[Pki-devel] [PATCH] TRAC Ticket #667 - provide option for ca-less drm install [20131001]

Ade Lee alee at redhat.com
Thu Oct 3 21:21:37 UTC 2013 

Initial comments ..

1. ConfigurationUtils.java- I think we can simplify this code a bit.

Instead of:

                    boolean standalone = false;
                    if (sysType.equals("KRA")) {
                        standalone = config.getBoolean("kra.standalone", false);
                    } else if (sysType.equals("OCSP")) {
                        standalone = config.getBoolean("ocsp.standalone", false);
                    }

                    if ((sysType.equals("KRA")  && standalone) ||
                        (sysType.equals("OCSP") && standalone)) {
                        // Treat Standalone KRA/OCSP the same as "otherca"
                        config.putString(subsystem + "." + certTag + ".cert",
                                         "...paste certificate here...");
                    } else {

we could just have: 
                    boolean standalone = config.getBoolean(sysType.lower() + ".standalone", false);
                    if (standalone) {
                        // Treat standalone subsystem the same as "otherca"
                        config.putString(subsystem + "." + certTag + ".cert",
                                         "...paste certificate here...");
                    } else {

2. In SystemConfigService.java, you use a config entry to determine
whether the system is a standalone parameter or not. That means reading
the CS.cfg in validateData().  I think it makes better sense to add a
field to ConfigurationRequest to indicate that the system being
installed is a standalone system.  This also eliminates the need for a
global variable standalone.  Instead, you can just reference
data.getStandalone()

3.  Its a little weird in the validateData() to be putting the
validation under the check for new_domain.  What happens if someone
selects standalone and existing domain?

4. After validateData() has run, its not necessary to check whether we
are an OCSP or KRA when running standalone.  That check should have been
done by validateData()

5.  At the beginning of the configuration, in step 2, you append
"signing" to the beginning of the cert.list.  That will not work for
OCSP - which already contains "signing" as the first parameter in its
list.  Maybe you want something unique like "external_signing" ?

6.  Did you confirm that all these servlets/mappings are actually needed
to be exposed in web.xml?

To be continued ..

On Tue, 2013-10-01 at 16:52 -0700, Matthew Harmsen wrote:
> RESENT  to include the DATE of this PATCH in the Subject line.
> 
> The attached patch addresses the following TRAC ticket:
>       * https://fedorahosted.org/pki/ticket/667 TRAC Ticket #667 -
>         provide option for ca-less drm install
> 
> Unlike the previous patch which did not utilize a security domain and
> utilized the legacy GUI panel configuration, this patch only pertains
> to the non-GUI 'pkispawn' installation/configuration process as
> documented at:
> 
> 
>       * http://pki.fedoraproject.org/wiki/Stand-alone_PKI_Subsystems
> 
> Using this code, I have successfully installed a stand-alone DRM
> utilizing a separate PKI CA as my external CA for testing purposes.
> 
> 
> Should this code be approved, I will add the following:
> 
> 
>       * update the 'pkispawn' man page
>       * add similar default values as parameters to OCSP
> 
> At this stage, this code has not been tested to see if a DRM can be
> successfully cloned from a Stand-Alone DRM.
> 
> 
> -- Matt
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

More information about the Pki-devel mailing list