[Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries

Martin Babinsky mbabinsk at redhat.com
Thu Jul 2 12:37:57 UTC 2015 

On 07/02/2015 11:28 AM, Martin Babinsky wrote:
> On 07/02/2015 11:12 AM, Martin Babinsky wrote:
>> On 07/01/2015 03:05 PM, Martin Babinsky wrote:
>>> On 06/30/2015 02:45 PM, Martin Babinsky wrote:
>>>> On 06/30/2015 01:11 PM, Martin Babinsky wrote:
>>>>> On 06/30/2015 12:04 PM, Jan Cholasta wrote:
>>>>>> Dne 29.6.2015 v 10:36 Martin Babinsky napsal(a):
>>>>>>> On 06/23/2015 01:49 PM, Martin Babinsky wrote:
>>>>>>>> This patchset implements new API commands for manipulating
>>>>>>>> user/host/service userCertificate attribute alongside some
>>>>>>>> underlying
>>>>>>>> plumbing.
>>>>>>>>
>>>>>>>> PATCH 0045 is a small test suite that I slapped together since
>>>>>>>> manual
>>>>>>>> testing of this stuff is very cumbersome. It requires my PATCH
>>>>>>>> 0040 to
>>>>>>>> apply and work which was pushed to master recently
>>>>>>>> (commit 74883bbc959058c8bfafd9f63e8fad0e3792ac28).
>>>>>>>>
>>>>>>>> The work is related to
>>>>>>>> http://www.freeipa.org/page/V4/User_Certificates
>>>>>>>> and https://fedorahosted.org/freeipa/ticket/4238
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Attaching updated patches.
>>>>>>>
>>>>>>> Here are some notes for Jan because I did some things differently
>>>>>>> than
>>>>>>> we agreed on during review:
>>>>>>>
>>>>>>>
>>>>>>> 1.) I chose not to rename 'usercertificate' to
>>>>>>> 'usercertificate;binary'
>>>>>>> and back in pre/post callbacks. Despite the fact that the correct
>>>>>>> way to
>>>>>>> name the certificate attribute is 'usercertificate;binary', I feel
>>>>>>> that
>>>>>>> suddenly renaming it in the new code is asking for trouble.
>>>>>>
>>>>>> New code is new, there is no renaming, there is naming, and that
>>>>>> naming
>>>>>> should follow standards, and the standard is userCertificate;binary.
>>>>>>
>>>>>> (For the record I did not ask for any renaming in *old* host and
>>>>>> service
>>>>>> code.)
>>>>>>
>>>>> OK I will then use 'usercertificate;binary' and try to not break
>>>>> things.
>>>>>>>
>>>>>>> I'm all for changing the mapping between CLI options and actual
>>>>>>> attribute names but it should be done in a systematic fashion.
>>>>>>
>>>>>> +1, shall I post a patch?
>>>>>>
>>>>> That would be great, but I'm not sure if there is time for it.
>>>>> Maybe we
>>>>> can create a ticket for tracking?
>>>>>>>
>>>>>>> 2.) I have kept the `normalize_certs` function. It has the
>>>>>>> potential to
>>>>>>> catch incorrectly formatted/encoded certificates and in a way
>>>>>>> circumvents the slightly demented way the framework deals with
>>>>>>> supposedly binary data.
>>>>>>
>>>>>> One sentence above you asked for doing things in systematic fashion.
>>>>>> This is exactly what it isn't. A systematic solution would be a new
>>>>>> parameter type for certificates.
>>>>>>
>>>>> Ha I didn't notice that incorrect encoding is caught by validator.
>>>>>
>>>>> But I think that we still need to catch malformed certificates that
>>>>> can
>>>>> not be decoded to DER and AFAIK we don't do that anywhere (failing
>>>>> tests
>>>>> when adding a random Base64-encoded string confirm this).
>>>>>
>>>>> All this probably stems from my confusion about the way IPA framework
>>>>> guesses binary data. For example, if I call
>>>>> `api.Command.user_add_cert`
>>>>> and fill 'certificate' option with Base64 blob reencoded to Unicode,
>>>>> everything works as expected.
>>>>>
>>>>> However, filling this option with 'str' leads to another round of
>>>>> Base64
>>>>> encoding in the framework, leading to 'userCertificate;binary'
>>>>> which is
>>>>> filled by original Base64 blob instead of DER encoded cert.
>>>>>
>>>>>>>
>>>>>>> I have also added two negative test cases which deal with
>>>>>>> incorrectly
>>>>>>> encoded and formatted certificates.
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>> Attaching updated patches (actually only 44 is updated, I added the
>>>> rename to/from 'usercertificate;binary' to user pre/post callbacks).
>>>>
>>>>
>>>>
>>> Another patch update attached (mainly fixing pep8 complaints and
>>> reworking certificate validation).
>>>
>>>
>>>
>>
>> Updated patches attached.
>>
>>
>>
>
> I left a a bug in PATCH 0043. Attaching updated version.
>
>
>
Attaching updated patches.

-- 
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0045.2-test-suite-for-user-host-service-certificate-managem.patch
Type: text/x-patch
Size: 12207 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150702/458d8f72/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0044.3-new-commands-to-manage-user-host-service-certificate.patch
Type: text/x-patch
Size: 14792 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150702/458d8f72/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0043.5-reworked-certificate-normalization-and-revocation.patch
Type: text/x-patch
Size: 13406 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150702/458d8f72/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0042.2-baseldap-add-support-for-API-commands-managing-only-.patch
Type: text/x-patch
Size: 4804 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150702/458d8f72/attachment-0003.bin>

More information about the Freeipa-devel mailing list