] [PATCH] 805 Added log message in PKIClient.
Message-ID:

To help troubleshooting, the PKIClient class has been modified to log the certificate chain retrieved from the CA.

https://fedorahosted.org/pki/ticket/2399

Pushed under one-liner/trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0805-Added-log-message-in-PKIClient.patch
Type: text/x-patch
Size: 1838 bytes
Desc: not available
URL: