From alee at redhat.com Mon Aug 3 18:13:47 2015 
From: alee at redhat.com (Ade Lee)
Date: Mon, 03 Aug 2015 14:13:47 -0400
Subject: [Pki-devel] [PATCH] 0267-Add-code-to-reindex-data-during-cloning-without-replication
In-Reply-To: <1438378479.5361.34.camel@redhat.com>
References: <1438229428.3621.3.camel@redhat.com> <1438272202.5361.1.camel@redhat.com> <1438376635.5361.31.camel@redhat.com> <1438378479.5361.34.camel@redhat.com>
Message-ID: <1438625627.24372.46.camel@redhat.com>

Acked by Endi, pushed to master.

On Fri, 2015-07-31 at 17:34 -0400, Ade Lee wrote:
> patch 267-3 same as previous with just a man page update as well.
>
> Ade
> On Fri, 2015-07-31 at 17:03 -0400, Ade Lee wrote:
> > One more time, this time with a config option to not re-index.
> >
> >
> > On Thu, 2015-07-30 at 12:03 -0400, Ade Lee wrote:
> > > New patch attached -- added code to check for errors when
> > > creating the indexing task, as well as fixing errors in the
> > > indexing task ldif.
> > >
> > > Please review,
> > > Ade
> > >
> > > On Thu, 2015-07-30 at 00:10 -0400, Ade Lee wrote:
> > > > Add code to reindex data during cloning without replication
> > > >
> > > > When setting up a clone, indexes are added before the
> > > > replication agreements are set up and the consumer is
> > > > initialized. Thus, as data is replicated and added to the
> > > > clone db, the data is indexed.
> > > >
> > > > When cloning is done with the replication agreements already
> > > > set up and the data replicated, the existing data is not
> > > > indexed and cannot be accessed in searches. The data needs to
> > > > be reindexed.
> > > >
> > > > Related to ticket 1414
> > > >
> > > > Please review,
> > > > Ade
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From cheimes at redhat.com Tue Aug 4 11:42:53 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 4 Aug 2015 13:42:53 +0200
Subject: [Pki-devel] PKI client: Utilize system-wide crypto-policies
Message-ID: <55C0A53D.6070906@redhat.com>

Hi,

this ticket in FreeIPA came to my attention:

https://fedorahosted.org/freeipa/ticket/4853
https://bugzilla.redhat.com/show_bug.cgi?id=1179220

FreeIPA isn't directly affected by the issue. But the Python client library of Dogtag PKI uses OpenSSL and therefore indirectly affects FreeIPA. It's also a bit related to #1253. Depending on how we want to solve #1253 we can fix FreeIPA's #4853 at the same time.

I see two solutions:

1) Use NSS for TLS/SSL. That would delay crypto-policies, because NSS doesn't support it yet.

2) Write another SSL adapter for python-requests that allows us to use the system certs as well as specify the cipher list.

Christian

From mharmsen at redhat.com Tue Aug 4 22:43:19 2015
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 04 Aug 2015 16:43:19 -0600
Subject: [Pki-devel] [PATCH] Removed more inaccessible URLs from server.xml
Message-ID: <55C14007.4000306@redhat.com>

Please review the attached patch which addresses the following two tickets:

* PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI subsystems which are not accessible
* PKI TRAC Ticket #1518 - OCSP ee url returned by pkidaemon status tomcat shows an error page

These were tested by installing four new instances and running 'pkidaemon status tomcat pki-tomcat'. The following four inaccessible URLs no longer showed up:

* *Unsecure URL = http://pki.example.com:8080/kra/ee/kra* (1443)
* *Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp* (1518)
* *Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp* (1518)
* *Unsecure URL = http://pki.example.com:8080/tks/ee/tks* (1443)

Additionally, a test was run which showed that the upgrade code worked successfully:

# pkidaemon status tomcat pki-tomcat
Status for pki-tomcat: pki-tomcat is running ..
[CA Status Definitions]
Unsecure URL = http://pki.example.com:8080/ca/ee/ca
Secure Agent URL = https://pki.example.com:8443/ca/agent/ca
Secure EE URL = https://pki.example.com:8443/ca/ee/ca
Secure Admin URL = https://pki.example.com:8443/ca/services
PKI Console Command = pkiconsole https://pki.example.com:8443/ca
Tomcat Port = 8005 (for shutdown)

[DRM Status Definitions]
* Unsecure URL = http://pki.example.com:8080/kra/ee/kra*
Secure Agent URL = https://pki.example.com:8443/kra/agent/kra
Secure Admin URL = https://pki.example.com:8443/kra/services
PKI Console Command = pkiconsole https://pki.example.com:8443/kra
Tomcat Port = 8005 (for shutdown)

[OCSP Status Definitions]
* Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp*
Secure Agent URL = https://pki.example.com:8443/ocsp/agent/ocsp
* Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp*
Secure Admin URL = https://pki.example.com:8443/ocsp/services
PKI Console Command = pkiconsole https://pki.example.com:8443/ocsp
Tomcat Port = 8005 (for shutdown)

[TKS Status Definitions]
* Unsecure URL = http://pki.example.com:8080/tks/ee/tks*
Secure Agent URL = https://pki.example.com:8443/tks/agent/tks
Secure Admin URL = https://pki.example.com:8443/tks/services
PKI Console Command = pkiconsole https://pki.example.com:8443/tks
Tomcat Port = 8005 (for shutdown)

[CA Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: example.com
Security Domain URL: https://pki.example.com:8443
==========================================================================

[DRM Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: DRM
Registered PKI Security Domain Information:
==========================================================================
Name: example.com
Security Domain URL: https://pki.example.com:8443
==========================================================================

[OCSP Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: OCSP
Registered PKI Security Domain Information:
==========================================================================
Name: example.com
Security Domain URL: https://pki.example.com:8443
==========================================================================

[TKS Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: TKS
Registered PKI Security Domain Information:
==========================================================================
Name: example.com
Security Domain URL: https://pki.example.com:8443
==========================================================================

After running the upgrade script, the inaccessible URLs were removed:

# pkidaemon status tomcat pki-tomcat
Status for pki-tomcat: pki-tomcat is running ..

[CA Status Definitions]
Unsecure URL = http://pki.example.com:8080/ca/ee/ca
Secure Agent URL = https://pki.example.com:8443/ca/agent/ca
Secure EE URL = https://pki.example.com:8443/ca/ee/ca
Secure Admin URL = https://pki.example.com:8443/ca/services
PKI Console Command = pkiconsole https://pki.example.com:8443/ca
Tomcat Port = 8005 (for shutdown)

[DRM Status Definitions]
Secure Agent URL = https://pki.example.com:8443/kra/agent/kra
Secure Admin URL = https://pki.example.com:8443/kra/services
PKI Console Command = pkiconsole https://pki.example.com:8443/kra
Tomcat Port = 8005 (for shutdown)

[OCSP Status Definitions]
Secure Agent URL = https://pki.example.com:8443/ocsp/agent/ocsp
Secure Admin URL = https://pki.example.com:8443/ocsp/services
PKI Console Command = pkiconsole https://pki.example.com:8443/ocsp
Tomcat Port = 8005 (for shutdown)

[TKS Status Definitions]
Secure Agent URL = https://pki.example.com:8443/tks/agent/tks
Secure Admin URL = https://pki.example.com:8443/tks/services
PKI Console Command = pkiconsole https://pki.example.com:8443/tks
Tomcat Port = 8005 (for shutdown)

[CA Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: example.com
Security Domain URL: https://pki.example.com:8443
==========================================================================

[DRM Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: DRM
Registered PKI Security Domain Information:
==========================================================================
Name: example.com
Security Domain URL: https://pki.example.com:8443
==========================================================================

[OCSP Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: OCSP
Registered PKI Security Domain Information:
==========================================================================
Name: example.com
Security Domain URL: https://pki.example.com:8443
==========================================================================

[TKS Configuration Definitions]
PKI Instance Name: pki-tomcat
PKI Subsystem Type: TKS
Registered PKI Security Domain Information:
==========================================================================
Name: example.com
Security Domain URL: https://pki.example.com:8443
==========================================================================

-------------- next part --------------
Attachment: 20150804-remove-more-inaccessible-URLs-from-server.xml.patch (text/x-patch, 4877 bytes)

From cheimes at redhat.com Wed Aug 5 15:11:44 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Wed, 5 Aug 2015 17:11:44 +0200
Subject: [Pki-devel] PKIConnection cert validation #1253
Message-ID: <55C227B0.6000507@redhat.com>

Hi,

this mail is about my take on issue https://fedorahosted.org/pki/ticket/1253

Yesterday night I had a long conversation with Ade on #dogtag-pki. He explained the install process in great detail to me. Thanks Ade! :) Do we have a logging bot in the channel or another way to store discussions for the future?

Today I took the scenic route and explored the implementation of pkispawn as well as how it interacts with Tomcat over HTTPS. Ade already pointed out three distinct cases. There might be a couple more cases, though. I haven't tried them all yet.

Case #1: creation of security domain
------------------------------------

The first case occurs during the initial installation of the security domain, when no CA cert is imported. During the installation pkispawn sets up a Tomcat instance and creates a CA. Because no CA exists in the beginning of the process, the installer uses a temporary self-signed cert for the Tomcat server instance. The self-signed cert is stored in PKI's NSS database. The name of the certificate for instance 'pki-tomcat' is 'Server-Cert cert-pki-tomcat'. This certificate is used throughout the entire installation until Tomcat is restarted.
# certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-tomcat                                  CTu,Cu,Cu


# certutil -d /etc/pki/pki-tomcat/alias/ -L \
    -a -n 'Server-Cert cert-pki-tomcat' | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=2015-08-05 14:11:10, CN=vm-089.example.com
        Validity
            Not Before: Aug 5 12:13:05 2015 GMT
            Not After : Aug 5 12:13:05 2016 GMT
        Subject: O=2015-08-05 14:11:10, CN=vm-089.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:


After pkispawn has successfully spawned the CA, the trust anchor is available in the NSS database, too. Its name is 'caSigningCert cert-pki-tomcat CA' for 'pki-tomcat'. 'Server-Cert cert-pki-tomcat' is replaced with a signed cert.

# certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-tomcat CA                             CTu,Cu,Cu
Server-Cert cert-pki-tomcat                                  u,u,u
auditSigningCert cert-pki-tomcat CA                          u,u,Pu
ocspSigningCert cert-pki-tomcat CA                           u,u,u
subsystemCert cert-pki-tomcat                                u,u,u


# certutil -d /etc/pki/pki-tomcat/alias/ -L -a -n \
    'caSigningCert cert-pki-tomcat CA' | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=example.com Security Domain, CN=CA Signing Certificate
        Validity
            Not Before: Aug 5 12:26:52 2015 GMT
            Not After : Aug 5 12:26:52 2035 GMT
        Subject: O=example.com Security Domain, CN=CA Signing Certificate


# certutil -d /etc/pki/pki-tomcat/alias/ -L -a -n \
    'Server-Cert cert-pki-tomcat' | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=example.com Security Domain, CN=CA Signing Certificate
        Validity
            Not Before: Aug 5 12:26:52 2015 GMT
            Not After : Jul 25 12:26:52 2017 GMT
        Subject: O=example.com Security Domain, CN=vm-089.example.com


Case #2: new subsystem on the same host
---------------------------------------

For new subsystems on the same host, pkispawn simply has to trust the CA Signing Certificate from #1. The same is true for the 389-DS server cert.

Case #3: subsystem on different host
------------------------------------

When a new subsystem is installed on a different host, the user must provide the trust anchor for 389-DS out-of-band. A user could also use plain LDAP, but let's not go there. The trust anchor for the LDAP cert might be the same as the trust anchor for the security domain -- or it might be a different one. In both cases it's probably easier to grab the trust anchor from LDAP. The LDAP connection is set up before pkispawn does the first HTTPS request.

Case #4: clone on different host
--------------------------------

For installations of a clone or subsystem, the trust anchor must be provided out-of-band. For a cloning setup http://pki.fedoraproject.org/wiki/Cloning_Setup the PKCS#12 file should contain all necessary information. It might also be possible to grab the cert from LDAP like in case #3.

Case #5: security domain with imported CA
-----------------------------------------

I haven't tried to configure a CA with an externally managed and imported trust anchor yet. Does anybody happen to know the nickname of the cert and its trust anchor?

Conclusion
==========

In case #1 pkispawn should dump the self-signed cert from NSS DB to a PEM file. requests can then load the self-signed cert as CA cert. For self-signed certs this makes the cert trusted. The file should be removed at the end of the installation.

In case #2 pkispawn should dump the trust anchor from the NSS database to a PEM file, too. I suggest to put the PEM file in a location where it can be read by everybody. /etc/pki/pki-tomcat is only accessible by root and members of the pkiuser group. It has no X bit for other.

In case #3 the cert must either be provided out-of-band or grabbed from LDAP.
I like the idea to grab it from LDAP and have an official API to do so. Other systems like FreeIPA could use the same API, too. Like in case #2 the cert should be dumped to a public-readable location.

We could handle case #2 and #3 the same way and always grab the trust anchor from LDAP. It's less code and more robust, too.

Open question
-------------

1) Is there a stable and easy way to find the trust anchor in LDAP? In my test setup the trust anchor has subjectName='CN=CA Signing Certificate,O=example.com Security Domain'. Is the name always similar?

2) Does anybody know how case #5 affects the nickname or subjectName attribute of the trust anchor?

Christian

From edewata at redhat.com Wed Aug 5 16:53:45 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 5 Aug 2015 11:53:45 -0500
Subject: [Pki-devel] PKIConnection cert validation #1253
In-Reply-To: <55C227B0.6000507@redhat.com>
References: <55C227B0.6000507@redhat.com>
Message-ID: <55C23F99.8040703@redhat.com>

On 8/5/2015 10:11 AM, Christian Heimes wrote:
> Hi,
>
> this mail is about my take on issue https://fedorahosted.org/pki/ticket/1253
>
> Yesterday night I had a long conversation with Ade on #dogtag-pki. He
> explained the install process in great detail to me. Thanks Ade! :) Do
> we have a logging bot in the channel or another way to store discussions
> for the future?
>
> Today I took the scenic route and explored the implementation of
> pkispawn as well as how it interacts with Tomcat over HTTPS.

I hope you enjoyed the view :)

> Ade already
> pointed out three distinct cases. There might be a couple more cases, though.
> I haven't tried them all yet.

I'm not fully familiar with the process, but I have some comments below.

> Case #1: creation of security domain
> ------------------------------------
>
> The first case occurs during the initial installation of the security
> domain, when no CA cert is imported. During the installation pkispawn
> sets up a Tomcat instance and creates a CA. Because no CA exists in
> the beginning of the process, the installer uses a temporary self-signed
> cert for the Tomcat server instance. The self-signed cert is stored in
> PKI's NSS database. The name of the certificate for instance
> 'pki-tomcat' is 'Server-Cert cert-pki-tomcat'. This certificate is used
> throughout the entire installation until Tomcat is restarted.
>
> # certutil -d /etc/pki/pki-tomcat/alias/ -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert cert-pki-tomcat                                  CTu,Cu,Cu
>
>
> # certutil -d /etc/pki/pki-tomcat/alias/ -L \
>     -a -n 'Server-Cert cert-pki-tomcat' | openssl x509 -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 0 (0x0)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=2015-08-05 14:11:10, CN=vm-089.example.com
>         Validity
>             Not Before: Aug 5 12:13:05 2015 GMT
>             Not After : Aug 5 12:13:05 2016 GMT
>         Subject: O=2015-08-05 14:11:10, CN=vm-089.example.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>
>
> After pkispawn has successfully spawned the CA, the trust anchor is
> available in the NSS database, too. Its name is 'caSigningCert
> cert-pki-tomcat CA' for 'pki-tomcat'. 'Server-Cert cert-pki-tomcat' is
> replaced with a signed cert.
>
> # certutil -d /etc/pki/pki-tomcat/alias/ -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-tomcat CA                             CTu,Cu,Cu
> Server-Cert cert-pki-tomcat                                  u,u,u
> auditSigningCert cert-pki-tomcat CA                          u,u,Pu
> ocspSigningCert cert-pki-tomcat CA                           u,u,u
> subsystemCert cert-pki-tomcat                                u,u,u
>
>
> # certutil -d /etc/pki/pki-tomcat/alias/ -L -a -n \
>     'caSigningCert cert-pki-tomcat CA' | openssl x509 -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=example.com Security Domain, CN=CA Signing Certificate
>         Validity
>             Not Before: Aug 5 12:26:52 2015 GMT
>             Not After : Aug 5 12:26:52 2035 GMT
>         Subject: O=example.com Security Domain, CN=CA Signing Certificate
>
>
> # certutil -d /etc/pki/pki-tomcat/alias/ -L -a -n \
>     'Server-Cert cert-pki-tomcat' | openssl x509 -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 3 (0x3)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=example.com Security Domain, CN=CA Signing Certificate
>         Validity
>             Not Before: Aug 5 12:26:52 2015 GMT
>             Not After : Jul 25 12:26:52 2017 GMT
>         Subject: O=example.com Security Domain, CN=vm-089.example.com

I suppose if LDAPS is required, the DS trust anchor would have to be provided before running pkispawn.

> Case #2: new subsystem on the same host
> ---------------------------------------
>
> For new subsystems on the same host, pkispawn simply has to trust the CA
> Signing Certificate from #1. The same is true for the 389-DS server cert.

If the new subsystem is in the same instance as the CA, they will share the same NSS database, so I suppose there are no additional steps required to trust the CA/DS certs. If the new subsystem is in a different instance, it will require exporting into a PKCS #12 file as in case #3.

> Case #3: subsystem on different host
> ------------------------------------
>
> When a new subsystem is installed on a different host, the user must
> provide the trust anchor for 389-DS out-of-band.

And some other CA certs too.

> A user could also use
> plain LDAP, but let's not go there.

To my understanding LDAPS is optional. The DS might be local and secured in some way such that a plain LDAP connection is acceptable.

> The trust anchor for the LDAP cert
> might be the same as the trust anchor for the security domain -- or it
> might be a different one. In both cases it's probably easier to grab the
> trust anchor from LDAP. The LDAP connection is set up before pkispawn
> does the first HTTPS request.

Do you want to get the trust anchors with LDAPS or a plain LDAP? If LDAPS, doesn't it mean you need to have the trust anchors already? Since we will be transporting some CA certs & keys via PKCS #12 anyway, we might as well include the DS trust anchor there.

> Case #4: clone on different host
> --------------------------------
>
> For installations of a clone or subsystem, the trust anchor must be
> provided out-of-band.
> For a cloning setup
> http://pki.fedoraproject.org/wiki/Cloning_Setup the PKCS#12 file should
> contain all necessary information. It might also be possible to grab the
> cert from LDAP like in case #3.

I think this is identical to case #3.

> Case #5: security domain with imported CA
> -----------------------------------------
>
> I haven't tried to configure a CA with an externally managed and
> imported trust anchor yet. Does anybody happen to know the nickname of
> the cert and its trust anchor?

Not sure, but I think an external CA cert can be included in the same PKCS #12 file.

> Conclusion
> ==========
>
> In case #1 pkispawn should dump the self-signed cert from NSS DB to a PEM
> file. requests can then load the self-signed cert as CA cert. For
> self-signed certs this makes the cert trusted. The file should be
> removed at the end of the installation.

Right. Additionally, at the end of installation we probably should export the trust anchors into PEM and store it at a standard location (e.g. SSL_CERT_DIR) so all applications can use it immediately.

> In case #2 pkispawn should dump the trust anchor from the NSS database
> to a PEM file, too. I suggest to put the PEM file in a location where it
> can be read by everybody. /etc/pki/pki-tomcat is only accessible by root
> and members of the pkiuser group. It has no X bit for other.

If the subsystem is installed on the same host, the trust anchors should already be available in the default location.

> In case #3 the cert must either be provided out-of-band or grabbed from
> LDAP. I like the idea to grab it from LDAP and have an official API to
> do so. Other systems like FreeIPA could use the same API, too. Like in
> case #2 the cert should be dumped to a public-readable location.

If the subsystem is installed on a different host, the trust anchors should be exported from the PKCS #12 into the standard location on that host.
> We could handle case #2 and #3 the same way and always grab the trust
> anchor from LDAP. It's less code and more robust, too.

As mentioned above, since we'll be transporting a PKCS #12 file anyway, I'm not sure if we should/can use LDAP.

> Open question
> -------------
>
> 1) Is there a stable and easy way to find the trust anchor in LDAP? In
> my test setup the trust anchor has subjectName='CN=CA Signing
> Certificate,O=example.com Security Domain'. Is the name always similar?

I'm not sure if that is guaranteed. A better way would be to retrieve the actual cert used by the subsystem by its tag/nickname: https://fedorahosted.org/pki/ticket/1473

> 2) Does anybody know how case #5 affects the nickname or subjectName
> attribute of the trust anchor?

Not very familiar with this case.

> Christian

--
Endi S. Dewata

From edewata at redhat.com Wed Aug 5 17:42:36 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 5 Aug 2015 12:42:36 -0500
Subject: [Pki-devel] [PATCH] 638 Fixed missing cert request hostname and address.
Message-ID: <55C24B0C.3080300@redhat.com>

The CA services have been modified to inject request hostname and address into the certificate request object such that they will be stored in the database. This fixes the problem with requests submitted either via the UI or the CLI.

An unused method in CertRequestResource has been removed. Some debug messages have been cleaned as well.

https://fedorahosted.org/pki/ticket/1535

--
Endi S. Dewata

-------------- next part --------------
From c1c4cfd8a6815a88123956a45fa10e3446dae01e Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" Date: Wed, 5 Aug 2015 19:10:19 +0200 Subject: [PATCH] Fixed missing cert request hostname and address. The CA services have been modified to inject request hostname and address into the certificate request object such that they will be stored in the database. This fixes the problem with requests submitted either via the UI or the CLI. An unused method in CertRequestResource has been removed. Some debug messages have been cleaned as well. https://fedorahosted.org/pki/ticket/1535 --- .../server/ca/rest/CertRequestService.java | 15 +++++-------- .../certsrv/cert/CertEnrollmentRequest.java | 8 +++++++ .../netscape/certsrv/cert/CertRequestResource.java | 10 --------- .../servlet/cert/CertEnrollmentRequestFactory.java | 14 ++++++++---- .../netscape/cms/servlet/cert/CertProcessor.java | 25 +++++++++++----------- .../cms/servlet/cert/EnrollmentProcessor.java | 12 +++++------ .../cms/servlet/processors/CAProcessor.java | 9 ++++---- 7 files changed, 46 insertions(+), 47 deletions(-) diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java index a11cb470b21240127b405a694c92fc665dd9ed69..95f1f4c20086ddb45846f65b1db157bff238708a 100644 --- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java +++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java @@ -27,7 +27,6 @@ import javax.servlet.http.HttpServletRequest; import javax.ws.rs.PathParam; import javax.ws.rs.core.Context; import javax.ws.rs.core.HttpHeaders; -import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Request; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; 
@@ -113,13 +112,6 @@ public class CertRequestService extends PKIService implements CertRequestResourc return createOKResponse(info); } - // Enrollment - used to test integration with a browser - @Override - public Response enrollCert(MultivaluedMap form) { - CertEnrollmentRequest data = new CertEnrollmentRequest(form); - return enrollCert(data); - } - @Override public Response enrollCert(CertEnrollmentRequest data) { @@ -128,6 +120,9 @@ public class CertRequestService extends PKIService implements CertRequestResourc throw new BadRequestException("Unable to create enrollment reequest: Invalid input data"); } + data.setRemoteHost(servletRequest.getRemoteHost()); + data.setRemoteAddr(servletRequest.getRemoteAddr()); + CertRequestDAO dao = new CertRequestDAO(); CertRequestInfos infos; @@ -143,10 +138,10 @@ public class CertRequestService extends PKIService implements CertRequestResourc CMS.debug("enrollCert: bad request data: " + e); throw new BadRequestException(e.toString()); } catch (EBaseException e) { - throw new PKIException(e.toString()); + throw new PKIException(e); } catch (Exception e) { CMS.debug(e); - throw new PKIException(e.toString()); + throw new PKIException(e); } // this will return an error code of 200, instead of 201 diff --git a/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java b/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java index 72aad330fecc63290c9e6d82e576971df499028e..d55b5b4e1007516fef8fa6f9820c44d522f4bde4 100644 --- a/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java +++ b/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java @@ -275,6 +275,14 @@ public class CertEnrollmentRequest { return sw.toString(); } + public String toString() { + try { + return toXML(); + } catch (JAXBException e) { + throw new RuntimeException(e); + } + } + @Override public int hashCode() { final int prime = 31; 
diff --git a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java index b9ae1f1fe0592bbcc4a7b64baa2ef4fecbe52749..7f08b4af392e3e56419abdad7cb66bd191688222 100644 --- a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java +++ b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java @@ -17,14 +17,11 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.certsrv.cert; -import javax.ws.rs.Consumes; import javax.ws.rs.GET; import javax.ws.rs.POST; import javax.ws.rs.Path; import javax.ws.rs.PathParam; import javax.ws.rs.QueryParam; -import javax.ws.rs.core.MediaType; -import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; @@ -37,13 +34,6 @@ import com.netscape.certsrv.request.RequestId; @Path("") public interface CertRequestResource { - // Enrollment - used to test integration with a browser - @POST - @Path("certrequests") - @ClientResponseType(entityType=CertRequestInfos.class) - @Consumes({ MediaType.APPLICATION_FORM_URLENCODED }) - public Response enrollCert(MultivaluedMap form); - @POST @Path("certrequests") @ClientResponseType(entityType=CertRequestInfos.class) diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertEnrollmentRequestFactory.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertEnrollmentRequestFactory.java index 7a26e8e21482bc066184305d56eb953e25903696..d74a285f391ecf4fdbafe219d02f20e86ccf1848 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertEnrollmentRequestFactory.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertEnrollmentRequestFactory.java 
@@ -20,6 +20,8 @@ package com.netscape.cms.servlet.cert; import java.util.Enumeration; import java.util.Locale; +import javax.servlet.http.HttpServletRequest; + import com.netscape.certsrv.base.IArgBlock; import com.netscape.certsrv.cert.CertEnrollmentRequest; import com.netscape.certsrv.profile.EProfileException; @@ -35,18 +37,22 @@ public class CertEnrollmentRequestFactory { throws EProfileException { IArgBlock params = cmsReq.getHttpParams(); - CertEnrollmentRequest ret = new CertEnrollmentRequest(); - ret.setProfileId(profile.getId()); + CertEnrollmentRequest request = new CertEnrollmentRequest(); + request.setProfileId(profile.getId()); // populate profile inputs Enumeration inputIds = profile.getProfileInputIds(); while (inputIds.hasMoreElements()) { IProfileInput input = profile.getProfileInput(inputIds.nextElement()); ProfileInput addInput = ProfileInputFactory.create(input, params, locale); - ret.addInput(addInput); + request.addInput(addInput); } - return ret; + HttpServletRequest httpRequest = cmsReq.getHttpReq(); + request.setRemoteHost(httpRequest.getRemoteHost()); + request.setRemoteAddr(httpRequest.getRemoteAddr()); + + return request; } } diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java index 4cd54a25719bcd82728ef803f225bac481211584..f1a147eb475a8a1378cac829dcaee765ab2c3e70 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java 
@@ -172,13 +172,14 @@ public class CertProcessor extends CAProcessor { auditRequesterID = auditRequesterID(req); // print request debug + CMS.debug("CertProcessor: Request:"); if (req != null) { Enumeration reqKeys = req.getExtDataKeys(); while (reqKeys.hasMoreElements()) { String reqKey = reqKeys.nextElement(); String reqVal = req.getExtDataInString(reqKey); if (reqVal != null) { - CMS.debug("CertRequestSubmitter: key=$request." + reqKey + "$ value=" + reqVal); + CMS.debug("CertProcessor: - " + reqKey + ": " + reqVal); } } } @@ -213,7 +214,7 @@ public class CertProcessor extends CAProcessor { notify.notify(req); } - CMS.debug("CertRequestSubmitter: submit " + e.toString()); + CMS.debug("CertProcessor: submit " + e); errorCode = "2"; errorReason = CMS.getUserMessage(locale, "CMS_PROFILE_DEFERRED", e.toString()); @@ -223,7 +224,7 @@ public class CertProcessor extends CAProcessor { } catch (ERejectException e) { // return error to the user req.setRequestStatus(RequestStatus.REJECTED); - CMS.debug("CertRequestSubmitter: submit " + e.toString()); + CMS.debug("CertProcessor: submit " + e); errorCode = "3"; errorReason = CMS.getUserMessage(locale, "CMS_PROFILE_REJECTED", e.toString()); @@ -239,8 +240,8 @@ public class CertProcessor extends CAProcessor { audit(auditMessage); } catch (Throwable e) { // return error to the user - e.printStackTrace(); - CMS.debug("CertRequestSubmitter: submit " + e.toString()); + CMS.debug(e); + CMS.debug("CertProcessor: submit " + e); errorCode = "1"; errorReason = CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"); auditMessage = CMS.getLogMessage( @@ -261,8 +262,8 @@ public class CertProcessor extends CAProcessor { profile.getRequestQueue().updateRequest(req); } } catch (EBaseException e) { - e.printStackTrace(); - CMS.debug("CertRequestSubmitter: updateRequest " + e.toString()); + CMS.debug(e); + CMS.debug("CertProcessor: updateRequest " + e); } } return errorCode; 
@@ -312,7 +313,7 @@ public class CertProcessor extends CAProcessor { } if (fromRA) { - CMS.debug("CertRequestSubmitter: request from RA: " + uid); + CMS.debug("CertProcessor: request from RA: " + uid); req.setExtData(ARG_REQUEST_OWNER, uid); } @@ -326,18 +327,18 @@ public class CertProcessor extends CAProcessor { if (setId == null) { // no profile set found - CMS.debug("CertRequestSubmitter: no profile policy set found"); + CMS.debug("CertProcessor: no profile policy set found"); throw new EBaseException(CMS.getUserMessage(locale, "CMS_PROFILE_NO_POLICY_SET_FOUND")); } - CMS.debug("CertRequestSubmitter profileSetid=" + setId); + CMS.debug("CertProcessor: profileSetid=" + setId); req.setExtData(ARG_PROFILE_SET_ID, setId); req.setExtData(ARG_PROFILE_REMOTE_HOST, data.getRemoteHost()); req.setExtData(ARG_PROFILE_REMOTE_ADDR, data.getRemoteAddr()); - CMS.debug("CertRequestSubmitter: request " + req.getRequestId().toString()); + CMS.debug("CertProcessor: request " + req.getRequestId()); - CMS.debug("CertRequestSubmitter: populating request inputs"); + CMS.debug("CertProcessor: populating request inputs"); // give authenticator a chance to populate the request if (authenticator != null) { authenticator.populate(authToken, req); diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java index 8d9d05cb7676f012eed8ef199f4e65f34d5e6ebe..960f997cd4badd18bdd25393e9175fc935d52edb 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java 
@@ -127,13 +127,13 @@ public class EnrollmentProcessor extends CertProcessor { printParameterValues(params); } - CMS.debug("EnrollmentSubmitter: isRenewal false"); + CMS.debug("EnrollmentProcessor: isRenewal false"); startTiming("enrollment"); // if we did not configure profileId in xml file, // then accept the user-provided one String profileId = (this.profileID == null) ? data.getProfileId() : this.profileID; - CMS.debug("EnrollmentSubmitter: profileId " + profileId); + CMS.debug("EnrollmentProcessor: profileId " + profileId); IProfile profile = ps.getProfile(profileId); if (profile == null) { @@ -141,17 +141,17 @@ public class EnrollmentProcessor extends CertProcessor { throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(profileId))); } if (!ps.isProfileEnable(profileId)) { - CMS.debug("EnrollmentSubmitter: Profile " + profileId + " not enabled"); + CMS.debug("EnrollmentProcessor: Profile " + profileId + " not enabled"); throw new BadRequestDataException("Profile " + profileId + " not enabled"); } IProfileContext ctx = profile.createContext(); - CMS.debug("EnrollmentSubmitter: set Inputs into profile Context"); + CMS.debug("EnrollmentProcessor: set Inputs into profile Context"); setInputsIntoContext(data, profile, ctx); IProfileAuthenticator authenticator = profile.getAuthenticator(); if (authenticator != null) { - CMS.debug("EnrollmentSubmitter: authenticator " + authenticator.getName() + " found"); + CMS.debug("EnrollmentProcessor: authenticator " + authenticator.getName() + " found"); setCredentialsIntoContext(request, authenticator, ctx); } 
@@ -160,7 +160,7 @@ public class EnrollmentProcessor extends CertProcessor { SessionContext context = SessionContext.getContext(); context.put("profileContext", ctx); context.put("sslClientCertProvider", new SSLClientCertProvider(request)); - CMS.debug("EnrollmentSubmitter: set sslClientCertProvider"); + CMS.debug("EnrollmentProcessor: set sslClientCertProvider"); // before creating the request, authenticate the request IAuthToken authToken = authenticate(request, null, authenticator, context, false); diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java index 28b1b5130901297ad6eac199f32f5de588bee94d..b9af84bc9b5b878f895707c266b1df1fa5b1e26f 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java @@ -257,7 +257,8 @@ public class CAProcessor extends Processor { } protected void printParameterValues(HashMap data) { - CMS.debug("Start of CertProcessor Input Parameters"); + + CMS.debug("CAProcessor: Input Parameters:"); for (Entry entry : data.entrySet()) { String paramName = entry.getKey(); @@ -280,13 +281,11 @@ public class CAProcessor extends Processor { paramName.equalsIgnoreCase("pwd") || paramName.equalsIgnoreCase("pwdagain") || paramName.equalsIgnoreCase("uPasswd")) { - CMS.debug("CertProcessor Input Parameter " + paramName + "='(sensitive)'"); + CMS.debug("CAProcessor: - " + paramName + ": (sensitive)"); } else { - CMS.debug("CertProcessor Input Parameter " + paramName + "='" + entry.getValue() + "'"); + CMS.debug("CAProcessor: - " + paramName + ": " + entry.getValue()); } } - - CMS.debug("End of CertProcessor Input Parameters"); } /** -- 2.4.3 From edewata at redhat.com Wed Aug 5 20:30:02 2015 
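Review bot: Removing `enrollCert(MultivaluedMap form)` from the `CertRequestResource` interface (second hunk of the first file) is a client-visible API change rather than pure dead-code removal: a server class that still implements it with `@Override` no longer compiles, and a client that posts `application/x-www-form-urlencoded` to `certrequests` now gets a media-type error instead of the old browser-test path. The commit message calls it unused; say so in the changelog or release notes as well, and confirm the server-side implementation was adjusted in the same change.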
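Review bot: In the `CertEnrollmentRequestFactory` hunk, `cmsReq.getHttpReq()` is dereferenced with no null guard before `getRemoteHost()` and `getRemoteAddr()`; if a `CMSRequest` can be built without a servlet request (an internal caller), this now throws a NullPointerException where the factory previously returned a usable request, so either guard it or state that `getHttpReq()` is never null here. Two caveats on the stored values: `HttpServletRequest.getRemoteHost()` may trigger a reverse DNS lookup per request when the connector has host lookups enabled, and both values describe the immediate TCP peer, so behind a reverse proxy they record the proxy, not the client. They are useful audit context but should not feed an authorization decision.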
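Review bot: The first `CertProcessor` hunk dumps every `req.getExtDataKeys()` entry as `CertProcessor: - key: value` with no sensitive-value filter, whereas `printParameterValues` in the `CAProcessor` hunk masks `pwd`, `pwdagain`, `uPasswd` and similar names. Later hunks in this file show extData being filled from profile inputs and from `authenticator.populate(authToken, req)`, so credential material from those inputs can land in this dump. Apply the same masking here, ideally through one shared helper so the two lists cannot drift apart.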
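Review bot: Swapping `e.printStackTrace()` for `CMS.debug(e)` in the `catch (Throwable e)` and `catch (EBaseException e)` hunks is the right move (stderr goes to catalina.out with no level control), provided `CMS.debug(Throwable)` records the stack trace and not just `e.toString()`; otherwise the trace that used to reach stderr is silently lost and only the adjacent `CMS.debug("CertProcessor: submit " + e)` line remains. Worth a quick check of that overload before merging.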
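Review bot: In the `EnrollmentProcessor` hunk the user-supplied `profileId` is escaped with `CMSTemplate.escapeJavaScriptStringHTML` for the `CMS_PROFILE_NOT_FOUND` message but is concatenated raw into `new BadRequestDataException("Profile " + profileId + " not enabled")` a few lines later and into `CMS.debug("EnrollmentProcessor: profileId " + profileId)`. If the exception text can reach an HTML error page, apply the same escaping there; and since the debug line is written before the profile is validated, whatever a caller puts in `profileId`, newlines included, goes straight into the log, so strip or escape control characters before logging.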
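Review bot: The masking in `printParameterValues` (`CAProcessor` hunk) is an exact, case-insensitive match on a fixed list of names (`pwd`, `pwdagain`, `uPasswd`, ...), so any new input, or a profile that names its password field differently, is logged in clear. A substring rule on `pass`, `pwd` and `pin`, or a denylist shared with the `CertProcessor` extData dump, would be more robust. Minor: the blank line added after the method's opening brace is a style nit, and dropping the `End of CertProcessor Input Parameters` marker is fine now that each line carries the `CAProcessor: - ` prefix.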
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 5 Aug 2015 15:30:02 -0500 Subject: [Pki-devel] [PATCH] 638 Fixed missing cert request hostname and address. In-Reply-To: <55C24B0C.3080300@redhat.com> References: <55C24B0C.3080300@redhat.com> Message-ID: <55C2724A.7040003@redhat.com> On 8/5/2015 12:42 PM, Endi Sukma Dewata wrote: > The CA services have been modified to inject request hostname and > address into the certificate request object such that they will be > stored in the database. This fixes the problem with requests > submitted either via the UI or the CLI. > > An unused method in CertRequestResource has been removed. Some > debug messages have been cleaned as well. > > https://fedorahosted.org/pki/ticket/1535 ACKed by jmagne. Pushed to master. -- Endi S. Dewata From cfu at redhat.com Wed Aug 5 23:43:16 2015 
From: cfu at redhat.com (Christina Fu)
Date: Wed, 05 Aug 2015 16:43:16 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0090-Ticket-1531-Directory-auth-plugin-requires-LDAP-anon.patch
Message-ID: <55C29F94.9030902@redhat.com>

This patch is for ticket https://fedorahosted.org/pki/ticket/1531 Directory auth plugin requires LDAP anonymous binds

This patch adds a feature to allow a directory based authentication plugin to use a bound ldap connection instead of anonymous.
Two files need to be edited
1. /conf/password.conf
   add a "tag" and the password of the binding user dn to the file
   e.g. externalLDAP=password123
2. /ca/CS.cfg
   add the tag to cms.passwordlist:
   e.g. cms.passwordlist=internaldb,replicationdb,externalLDAP
   add the prefix of the auths entry for the authentication instance
   e.g. externalLDAP.prefix=auths.instance.UserDirEnrollment
   add relevant entries to the authentication instance
   e.g. auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
        auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
        auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com
        auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP

The code has been tested to work.
The code (in its plugin form) has also been tested to work successfully with an ldap server that has its anonymous bind turned off.

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0090-Ticket-1531-Directory-auth-plugin-requires-LDAP-anon.patch
Type: text/x-patch
Size: 8270 bytes
Desc: not available
URL:

From jmagne at redhat.com Thu Aug 6 00:02:37 2015
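The settings in the mail above have several cross-file invariants (the tag must appear in both password.conf and cms.passwordlist, <tag>.prefix must name the auths instance, and bindPWPrompt must name the tag), and a mistake in any of them only shows up as a failed bind at startup. As an added example, not part of the patch or of Dogtag, here is a small Python checker for those invariants that also flags a BasicAuth bind over a non-TLS connection; the function names are mine, the BasicAuth default mirrors the CMSEngine change quoted later in the thread, and the file contents are constructed samples modelled on the mail.

```python
"""Consistency check for the bound-LDAP auth-plugin settings described in the
patch mail.  Added example, not Dogtag code; the sample files are constructed."""
from typing import Dict, List

# Tags that CMSEngine handles with hard-coded settings; they need no <tag>.prefix.
BUILTIN_TAGS = {"internaldb", "replicationdb"}


def parse_kv(text: str) -> Dict[str, str]:
    """Parse a CS.cfg / password.conf style file (one key=value per line).

    Only the first '=' separates key from value, so a bindDN such as
    'uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com' keeps its own '=' signs.
    """
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries


def check_bound_ldap_auth(cs_cfg: Dict[str, str], password_conf: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems: List[str] = []
    tags = [t.strip() for t in cs_cfg.get("cms.passwordlist", "").split(",") if t.strip()]

    for tag in tags:
        if tag in BUILTIN_TAGS:
            continue
        if tag not in password_conf:
            problems.append(f"{tag}: listed in cms.passwordlist but has no entry in password.conf")
        prefix = cs_cfg.get(f"{tag}.prefix")
        if not prefix:
            # Fail fast: without the prefix none of the instance settings can be located.
            problems.append(f"{tag}: missing {tag}.prefix in CS.cfg")
            continue
        ldap = f"{prefix}.ldap"
        if cs_cfg.get(f"{ldap}.ldapBoundConn", "false").lower() != "true":
            problems.append(f"{tag}: {ldap}.ldapBoundConn is not true, the plugin will still bind anonymously")
        # CMSEngine defaults the auth type to BasicAuth and skips any other type.
        authtype = cs_cfg.get(f"{ldap}.ldapauth.authtype", "BasicAuth")
        if authtype != "BasicAuth":
            problems.append(f"{tag}: authtype {authtype!r} is not BasicAuth, so the stored password is never used")
            continue
        if not cs_cfg.get(f"{ldap}.ldapauth.bindDN"):
            problems.append(f"{tag}: missing {ldap}.ldapauth.bindDN")
        prompt = cs_cfg.get(f"{ldap}.ldapauth.bindPWPrompt")
        if prompt != tag:
            problems.append(f"{tag}: bindPWPrompt is {prompt!r}, expected {tag!r} to match the password.conf tag")
        # A simple bind sends the password in the clear unless the connection is TLS.
        if cs_cfg.get(f"{ldap}.ldapconn.secureConn", "false").lower() != "true":
            problems.append(f"{tag}: secureConn is not true, the BasicAuth bind sends the password in cleartext")

    # A prefix for a tag that is not in cms.passwordlist is never consulted at startup.
    for key in cs_cfg:
        if key.endswith(".prefix") and key[:-len(".prefix")] not in tags:
            problems.append(f"{key}: tag is not in cms.passwordlist, its password will never be loaded")
    return problems


# Constructed sample files mirroring the entries listed in the mail.
SAMPLE_CS_CFG = """\
cms.passwordlist=internaldb,replicationdb,externalLDAP
externalLDAP.prefix=auths.instance.UserDirEnrollment
auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
auths.instance.UserDirEnrollment.ldap.ldapconn.host=ldap.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=636
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=true
"""

SAMPLE_PASSWORD_CONF = """\
internaldb=<redacted>
replicationdb=<redacted>
externalLDAP=password123
"""


if __name__ == "__main__":
    for problem in check_bound_ldap_auth(parse_kv(SAMPLE_CS_CFG), parse_kv(SAMPLE_PASSWORD_CONF)) or ["OK"]:
        print(problem)
```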
From: jmagne at redhat.com (John Magne)
Date: Wed, 5 Aug 2015 20:02:37 -0400 (EDT)
Subject: [Pki-devel] [PATCH] Removed more inaccessible URLs from server.xml
In-Reply-To: <55C14007.4000306@redhat.com>
References: <55C14007.4000306@redhat.com>
Message-ID: <1178169327.7363038.1438819357478.JavaMail.zimbra@redhat.com>

The fixes here look good and do what is intended.

Allow me to counter propose though. Those OCSP URLs, at least on my system with an OCSP responder, actually do something:

For instance: http://host:8080/ee/ocsp/ee/ blob actually works.

It works with wget or with the browser if you append "/" on the end. The server actually processes the request and sends a file with the binary ocsp response.

The proposal is: Can we just put the dummy on the end to tell the user that these URLs are in fact used to verify certificates?

For those that report that going to the URL with the browser results in an error, I do not understand. On my box, if you go straight to the URL with no request on the end, it just greets you with a blank page and does not error out.

----- Original Message -----
> From: "Matthew Harmsen" > To: "pki-devel" > Sent: Tuesday, August 4, 2015 3:43:19 PM > Subject: [Pki-devel] [PATCH] Removed more inaccessible URLs from server.xml > > Please review the attached patch which addresses the following two tickets: > > > * PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI > subsystems which are not accessible > * PKI TRAC Ticket #1518 - OCSP ee url returned by pkidaemon status tomcat > shows an error page > > > These were tested by installing four new instances and running 'pkidaemon > status tomcat pki-tomcat'. The following four inaccessible URLs no longer > showed up: > > > * Unsecure URL = http://pki.example.com:8080/kra/ee/kra (1443) > * Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp (1518) > * Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp (1518) > * Unsecure URL = http://pki.example.com:8080/tks/ee/tks (1443) > > > Additionally, a test was run which showed that the upgrade code worked > successfully: > > > # pkidaemon status tomcat pki-tomcat > Status for pki-tomcat: pki-tomcat is running .. 
> > [CA Status Definitions] > Unsecure URL = http://pki.example.com:8080/ca/ee/ca > Secure Agent URL = https://pki.example.com:8443/ca/agent/ca > Secure EE URL = https://pki.example.com:8443/ca/ee/ca > Secure Admin URL = https://pki.example.com:8443/ca/services > PKI Console Command = pkiconsole https://pki.example.com:8443/ca > Tomcat Port = 8005 (for shutdown) > > [DRM Status Definitions] > Unsecure URL = http://pki.example.com:8080/kra/ee/kra > Secure Agent URL = https://pki.example.com:8443/kra/agent/kra > Secure Admin URL = https://pki.example.com:8443/kra/services > PKI Console Command = pkiconsole https://pki.example.com:8443/kra > Tomcat Port = 8005 (for shutdown) > > [OCSP Status Definitions] > Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp > Secure Agent URL = https://pki.example.com:8443/ocsp/agent/ocsp > Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp > Secure Admin URL = https://pki.example.com:8443/ocsp/services > PKI Console Command = pkiconsole https://pki.example.com:8443/ocsp > Tomcat Port = 8005 (for shutdown) > > [TKS Status Definitions] > Unsecure URL = http://pki.example.com:8080/tks/ee/tks > Secure Agent URL = https://pki.example.com:8443/tks/agent/tks > Secure Admin URL = https://pki.example.com:8443/tks/services > PKI Console Command = pkiconsole https://pki.example.com:8443/tks > Tomcat Port = 8005 (for shutdown) > > [CA Configuration Definitions] > PKI Instance Name: pki-tomcat > > PKI Subsystem Type: Root CA (Security Domain) > > Registered PKI Security Domain Information: > ========================================================================== > Name: example.com Security Domain > URL: https://pki.example.com:8443 > ========================================================================== > > [DRM Configuration Definitions] > PKI Instance Name: pki-tomcat > > PKI Subsystem Type: DRM > > Registered PKI Security Domain Information: > ========================================================================== > Name: 
example.com Security Domain > URL: https://pki.example.com:8443 > ========================================================================== > > [OCSP Configuration Definitions] > PKI Instance Name: pki-tomcat > > PKI Subsystem Type: OCSP > > Registered PKI Security Domain Information: > ========================================================================== > Name: example.com Security Domain > URL: https://pki.example.com:8443 > ========================================================================== > > [TKS Configuration Definitions] > PKI Instance Name: pki-tomcat > > PKI Subsystem Type: TKS > > Registered PKI Security Domain Information: > ========================================================================== > Name: example.com Security Domain > URL: https://pki.example.com:8443 > ========================================================================== > After running the upgrade script, the inaccessible URLs were removed: > > > # pkidaemon status tomcat pki-tomcat > Status for pki-tomcat: pki-tomcat is running .. 
> > [CA Status Definitions] > Unsecure URL = http://pki.example.com:8080/ca/ee/ca > Secure Agent URL = https://pki.example.com:8443/ca/agent/ca > Secure EE URL = https://pki.example.com:8443/ca/ee/ca > Secure Admin URL = https://pki.example.com:8443/ca/services > PKI Console Command = pkiconsole https://pki.example.com:8443/ca > Tomcat Port = 8005 (for shutdown) > > [DRM Status Definitions] > Secure Agent URL = https://pki.example.com:8443/kra/agent/kra > Secure Admin URL = https://pki.example.com:8443/kra/services > PKI Console Command = pkiconsole https://pki.example.com:8443/kra > Tomcat Port = 8005 (for shutdown) > > [OCSP Status Definitions] > Secure Agent URL = https://pki.example.com:8443/ocsp/agent/ocsp > Secure Admin URL = https://pki.example.com:8443/ocsp/services > PKI Console Command = pkiconsole https://pki.example.com:8443/ocsp > Tomcat Port = 8005 (for shutdown) > > [TKS Status Definitions] > Secure Agent URL = https://pki.example.com:8443/tks/agent/tks > Secure Admin URL = https://pki.example.com:8443/tks/services > PKI Console Command = pkiconsole https://pki.example.com:8443/tks > Tomcat Port = 8005 (for shutdown) > > [CA Configuration Definitions] > PKI Instance Name: pki-tomcat > > PKI Subsystem Type: Root CA (Security Domain) > > Registered PKI Security Domain Information: > ========================================================================== > Name: example.com Security Domain > URL: https://pki.example.com:8443 > ========================================================================== > > [DRM Configuration Definitions] > PKI Instance Name: pki-tomcat > > PKI Subsystem Type: DRM > > Registered PKI Security Domain Information: > ========================================================================== > Name: example.com Security Domain > URL: https://pki.example.com:8443 > ========================================================================== > > [OCSP Configuration Definitions] > PKI Instance Name: pki-tomcat > > PKI Subsystem 
Type: OCSP
>
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
>
> [TKS Configuration Definitions]
> PKI Instance Name: pki-tomcat
>
> PKI Subsystem Type: TKS
>
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================

From jmagne at redhat.com Thu Aug 6 00:57:34 2015
From: jmagne at redhat.com (John Magne)
Date: Wed, 5 Aug 2015 20:57:34 -0400 (EDT)
Subject: [Pki-devel] [PATCH] pki-cfu-0090-Ticket-1531-Directory-auth-plugin-requires-LDAP-anon.patch
In-Reply-To: <55C29F94.9030902@redhat.com>
References: <55C29F94.9030902@redhat.com>
Message-ID: <1616920711.7372205.1438822654209.JavaMail.zimbra@redhat.com>

This looks fine, with the caveat of tested to work of course, which you have already stated.

Just a couple of minor things, and then a conditional ACK

1. In CMSEngine: this block:

if (tag.equals("internaldb")) {
authType = config.getString("internaldb.ldapauth.authtype", "BasicAuth");
@@ -382,8 +384,35 @@ public class CMSEngine implements ICMSEngine { binddn = config.getString("ca.publish.ldappublish.ldap.ldapauth.bindDN"); } else { - // ignore any others for now - continue; + /* + * This section assumes a generic format of + * .ldap.xxx + * where is specified under the tag substore + * + * e.g. if tag = "externalLDAP" + * cms.passwordlist=...,externalLDAP + * externalLDAP.prefix=auths.instance.UserDirEnrollment + * + * auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth + * auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Corporate Directory Manager + * auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP + * auths.instance.UserDirEnrollment.ldap.ldapconn.host=host.example.com + * auths.instance.UserDirEnrollment.ldap.ldapconn.port=389 + * auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false + */ + String prefix = config.getString(tag + ".prefix"); + System.out.println("CMSEngine.initializePasswordStore(): prefix=" + prefix); + authType = config.getString(prefix +".ldap.ldapauth.authtype", "BasicAuth"); + System.out.println("CMSEngine.initializePasswordStore(): authType " + authType); + if (!authType.equals("BasicAuth")) + continue;

In the else clause could we short circuit processing earlier if we find something we don't like, for instance:

String prefix = config.getString(tag + ".prefix");

No need to go on if that fails. The same for the rest of the values checked.

2. Can we rename "prefix" to something more friendly to the user like "auths-prefix" so it is clearer to the user what the exact purpose of that setting is.

----- Original Message -----
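Review bot: The two `System.out.println("CMSEngine.initializePasswordStore(): ...")` calls in the new `else` branch should be `CMS.debug` like the rest of the engine; stdout bypasses the debug log and its level control, and the second call prints the configured `authType` for every tag at startup. On the example in the comment block: `bindDN=cn=Corporate Directory Manager` paired with `ldapconn.secureConn=false` on port 389 documents a directory-manager bind whose password crosses the wire in clear, which is the opposite of what an admin should copy; the `uid=rhcs,ou=serviceaccounts,...` service account from the cover mail together with `secureConn=true` is the example to keep. Agree with the earlier point that `config.getString(tag + ".prefix")` with no default throws rather than skips a tag without a prefix, so the branch needs to decide whether a missing prefix is fatal or means "not ours, continue".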
> From: "Christina Fu"
> To: "pki-devel"
> Sent: Wednesday, August 5, 2015 4:43:16 PM
> Subject: [Pki-devel] [PATCH] pki-cfu-0090-Ticket-1531-Directory-auth-plugin-requires-LDAP-anon.patch
>
> This patch is for ticket
> https://fedorahosted.org/pki/ticket/1531 Directory auth plugin requires
> LDAP anonymous binds
>
> This patch adds a feature to allow a directory based authentication
> plugin
> to use a bound ldap connection instead of anonymous.
> Two files need to be edited
> 1. /conf/password.conf
> add a "tag" and the password of the binding user dn to the file
> e.g. externalLDAP=password123
> 2. /ca/CS.cfg
> add the tag to cms.passwordlist:
> e.g. cms.passwordlist=internaldb,replicationdb,externalLDAP
> add the prefix of the auths entry for the authentication instance
> e.g. externalLDAP.prefix=auths.instance.UserDirEnrollment
> add relevant entries to the authentication instance
> e.g. auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
> auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
> auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com
> auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
>
> The code has been tested to work.
> The code (in its plugin form) has also been tested to work successfully
> with an ldap server that has its anonymous bind turned off.
>
> thanks,
> Christina

From cheimes at redhat.com Thu Aug 6 11:16:49 2015
From: cheimes at redhat.com (Christian Heimes) Date: Thu, 6 Aug 2015 13:16:49 +0200 Subject: [Pki-devel] PKIConnection cert validation #1253 In-Reply-To: <55C23F99.8040703@redhat.com> References: <55C227B0.6000507@redhat.com> <55C23F99.8040703@redhat.com> Message-ID: <55C34221.6020402@redhat.com> On 2015-08-05 18:53, Endi Sukma Dewata wrote: > I'm not fully familiar with the process, but I have some comments below. Thanks :) > I suppose if LDAPS is required, the DS trust anchor would have to be > provided before running pkispawn. Correct, pkispawn even asks for the trust anchor. By the way the X.509 cert for LDAPS may not necessarily have the same trust anchor as the PKI security domain. >> Case #2: new subsystem on the same host >> --------------------------------------- >> >> For new subsystems on the same host, pkispawn simply has to trust the CA >> Signing Certificate from #1. The same is true for the 389-DS server cert. > > If the new subsystem is in the same instance as the CA, they will share > the same NSS database, so I suppose there's no additional steps required > to trust the CA/DS certs. > > If the new subsystem is in a different instance, it will require > exporting into PKCS #12 file as in case #3. Good catch! IMO we can treat the case like case #3. >> Case #3: subsystem on different host >> ------------------------------------ >> >> When a new subsystem is installed on a different host, the user must >> provide the trust anchor for 389-DS out-of-band. > > And some other CA certs too. > >> A user could also use >> plain LDAP, but let's not go there. > > To my understanding LDAPS is optional. The DS might be local and secured > in some ways that a plain LDAP connection is acceptable. Yes, LDAPS or StartTLS for LDAP are optional. Let's work under the basic requirement that the LDAP connection is properly secured. It's a different topic. > Do you want to get the trust anchors with LDAPS or a plain LDAP? 
If > LDAPS, doesn't it mean you need to have the trust anchors already? > > Since we will be transporting some CA certs & keys via PKCS #12 anyway, > we might as well include the DS trust anchor there. LDAPS implies that we already have *a* trust anchor *somewhere*. But it doesn't mean that we have the trust anchor for PKI RPC calls over HTTPS. For example the DS server might use a certificate that is signed by a public root CA or some other CA that is already in the system cert. >> Conclusion >> ========== >> >> In case #1 pkispawn should dump the self-signed cert from NSS DB to PEM >> file. requests can then load the self-signed cert as CA cert. For >> self-signed certs this makes the cert trusted. The file should be >> removed at the end of the installation. > > Right. Additionally, at the end of installation we probably should > export the trust anchors into PEM and store it at a standard location > (e.g. SSL_CERT_DIR) so all applications can use it immediately. Yes, that's exactly my idea, too. Do you have a suggestion for a directory? We should also consider the case of multiple independent PKIs on the same host. I'm not sure how to solve the issue. Perhaps we can store the trust anchor as pki-$NAME.pem and maintain a combined file with all trust anchors? The trust anchor should also be removed by pkidestroy. > If the subsystem is installed on the same host, the trust anchors should > already be available in the default location. Right! >> In case #3 the cert must either be provided out-of-band or grabbed from >> LDAP. I like the idea to grab it from LDAP and have an official API to >> do so. Other systems like FreeIPA could use the same API, too. Like in >> case #2 the cert should be dumped to a public-readable location. > > If the subsystem is installed on a different host, the trust anchors > should be exported from the PKCS #12 into the standard location on that > host. I'm not very familiar with the setup. 
But I think a PKCS#12 is only involved for clones. For an external subsystem like an OCSP on a different host, a PKCS #12 file is not involved. During my test setup I only had to specify the DS and Security Domain hosts and credentials.

>> We could handle case #2 and #3 the same way and always grab the trust
>> anchor from LDAP. It's less code and more robust, too.
>
> As mentioned above, since we'll be transporting PKCS #12 file anyway,
> I'm not sure if we should/can use LDAP.

see above

>> 1) Is there a stable and easy way to find the trust anchor in LDAP? In
>> my test setup the trust anchor has subjectName='CN=CA Signing
>> Certificate,O=example.com Security Domain'. Is the name always similar?
>
> I'm not sure if that is guaranteed. A better way would be to retrieve
> the actual cert used by the subsystem by its tag/nickname:
> https://fedorahosted.org/pki/ticket/1473

#1473 has one flaw: A remote procedure call suffers from the chicken and egg dilemma. The trust anchor is required to make an authenticated RPC.

Christian

From ftweedal at redhat.com Thu Aug 6 12:32:21 2015
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 6 Aug 2015 22:32:21 +1000 Subject: [Pki-devel] PKIConnection cert validation #1253 In-Reply-To: <55C34221.6020402@redhat.com> References: <55C227B0.6000507@redhat.com> <55C23F99.8040703@redhat.com> <55C34221.6020402@redhat.com> Message-ID: <20150806123221.GV4843@dhcp-40-8.bne.redhat.com> On Thu, Aug 06, 2015 at 01:16:49PM +0200, Christian Heimes wrote: > On 2015-08-05 18:53, Endi Sukma Dewata wrote: > > I'm not fully familiar with the process, but I have some comments below. > > Thanks :) > > > I suppose if LDAPS is required, the DS trust anchor would have to be > > provided before running pkispawn. > > Correct, pkispawn even asks for the trust anchor. By the way the X.509 > cert for LDAPS may not necessarily have the same trust anchor as the PKI > security domain. > > >> Case #2: new subsystem on the same host > >> --------------------------------------- > >> > >> For new subsystems on the same host, pkispawn simply has to trust the CA > >> Signing Certificate from #1. The same is true for the 389-DS server cert. > > > > If the new subsystem is in the same instance as the CA, they will share > > the same NSS database, so I suppose there's no additional steps required > > to trust the CA/DS certs. > > > > If the new subsystem is in a different instance, it will require > > exporting into PKCS #12 file as in case #3. > > Good catch! IMO we can treat the case like case #3. > > > >> Case #3: subsystem on different host > >> ------------------------------------ > >> > >> When a new subsystem is installed on a different host, the user must > >> provide the trust anchor for 389-DS out-of-band. > > > > And some other CA certs too. > > > >> A user could also use > >> plain LDAP, but let's not go there. > > > > To my understanding LDAPS is optional. The DS might be local and secured > > in some ways that a plain LDAP connection is acceptable. > > Yes, LDAPS or StartTLS for LDAP are optional. 
Let's work under the basic > requirement that the LDAP connection is properly secured. It's a > different topic. > > > Do you want to get the trust anchors with LDAPS or a plain LDAP? If > > LDAPS, doesn't it mean you need to have the trust anchors already? > > > > Since we will be transporting some CA certs & keys via PKCS #12 anyway, > > we might as well include the DS trust anchor there. > > LDAPS implies that we already have *a* trust anchor *somewhere*. But it > doesn't mean that we have the trust anchor for PKI RPC calls over HTTPS. > For example the DS server might use a certificate that is signed by a > public root CA or some other CA that is already in the system cert. > > > >> Conclusion > >> ========== > >> > >> In case #1 pkispawn should dump the self-signed cert from NSS DB to PEM > >> file. requests can then load the self-signed cert as CA cert. For > >> self-signed certs this makes the cert trusted. The file should be > >> removed at the end of the installation. > > > > Right. Additionally, at the end of installation we probably should > > export the trust anchors into PEM and store it at a standard location > > (e.g. SSL_CERT_DIR) so all applications can use it immediately. > > Yes, that's exactly my idea, too. Do you have a suggestion for a directory? > On Fedora and RHEL the "official" way is to put the PEM file in /etc/pki/ca-trust/source/ then run update-ca-trust(8). (Unlink and update-ca-trust to remove the trust anchor.) > We should also consider the case of multiple independent PKIs on the > same host. I'm not sure how to solve the issue. Perhaps we can store the > trust anchor as pki-$NAME.pem and maintain a combined file with all > trust anchors? > I agree with using the instance name in the filename. Simple and makes it obvious where the file came from. > The trust anchor should also be removed by pkidestroy. > > > If the subsystem is installed on the same host, the trust anchors should > > already be available in the default location. 
> > Right!
>
> >> In case #3 the cert must either be provided out-of-band or grabbed from
> >> LDAP. I like the idea to grab it from LDAP and have an official API to
> >> do so. Other systems like FreeIPA could use the same API, too. Like in
> >> case #2 the cert should be dumped to a public-readable location.
> >
> > If the subsystem is installed on a different host, the trust anchors
> > should be exported from the PKCS #12 into the standard location on that
> > host.
>
> I'm not very familiar with the setup. But I think a PKCS#12 is only
> involved for clones. For an external subsystem like an OCSP on a
> different host, a PKCS #12 file is not involved. During my test setup I
> only had to specify the DS and Security Domain hosts and credentials.
>
> >> We could handle case #2 and #3 the same way and always grab the trust
> >> anchor from LDAP. It's less code and more robust, too.
> >
> > As mentioned above, since we'll be transporting PKCS #12 file anyway,
> > I'm not sure if we should/can use LDAP.
>
> see above
>
> >> 1) Is there a stable and easy way to find the trust anchor in LDAP? In
> >> my test setup the trust anchor has subjectName='CN=CA Signing
> >> Certificate,O=example.com Security Domain'. Is the name always similar?
> >
> > I'm not sure if that is guaranteed. A better way would be to retrieve
> > the actual cert used by the subsystem by its tag/nickname:
> > https://fedorahosted.org/pki/ticket/1473
>
> #1473 has one flaw: A remote procedure call suffers from the chicken and
> egg dilemma. The trust anchor is required to make an authenticated RPC.
>
> Christian

From cfu at redhat.com Fri Aug 7 00:51:03 2015
From: cfu at redhat.com (Christina Fu)
Date: Thu, 06 Aug 2015 17:51:03 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0090-Ticket-1531-Directory-auth-plugin-requires-LDAP-anon.patch
In-Reply-To: <1616920711.7372205.1438822654209.JavaMail.zimbra@redhat.com>
References: <55C29F94.9030902@redhat.com> <1616920711.7372205.1438822654209.JavaMail.zimbra@redhat.com>
Message-ID: <55C400F7.4080404@redhat.com>

Updated per jack's suggestion.

Also, during testing, one issue was discovered where a failed
authentication would cause the next one to fail. Investigation shows
that a bad connection gets recycled back to the pool and somehow the
underlying connection framework does not seem to clear it out.
My solution was to just disconnect the bad connection once it's
determined that it's botched, before it is returned back to the pool.
That seems to reset it and works well now.
Since this extra disconnect code needs to go into all authentication
plugins that extend the DirBasedAuthentication, I have to modify all
four of them to do the disconnect in case of ldap authentication failure.

thanks,
Christina

On 08/05/2015 05:57 PM, John Magne wrote:
> This looks fine, with the caveat of tested to work of course,
> which you have already stated.
>
> Just a couple of minor things, and then a conditional ACK
>
> 1. In CMSEngine: this block:
>
> if (tag.equals("internaldb")) {
> authType = config.getString("internaldb.ldapauth.authtype", "BasicAuth");
> @@ -382,8 +384,35 @@ public class CMSEngine implements ICMSEngine { > binddn = config.getString("ca.publish.ldappublish.ldap.ldapauth.bindDN"); > > } else { > - // ignore any others for now > - continue; > + /* > + * This section assumes a generic format of > + * .ldap.xxx > + * where is specified under the tag substore > + * > + * e.g. if tag = "externalLDAP" > + * cms.passwordlist=...,externalLDAP > + * externalLDAP.prefix=auths.instance.UserDirEnrollment > + * > + * auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth > + * auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Corporate Directory Manager > + * auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP > + * auths.instance.UserDirEnrollment.ldap.ldapconn.host=host.example.com > + * auths.instance.UserDirEnrollment.ldap.ldapconn.port=389 > + * auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false > + */ > + String prefix = config.getString(tag + ".prefix"); > + System.out.println("CMSEngine.initializePasswordStore(): prefix=" + prefix); > + authType = config.getString(prefix +".ldap.ldapauth.authtype", "BasicAuth"); > + System.out.println("CMSEngine.initializePasswordStore(): authType " + authType); > + if (!authType.equals("BasicAuth")) > + continue; > > > In the else clause could we short circuit processing earlier if we find something we don't like for instance: > > String prefix = config.getString(tag + ".prefix"); > > No need to go on if that fails. The same for the rest of the values checked. > > > > 2. Can we rename "prefix" to something more friendly to the user like "auths-prefix" to it is clearer to the user > what the exact purpose of that setting is. > > > > > > ----- Original Message ----- 
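Review bot: in the `else` branch, `config.getString(tag + ".prefix")` is looked up with no default value, unlike the `authType` lookup right after it, so a tag that is listed in cms.passwordlist but has no `.prefix` entry is never handled by the `continue` paths this branch provides; give the lookup a default and `continue` when it comes back empty, or catch the lookup failure and `continue`, so that one misconfigured tag cannot stop initializePasswordStore() from processing the remaining tags (this is the short circuit John asks for above, and the same applies to the authtype/bindDN/bindPWPrompt values read after it). The two `System.out.println` calls print the resolved prefix and auth type to stdout on every engine start; they should go through the engine's debug logging like the rest of CMSEngine, or be dropped before commit. The comment describing the expected layout reads `.ldap.xxx` and `where is specified under the tag substore` with its placeholder names missing, so spell out the prefix and tag names there to make the format unambiguous.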
>> From: "Christina Fu"
>> To: "pki-devel"
>> Sent: Wednesday, August 5, 2015 4:43:16 PM
>> Subject: [Pki-devel] [PATCH] pki-cfu-0090-Ticket-1531-Directory-auth-plugin-requires-LDAP-anon.patch
>>
>> This patch is for ticket
>> https://fedorahosted.org/pki/ticket/1531 Directory auth plugin requires
>> LDAP anonymous binds
>>
>> This patch adds a feature to allow a directory based authentication
>> plugin
>> to use bound ldap connection instead of anonymous.
>> Two files need to be edited
>> 1. /conf/password.conf
>> add a "tag" and the password of the binding user dn to the file
>> e.g. externalLDAP=password123
>> 2. /ca/CS.cfg
>> add the tag to cms.passwordlist:
>> e.g. cms.passwordlist=internaldb,replicationdb,externalLDAP
>> add the prefix of the auths entry for the authentication instance
>> e.g. externalLDAP.prefix=auths.instance.UserDirEnrollment
>> add relevant entries to the authentication instance
>> e.g. auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
>> auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
>> auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com
>> auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
>>
>> The code has been tested to work.
>> The code (in its plugin form) has also been tested to work successfully
>> with an ldap server that has its anonymous bind turned off.
>>
>> thanks,
>> Christina

Attachment: pki-cfu-0091-Ticket-1531-Directory-auth-plugin-requires-LDAP-anon.patch (text/x-patch, 17862 bytes)

From cheimes at redhat.com Fri Aug 7 17:27:16 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 7 Aug 2015 19:27:16 +0200
Subject: [Pki-devel] [PATCH 019] Temporary silence InsecureRequestWarning
Message-ID: <55C4EA74.1020108@redhat.com>

Hi,

this patch for https://fedorahosted.org/pki/ticket/1253 silences the
InsecureRequestWarning. The decorator makes it possible to silence only
our request calls. Other libraries aren't affected.

Christian

Attachment: pki-cheimes-0019-Temporary-silence-InsecureRequestWarning.patch (text/x-patch, 2419 bytes)

From jmagne at redhat.com Fri Aug 7 17:44:43 2015
From: jmagne at redhat.com (John Magne)
Date: Fri, 7 Aug 2015 13:44:43 -0400 (EDT)
Subject: [Pki-devel] [PATCH] pki-cfu-0090-Ticket-1531-Directory-auth-plugin-requires-LDAP-anon.patch
In-Reply-To: <55C400F7.4080404@redhat.com>
References: <55C29F94.9030902@redhat.com> <1616920711.7372205.1438822654209.JavaMail.zimbra@redhat.com> <55C400F7.4080404@redhat.com>
Message-ID: <507378983.8596461.1438969483178.JavaMail.zimbra@redhat.com>

After the fixes and some further discussion over the connection issue being resolved:

ACK

----- Original Message -----
From: "Christina Fu"
To: "pki-devel"
Sent: Thursday, August 6, 2015 5:51:03 PM
Subject: Re: [Pki-devel] [PATCH] pki-cfu-0090-Ticket-1531-Directory-auth-plugin-requires-LDAP-anon.patch

From cfu at redhat.com Fri Aug 7 18:12:00 2015
From: cfu at redhat.com (Christina Fu)
Date: Fri, 07 Aug 2015 11:12:00 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0090-Ticket-1531-Directory-auth-plugin-requires-LDAP-anon.patch
In-Reply-To: <507378983.8596461.1438969483178.JavaMail.zimbra@redhat.com>
References: <55C29F94.9030902@redhat.com> <1616920711.7372205.1438822654209.JavaMail.zimbra@redhat.com> <55C400F7.4080404@redhat.com> <507378983.8596461.1438969483178.JavaMail.zimbra@redhat.com>
Message-ID: <55C4F4F0.3090403@redhat.com>

pushed to master:
commit c13593770108b6d683ab3d3b43b92d67ac64a1ef

thanks,
Christina

On 08/07/2015 10:44 AM, John Magne wrote:
> After the fixes and some further discussion over the connection issue being resolved:
>
> ACK
>
> ----- Original Message -----
> From: "Christina Fu"
> To: "pki-devel"
> Sent: Thursday, August 6, 2015 5:51:03 PM
> Subject: Re: [Pki-devel] [PATCH] pki-cfu-0090-Ticket-1531-Directory-auth-plugin-requires-LDAP-anon.patch

From mharmsen at redhat.com Fri Aug 7 22:36:14 2015
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 07 Aug 2015 16:36:14 -0600
Subject: [Pki-devel] [PATCH] Removed more inaccessible URLs from server.xml
In-Reply-To: <55C14007.4000306@redhat.com>
References: <55C14007.4000306@redhat.com>
Message-ID: <55C532DE.5050104@redhat.com>

Per discussions via email and IRC, the attached patch restores and
modifies the two OCSP URL links.

Additionally, this patch alters the pkidaemon man page to reflect these
changes.

-- Matt

On 08/04/15 16:43, Matthew Harmsen wrote:
> Please review the attached patch which addresses the following two
> tickets:
>
> * PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under
> PKI subsystems which are not accessible
>
> * PKI TRAC Ticket #1518 - OCSP ee url returned by pkidaemon status
> tomcat shows an error page
>
> These were tested by installing four new instances and running
> 'pkidaemon status tomcat pki-tomcat'. The following four inaccessible
> URLs no longer showed up:
>
> * Unsecure URL = http://pki.example.com:8080/kra/ee/kra (1443)
> * Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp (1518)
> * Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp (1518)
> * Unsecure URL = http://pki.example.com:8080/tks/ee/tks (1443)
>
> Additionally, a test was run which showed that the upgrade code worked
> successfully:
>
> # pkidaemon status tomcat pki-tomcat
> Status for pki-tomcat: pki-tomcat is running ..
>
> [CA Status Definitions]
> Unsecure URL = http://pki.example.com:8080/ca/ee/ca
> Secure Agent URL = https://pki.example.com:8443/ca/agent/ca
> Secure EE URL = https://pki.example.com:8443/ca/ee/ca
> Secure Admin URL = https://pki.example.com:8443/ca/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/ca
> Tomcat Port = 8005 (for shutdown)
>
> [DRM Status Definitions]
> Unsecure URL = http://pki.example.com:8080/kra/ee/kra
> Secure Agent URL = https://pki.example.com:8443/kra/agent/kra
> Secure Admin URL = https://pki.example.com:8443/kra/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/kra
> Tomcat Port = 8005 (for shutdown)
>
> [OCSP Status Definitions]
> Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp
> Secure Agent URL = https://pki.example.com:8443/ocsp/agent/ocsp
> Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp
> Secure Admin URL = https://pki.example.com:8443/ocsp/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/ocsp
> Tomcat Port = 8005 (for shutdown)
>
> [TKS Status Definitions]
> Unsecure URL = http://pki.example.com:8080/tks/ee/tks
> Secure Agent URL = https://pki.example.com:8443/tks/agent/tks
> Secure Admin URL = https://pki.example.com:8443/tks/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/tks
> Tomcat Port = 8005 (for shutdown)
>
> [CA Configuration Definitions]
> PKI Instance Name: pki-tomcat
>
> PKI Subsystem Type: Root CA (Security Domain)
>
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
>
> [DRM Configuration Definitions]
> PKI Instance Name: pki-tomcat
>
> PKI Subsystem Type: DRM
>
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
>
> [OCSP Configuration Definitions]
> PKI Instance Name: pki-tomcat
>
> PKI Subsystem Type: OCSP
>
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
>
> [TKS Configuration Definitions]
> PKI Instance Name: pki-tomcat
>
> PKI Subsystem Type: TKS
>
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
>
> After running the upgrade script, the inaccessible URLs were removed:
>
> # pkidaemon status tomcat pki-tomcat
> Status for pki-tomcat: pki-tomcat is running ..
>
> [CA Status Definitions]
> Unsecure URL = http://pki.example.com:8080/ca/ee/ca
> Secure Agent URL = https://pki.example.com:8443/ca/agent/ca
> Secure EE URL = https://pki.example.com:8443/ca/ee/ca
> Secure Admin URL = https://pki.example.com:8443/ca/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/ca
> Tomcat Port = 8005 (for shutdown)
>
> [DRM Status Definitions]
> Secure Agent URL = https://pki.example.com:8443/kra/agent/kra
> Secure Admin URL = https://pki.example.com:8443/kra/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/kra
> Tomcat Port = 8005 (for shutdown)
>
> [OCSP Status Definitions]
> Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp/
> Secure Agent URL = https://pki.example.com:8443/ocsp/agent/ocsp
> Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp/
> Secure Admin URL = https://pki.example.com:8443/ocsp/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/ocsp
> Tomcat Port = 8005 (for shutdown)
>
> [TKS Status Definitions]
> Secure Agent URL = https://pki.example.com:8443/tks/agent/tks
> Secure Admin URL = https://pki.example.com:8443/tks/services
> PKI Console Command = pkiconsole https://pki.example.com:8443/tks
> Tomcat Port = 8005 (for shutdown)
>
> [CA Configuration Definitions]
> PKI Instance Name: pki-tomcat
>
> PKI Subsystem Type: Root CA (Security Domain)
>
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
>
> [DRM Configuration Definitions]
> PKI Instance Name: pki-tomcat
>
> PKI Subsystem Type: DRM
>
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
>
> [OCSP Configuration Definitions]
> PKI Instance Name: pki-tomcat
>
> PKI Subsystem Type: OCSP
>
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
>
> [TKS Configuration Definitions]
> PKI Instance Name: pki-tomcat
>
> PKI Subsystem Type: TKS
>
> Registered PKI Security Domain Information:
> ==========================================================================
> Name: example.com Security Domain
> URL: https://pki.example.com:8443
> ==========================================================================
>

Attachment: 20150807-remove-more-inaccessible-URLs-from-server.xml.patch (text/x-patch, 8864 bytes)

From jmagne at redhat.com Fri Aug 7 23:25:14 2015
From: jmagne at redhat.com (John Magne)
Date: Fri, 7 Aug 2015 19:25:14 -0400 (EDT)
Subject: [Pki-devel] [PATCH] Removed more inaccessible URLs from server.xml
In-Reply-To: <55C532DE.5050104@redhat.com>
References: <55C14007.4000306@redhat.com> <55C532DE.5050104@redhat.com>
Message-ID: <2032688563.8689151.1438989914333.JavaMail.zimbra@redhat.com>

Looks like what we discussed in IRC : ACK

----- Original Message -----
From: "Matthew Harmsen"
To: "pki-devel"
Sent: Friday, August 7, 2015 3:36:14 PM
Subject: Re: [Pki-devel] [PATCH] Removed more inaccessible URLs from server.xml

From mharmsen at redhat.com Sat Aug 8 00:42:30 2015
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 07 Aug 2015 18:42:30 -0600
Subject: [Pki-devel] [PATCH] updated dependencies
Message-ID: <55C55076.8030807@redhat.com>

Please review the attached patch which addresses the following issues:

* PKI TRAC Ticket #1530 - Client pki-tools missing tomcat-servlet dependency
* PKI TRAC Ticket #1542 - Update tomcatjss dependency on Fedora 23 and later

Thanks,
-- Matt

Attachment: 20150807-updated-dependencies.patch (text/x-patch, 2539 bytes)

From edewata at redhat.com Sat Aug 8 04:47:50 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 7 Aug 2015 23:47:50 -0500
Subject: [Pki-devel] [PATCH 019] Temporary silence InsecureRequestWarning
In-Reply-To: <55C4EA74.1020108@redhat.com>
References: <55C4EA74.1020108@redhat.com>
Message-ID: <55C589F6.20900@redhat.com>

On 8/7/2015 12:27 PM, Christian Heimes wrote:
> Hi,
>
> this patch for https://fedorahosted.org/pki/ticket/1253 silences the
> InsecureRequestWarning. The decorator makes it possible to silence only
> our request calls. Other libraries aren't affected.
>
> Christian

ACK. Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Sat Aug 8 05:19:43 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 8 Aug 2015 00:19:43 -0500
Subject: [Pki-devel] [PATCH] updated dependencies
In-Reply-To: <55C55076.8030807@redhat.com>
References: <55C55076.8030807@redhat.com>
Message-ID: <55C5916F.1030909@redhat.com>

On 8/7/2015 7:42 PM, Matthew Harmsen wrote:
> Please review the attached patch which addresses the following issues:
>
> * PKI TRAC Ticket #1530 - Client pki-tools missing tomcat-servlet dependency
> * PKI TRAC Ticket #1542 - Update tomcatjss dependency on Fedora 23 and later
>
> Thanks,
> -- Matt

ACK. Pushed to master.

-- 
Endi S. Dewata

From mharmsen at redhat.com Sun Aug 9 19:05:28 2015
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Sun, 09 Aug 2015 13:05:28 -0600
Subject: [Pki-devel] Karma Request for Dogtag 10.2.6 in Fedora 22 & 23
In-Reply-To: <55B8754A.8000709@redhat.com>
References: <55B8754A.8000709@redhat.com>
Message-ID: <55C7A478.5080609@redhat.com>

Everyone,

Please provide Karma for the following Dogtag 10.2.6 packages for Fedora 22:

* dogtag-pki-theme-10.2.6-1.fc22
* pki-core-10.2.6-1.fc22
* pki-core-10.2.6-2.fc22
* pki-core-10.2.6-4.fc22
* pki-core-10.2.6-5.fc22
* pki-console-10.2.6-1.fc22
* dogtag-pki-10.2.6-1.fc22

and for Fedora 23:

* pki-core-10.2.6-5.fc23

Thanks,
-- Matt

From cfu at redhat.com Tue Aug 11 16:26:57 2015
From: cfu at redhat.com (Christina Fu)
Date: Tue, 11 Aug 2015 09:26:57 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0092-Ticket-1539-Unable-to-create-ECC-KRA-Instance-when-k.patch
Message-ID: <55CA2251.6000206@redhat.com>

This patch is for ticket:
https://fedorahosted.org/pki/ticket/1539 Unable to create ECC KRA Instance when kra admin key type is ECC

The fixed profiles have been tested to work. I was able to create EC admin certificates.

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0092-Ticket-1539-Unable-to-create-ECC-KRA-Instance-when-k.patch
Type: text/x-patch
Size: 2610 bytes
Desc: not available

From cheimes at redhat.com Tue Aug 11 17:55:23 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 11 Aug 2015 19:55:23 +0200
Subject: [Pki-devel] [PATCH 013-018] spring-cleaning for Python 3
In-Reply-To: <55ACD8BC.4000608@redhat.com>
References: <55ACD8BC.4000608@redhat.com>
Message-ID: <55CA370B.9000703@redhat.com>

On 2015-07-20 13:17, Christian Heimes wrote:
> Hello,
>
> I had some outstanding patches for Python 3 in my queue. Today I split
> them up in digestible portions. The attached patches are all hand-written.
> I'm planning to submit the auto-generated patches by python-modernize at
> a later point.

Endi has ACKed the patches on IRC. The patches have landed in master:

commit 1738f27d3683d58b3ab023724eb8d0133c428eef
commit 8ae5ec7f3774d81a1c3d79c2a05649de65b8658c
commit a51b8b657f90e69d4c6eaaaf4c24af6501331668
commit 82863bb9250477953fad80387190f8e1e6399d48
commit aa9e6a5added815631094131ff5e7ded48c911c3
commit e0af593277a26192992f939f24e6df3a0ec959f6

From cheimes at redhat.com Tue Aug 11 17:56:54 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 11 Aug 2015 19:56:54 +0200
Subject: [Pki-devel] [PATCH 020] Move pylint-build-scan.py to scripts directory
Message-ID: <55CA3766.1030601@redhat.com>

Endi has suggested moving the script and tweaking the file name matching a bit.

Move the internal helper and its configuration out of the project's root directory into scripts/. Also use re instead of fnmatch to find the upgrade scriptlets.

Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0020-Move-pylint-build-scan.py-to-scripts-directory.patch
Type: text/x-patch
Size: 5515 bytes
Desc: not available

From cheimes at redhat.com Tue Aug 11 19:31:09 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 11 Aug 2015 21:31:09 +0200
Subject: [Pki-devel] [PATCH 021] Make pki PEP 8 compatible
Message-ID: <55CA4D7D.4090503@redhat.com>

Large portions of the patch were automatically created with autopep8:

find base/ -name '*.py' | xargs autopep8 --in-place --ignore E309 \
    --aggressive
find base/common/upgrade base/server/upgrade -type f -and \
    -not -name .gitignore | xargs autopep8 --in-place --ignore E309 --aggressive
autopep8 --in-place --ignore E309 --aggressive \
    base/common/sbin/pki-upgrade \
    base/server/sbin/pkispawn \
    base/server/sbin/pkidestroy \
    base/server/sbin/pki-server \
    base/server/sbin/pki-server-upgrade

About two dozen violations were fixed manually.

https://fedorahosted.org/pki/ticket/708

NOTE: I'm going to add some checks to the PKI core spec file and tox later.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0021-Make-pki-PEP-8-compatible.patch
Type: text/x-patch
Size: 158349 bytes
Desc: not available

From jmagne at redhat.com Tue Aug 11 22:17:57 2015
From: jmagne at redhat.com (John Magne)
Date: Tue, 11 Aug 2015 18:17:57 -0400 (EDT)
Subject: [Pki-devel] [PATCH] pki-cfu-0092-Ticket-1539-Unable-to-create-ECC-KRA-Instance-when-k.patch
In-Reply-To: <55CA2251.6000206@redhat.com>
References: <55CA2251.6000206@redhat.com>
Message-ID: <964209551.11667296.1439331477600.JavaMail.zimbra@redhat.com>

ACK: Looks fine, and this is something I've seen in the past, so it totally makes sense.

----- Original Message -----
From: "Christina Fu"
To: "pki-devel"
Sent: Tuesday, August 11, 2015 9:26:57 AM
Subject: [Pki-devel] [PATCH] pki-cfu-0092-Ticket-1539-Unable-to-create-ECC-KRA-Instance-when-k.patch

This patch is for ticket:
https://fedorahosted.org/pki/ticket/1539 Unable to create ECC KRA Instance when kra admin key type is ECC

The fixed profiles have been tested to work. I was able to create EC admin certificates.

thanks,
Christina

From jmagne at redhat.com Wed Aug 12 01:40:13 2015
From: jmagne at redhat.com (John Magne)
Date: Tue, 11 Aug 2015 21:40:13 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0047-setpin-utility-doesn-t-set-the-pin-for-users.patch
In-Reply-To: <518357190.11738965.1439343544369.JavaMail.zimbra@redhat.com>
Message-ID: <893287167.11739128.1439343613771.JavaMail.zimbra@redhat.com>

[PATCH] setpin utility doesn't set the pin for users.

There were some things wrong with the setpin utility.

1. There were some syntax violations that had to be dealt with, or a DS with syntax checking would not be pleased.
2. The back end is expecting a byte of hash data at the beginning of the pin. In our case we are sending NO hash, so we want the code at the beginning '-', which means no hash.
3. We also need to prepend the dn in front of the pin so the back end can verify the set pin.

Tested to work during both steps of the setpin process: 1) creating the schema, 2) creating the pin.
Tested to work with actual PinBased Enrollment.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0047-setpin-utility-doesn-t-set-the-pin-for-users.patch
Type: text/x-patch
Size: 2654 bytes
Desc: not available

From alee at redhat.com Wed Aug 12 05:14:35 2015
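The pin record layout John describes above (a leading hash-type byte, '-' meaning no hash, and the dn prepended so the back end can verify the pin), as an added Python illustration written for this archive, not code from the setpin utility or the Dogtag back end; it also covers the later point in the thread where the hash becomes sha256 and sha1/md5 are dropped. The 'S' code byte for SHA-256, the UTF-8 encoding and the plain concatenation of dn and pin are assumptions.

```python
"""Pin record layout from the setpin thread, as a stand-alone illustration.

A stored record is one hash-type byte followed by a payload derived from
dn + pin.  The leading '-' meaning "no hash" is from the message; the 'S'
code for SHA-256, the UTF-8 encoding and the bare concatenation of dn and
pin are assumptions for this example, not the actual Dogtag format.
"""
import hashlib
import hmac

NO_HASH = b"-"      # from the thread: a leading '-' means the pin is stored unhashed
SHA256_CODE = b"S"  # assumed placeholder code byte for a SHA-256 digest


def _payload_input(dn: str, pin: str) -> bytes:
    # The dn is prepended so the record is bound to the entry it lives under:
    # a record copied to another entry will not verify for that entry.
    return (dn + pin).encode("utf-8")


def make_pin_record(dn: str, pin: str, hashed: bool = True) -> bytes:
    """Build the value to store: type byte + payload (hashed by default)."""
    data = _payload_input(dn, pin)
    if hashed:
        return SHA256_CODE + hashlib.sha256(data).digest()
    return NO_HASH + data


def record_type(record: bytes) -> str:
    """Name the hash type of a stored record, or 'unknown' for anything else."""
    if record[:1] == SHA256_CODE:
        return "sha256"
    if record[:1] == NO_HASH:
        return "none"
    return "unknown"


def verify_pin(record: bytes, dn: str, pin: str) -> bool:
    """Check a presented pin against a stored record.

    Unknown or retired type bytes (the thread dropped sha1 and md5) are
    rejected outright rather than falling back to a weaker comparison.
    """
    if len(record) < 2:
        return False
    code, payload = record[:1], record[1:]
    data = _payload_input(dn, pin)
    if code == SHA256_CODE:
        expected = hashlib.sha256(data).digest()
    elif code == NO_HASH:
        expected = data
    else:
        return False
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(payload, expected)
```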
From: alee at redhat.com (Ade Lee)
Date: Wed, 12 Aug 2015 01:14:35 -0400
Subject: [Pki-devel] [PATCH] 268 - fix serial number updates on clones
Message-ID: <1439356475.6402.4.camel@redhat.com>

Author: Ade Lee
Date: Wed Aug 12 00:57:46 2015 -0400

    Separate range and cert status threads

    We currently disable the cert status maintenance thread on
    clone CAs because CRL processing should only be done on the
    master CA. Currently, the maintenance thread also performs
    other checks on serial number ranges and settings. By disabling
    the maintenance thread, we disable these checks too.

    To fix this, we have separated the serial number checks into a
    different maintenance thread, so that these tasks will occur
    even if the cert status thread is disabled.

    Bugzilla # 1251606

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0268-Separate-range-and-cert-status-threads.patch
Type: text/x-patch
Size: 6666 bytes
Desc: not available

From alee at redhat.com Wed Aug 12 16:32:39 2015
From: alee at redhat.com (Ade Lee)
Date: Wed, 12 Aug 2015 12:32:39 -0400
Subject: [Pki-devel] [PATCH] 268 - fix serial number updates on clones
In-Reply-To: <1439356475.6402.4.camel@redhat.com>
References: <1439356475.6402.4.camel@redhat.com>
Message-ID: <1439397159.6402.21.camel@redhat.com>

acked by endi - checked into master with small changes.

Ade

On Wed, 2015-08-12 at 01:14 -0400, Ade Lee wrote:
> Author: Ade Lee
> Date: Wed Aug 12 00:57:46 2015 -0400
>
> Separate range and cert status threads
>
> We currently disable the cert status maintenance thread on
> clone CAs because CRL processing should only be done on the
> master CA. Currently, the maintenance thread also performs
> other checks on serial number ranges and settings. By disabling
> the maintenance thread, we disable these checks too.
>
> To fix this, we have separated the serial number checks into a
> different maintenance thread, so that these tasks will occur
> even if the cert status thread is disabled.
>
> Bugzilla # 1251606

From cfu at redhat.com Wed Aug 12 17:17:00 2015
From: cfu at redhat.com (Christina Fu)
Date: Wed, 12 Aug 2015 10:17:00 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch
Message-ID: <55CB7F8C.80708@redhat.com>

Ticket 1543 portalEnroll authentication does not load during creation from Console
https://fedorahosted.org/pki/ticket/1543

It appears that the PortalEnroll plugin was never converted to work in the Profile Framework.
This patch takes out the following line from CS.cfg:
auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll

so that it cannot be instantiated from the console, nor manually in CS.cfg, unless explicitly put back in.
While in CS.cfg.in, I found the NSSAuth auths.impl line having no real implementation, so I remove that too.

thanks,
Christina

From cfu at redhat.com Wed Aug 12 17:45:57 2015
From: cfu at redhat.com (Christina Fu)
Date: Wed, 12 Aug 2015 10:45:57 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch
In-Reply-To: <55CB7F8C.80708@redhat.com>
References: <55CB7F8C.80708@redhat.com>
Message-ID: <55CB8655.1050600@redhat.com>

now with the patch...

On 08/12/2015 10:17 AM, Christina Fu wrote:
> Ticket 1543 portalEnroll authentication does not load during creation
> from Console
> https://fedorahosted.org/pki/ticket/1543
>
> It appears that the PortalEnroll plugin was never converted to
> work in the Profile Framework.
> This patch takes out the following line from CS.cfg:
> auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
>
> so that it cannot be instantiated from the console, nor manually
> in CS.cfg, unless explicitly put back in.
> While in CS.cfg.in, I found the NSSAuth auths.impl line having no
> real implementation, so I remove that too.
>
> thanks,
> Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch
Type: text/x-patch
Size: 1684 bytes
Desc: not available

From edewata at redhat.com Wed Aug 12 17:47:29 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 12 Aug 2015 12:47:29 -0500
Subject: [Pki-devel] [PATCH] 639 Fixed missing query parameters in ListCerts page.
Message-ID: <55CB86B1.5080707@redhat.com>

The ListCerts servlet and the templates have been fixed to pass
the skipRevoked and skipNonValid parameters to the subsequent page.

Some debugging messages have been cleaned up as well.

https://fedorahosted.org/pki/ticket/1538

-- 
Endi S. Dewata

-------------- next part --------------
From 86d7e0ec3ccbb849f0b2ba33b76d167c3950aced Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" Date: Wed, 12 Aug 2015 18:59:57 +0200 Subject: [PATCH] Fixed missing query parameters in ListCerts page. The ListCerts servlet and the templates have been fixed to pass the skipRevoked and skipNonValid parameters to the subsequent page. Some debugging messages have been cleaned up as well. https://fedorahosted.org/pki/ticket/1538 --- .../shared/webapps/ca/agent/ca/queryCert.template | 4 ++ base/ca/shared/webapps/ca/ee/ca/queryCert.template | 4 ++ .../com/netscape/cms/servlet/cert/ListCerts.java | 60 +++++++++++----------- 3 files changed, 37 insertions(+), 31 deletions(-) diff --git a/base/ca/shared/webapps/ca/agent/ca/queryCert.template b/base/ca/shared/webapps/ca/agent/ca/queryCert.template index 40ee64b0c0b62a0ff409f2617b956647b8779b59..0a423823fe874253f5bff5fad44608eae471c401 100644 --- a/base/ca/shared/webapps/ca/agent/ca/queryCert.template +++ b/base/ca/shared/webapps/ca/agent/ca/queryCert.template @@ -474,6 +474,10 @@ document.write( result.header.totalRecordCount+ "'>\n"+ "\n"+ +"\n"+ +"\n"+ "\n"+ "\n"+ "\n"+ +"\n"+ +"\n"+ "\n"+ " mMaxReturns) { - com.netscape.certsrv.apps.CMS.debug("Resetting page size from " + maxCount + " to " + mMaxReturns); + CMS.debug("ListCerts: Resetting page size from " + maxCount + " to " + mMaxReturns); maxCount = mMaxReturns; } @@ -303,7 +295,7 @@ public class ListCerts extends CMSServlet { return; } - com.netscape.certsrv.apps.CMS.debug("queryCertFilter=" + queryCertFilter); + CMS.debug("ListCerts: queryCertFilter: " + queryCertFilter); int totalRecordCount = -1; 
@@ -311,18 +303,18 @@ public class ListCerts extends CMSServlet { totalRecordCount = Integer.parseInt(req.getParameter("totalRecordCount")); } catch (Exception e) { } + processCertFilter(argSet, header, maxCount, sentinel, totalRecordCount, req.getParameter("serialTo"), queryCertFilter, req, resp, revokeAll, locale[0]); + } catch (NumberFormatException e) { - log(ILogger.LL_FAILURE, com.netscape.certsrv.apps.CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); - - error = - new EBaseException(com.netscape.certsrv.apps.CMS.getUserMessage(getLocale(req), - "CMS_BASE_INVALID_NUMBER_FORMAT")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); + error = new EBaseException(CMS.getUserMessage(getLocale(req), + "CMS_BASE_INVALID_NUMBER_FORMAT"), e); } catch (EBaseException e) { error = e; } @@ -347,9 +339,9 @@ public class ListCerts extends CMSServlet { } } catch (IOException e) { log(ILogger.LL_FAILURE, - com.netscape.certsrv.apps.CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); + CMS.getLogMessage("CMSGW_ERR_OUT_STREAM_TEMPLATE", e.toString())); throw new ECMSGWException( - com.netscape.certsrv.apps.CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR")); + CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"), e); } } @@ -488,9 +480,8 @@ public class ListCerts extends CMSServlet { // even though the filter is not matched. /*cfu - is this necessary? it breaks when paging up if (curSerial.compareTo(sentinel) == -1) { - com.netscape.certsrv.apps.CMS.debug("curSerial compare sentinel -1 break..."); - - break; + CMS.debug("curSerial compare sentinel -1 break..."); + break; } */ if (!serialToVal.equals(MINUS_ONE)) { 
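Review bot: in the `@@ -311,18 +303,18 @@` hunk the context lines `totalRecordCount = Integer.parseInt(req.getParameter("totalRecordCount")); } catch (Exception e) { }` that sit right before the moved `processCertFilter(...)` call still swallow every exception silently, so a malformed `totalRecordCount` falls through to -1 with no trace in the log, while the `NumberFormatException` path directly below now records its cause carefully; narrow that catch to `NumberFormatException` and log it the same way (`log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT"))`) so bad paging input is visible to whoever reads the logs.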
@@ -524,8 +515,8 @@ public class ListCerts extends CMSServlet { for (int ii = rcount - 1; ii >= 0; ii--) { if (recs[ii] != null) { CMS.debug("ListCerts: processing recs[" + ii + "]"); - IArgBlock rarg = com.netscape.certsrv.apps.CMS.createArgBlock(); - //com.netscape.certsrv.apps.CMS.debug("item "+ii+" is serial # "+ recs[ii].getSerialNumber()); + IArgBlock rarg = CMS.createArgBlock(); + // CMS.debug("item " + ii + " is serial #" + recs[ii].getSerialNumber()); fillRecordIntoArg(recs[ii], rarg); argSet.addRepeatRecord(rarg); } @@ -555,6 +546,13 @@ public class ListCerts extends CMSServlet { header.addStringValue("serviceURL", req.getRequestURI()); header.addStringValue("queryCertFilter", filter); + + String skipRevoked = req.getParameter("skipRevoked"); + header.addStringValue("skipRevoked", skipRevoked == null ? "" : skipRevoked); + + String skipNonValid = req.getParameter("skipNonValid"); + header.addStringValue("skipNonValid", skipNonValid == null ? "" : skipNonValid); + header.addStringValue("templateName", "queryCert"); header.addStringValue("queryFilter", filter); header.addIntegerValue("maxCount", maxCount); -- 2.1.0 From jmagne at redhat.com Wed Aug 12 17:56:09 2015 From: jmagne at redhat.com (John Magne) Date: Wed, 12 Aug 2015 13:56:09 -0400 (EDT) Subject: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch In-Reply-To: <55CB8655.1050600@redhat.com> References: <55CB7F8C.80708@redhat.com> <55CB8655.1050600@redhat.com> Message-ID: <1123110611.12357696.1439402169568.JavaMail.zimbra@redhat.com> This looks like a good solution at this point in time. ACK I would suggest we investigate the possibility of permanently ripping this thing out or actually fixing it and file the appropriate ticket. ----- Original Message ----- 
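Review bot: the `@@ -555,6 +546,13 @@` hunk copies the raw `skipRevoked` and `skipNonValid` request parameters into the response header (`header.addStringValue("skipRevoked", skipRevoked == null ? "" : skipRevoked)`), and the two queryCert.template hunks add lines to the same `document.write(...)` call that already interpolates `result.header` values into the page; since these are flags, normalize them to the expected literal before adding them (for example keep the value only when it equals "true", otherwise store "") so that arbitrary request input is not reflected into the HTML generated for the next page.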
From: "Christina Fu"
To: "pki-devel"
Sent: Wednesday, August 12, 2015 10:45:57 AM
Subject: Re: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch

now with the patch...

On 08/12/2015 10:17 AM, Christina Fu wrote:
> Ticket 1543 portalEnroll authentication does not load during creation
> from Console
> https://fedorahosted.org/pki/ticket/1543
>
> It appears that the PortalEnroll plugin was never converted to
> work in the Profile Framework.
> This patch takes out the following line from CS.cfg:
> auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
>
> so that it cannot be instantiated from the console, nor manually
> in CS.cfg, unless explicitly put back in.
> While in CS.cfg.in, I found the NSSAuth auths.impl line having no
> real implementation, so I remove that too.
>
> thanks,
> Christina

From edewata at redhat.com Wed Aug 12 18:10:34 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 12 Aug 2015 13:10:34 -0500
Subject: [Pki-devel] [PATCH] 639 Fixed missing query parameters in ListCerts page.
In-Reply-To: <55CB86B1.5080707@redhat.com>
References: <55CB86B1.5080707@redhat.com>
Message-ID: <55CB8C1A.3080005@redhat.com>

On 8/12/2015 12:47 PM, Endi Sukma Dewata wrote:
> The ListCerts servlet and the templates have been fixed to pass
> the skipRevoked and skipNonValid parameters to the subsequent page.
>
> Some debugging messages have been cleaned up as well.
>
> https://fedorahosted.org/pki/ticket/1538

ACKed by alee. Pushed to master.

-- 
Endi S. Dewata

From cfu at redhat.com Thu Aug 13 01:39:01 2015
From: cfu at redhat.com (Christina Fu)
Date: Wed, 12 Aug 2015 18:39:01 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch
In-Reply-To: <1123110611.12357696.1439402169568.JavaMail.zimbra@redhat.com>
References: <55CB7F8C.80708@redhat.com> <55CB8655.1050600@redhat.com> <1123110611.12357696.1439402169568.JavaMail.zimbra@redhat.com>
Message-ID: <55CBF535.8010103@redhat.com>

I tried the patch and looked at the code. Functionally, the non-hash option works, but for security reasons, please make the hashed option work as well, and make sure the hashed option is on by default.

thanks,
Christina

On 08/12/2015 10:56 AM, John Magne wrote:
> This looks like a good solution at this point in time.
>
> ACK
>
> I would suggest we investigate the possibility of permanently
> ripping this thing out or actually fixing it and file the appropriate ticket.
>
> ----- Original Message -----
> From: "Christina Fu"
> To: "pki-devel"
> Sent: Wednesday, August 12, 2015 10:45:57 AM
> Subject: Re: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch
>
> now with the patch...
>
> On 08/12/2015 10:17 AM, Christina Fu wrote:
>> Ticket 1543 portalEnroll authentication does not load during creation
>> from Console
>> https://fedorahosted.org/pki/ticket/1543
>>
>> It appears that the PortalEnroll plugin was never converted to
>> work in the Profile Framework.
>> This patch takes out the following line from CS.cfg:
>> auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
>>
>> so that it cannot be instantiated from the console, nor manually
>> in CS.cfg, unless explicitly put back in.
>> While in CS.cfg.in, I found the NSSAuth auths.impl line having no
>> real implementation, so I remove that too.
>>
>> thanks,
>> Christina

From jmagne at redhat.com Thu Aug 13 01:55:34 2015
From: jmagne at redhat.com (John Magne)
Date: Wed, 12 Aug 2015 21:55:34 -0400 (EDT)
Subject: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch
In-Reply-To: <1123110611.12357696.1439402169568.JavaMail.zimbra@redhat.com>
References: <55CB7F8C.80708@redhat.com> <55CB8655.1050600@redhat.com> <1123110611.12357696.1439402169568.JavaMail.zimbra@redhat.com>
Message-ID: <1166101700.12763267.1439430934030.JavaMail.zimbra@redhat.com>

I just found out the reason why the hashed versions were not working was that I chose the wrong syntax oid for the "pin" attribute. Noriko suggested an appropriate one and all is working now. Revised patch to come soon.

----- Original Message -----
From: "John Magne"
To: "Christina Fu"
Cc: "pki-devel"
Sent: Wednesday, August 12, 2015 10:56:09 AM
Subject: Re: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch

This looks like a good solution at this point in time.

ACK

I would suggest we investigate the possibility of permanently
ripping this thing out or actually fixing it and file the appropriate ticket.

----- Original Message -----
From: "Christina Fu"
To: "pki-devel"
Sent: Wednesday, August 12, 2015 10:45:57 AM
Subject: Re: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch

now with the patch...

On 08/12/2015 10:17 AM, Christina Fu wrote:
> Ticket 1543 portalEnroll authentication does not load during creation
> from Console
> https://fedorahosted.org/pki/ticket/1543
>
> It appears that the PortalEnroll plugin was never converted to
> work in the Profile Framework.
> This patch takes out the following line from CS.cfg:
> auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
>
> so that it cannot be instantiated from the console, nor manually
> in CS.cfg, unless explicitly put back in.
> While in CS.cfg.in, I found the NSSAuth auths.impl line having no
> real implementation, so I remove that too.
>
> thanks,
> Christina

From jmagne at redhat.com Thu Aug 13 02:07:59 2015
From: jmagne at redhat.com (John Magne)
Date: Wed, 12 Aug 2015 22:07:59 -0400 (EDT)
Subject: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch
In-Reply-To: <1166101700.12763267.1439430934030.JavaMail.zimbra@redhat.com>
References: <55CB7F8C.80708@redhat.com> <55CB8655.1050600@redhat.com> <1123110611.12357696.1439402169568.JavaMail.zimbra@redhat.com> <1166101700.12763267.1439430934030.JavaMail.zimbra@redhat.com>
Message-ID: <810156077.12768371.1439431679991.JavaMail.zimbra@redhat.com>

Patch again with the hashes working now.

----- Original Message -----
From: "John Magne"
To: "Christina Fu"
Cc: "pki-devel"
Sent: Wednesday, August 12, 2015 6:55:34 PM
Subject: Re: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch

I just found out the reason why the hashed versions were not working was that I chose the wrong syntax oid for the "pin" attribute. Noriko suggested an appropriate one and all is working now. Revised patch to come soon.

----- Original Message -----
From: "John Magne"
To: "Christina Fu"
Cc: "pki-devel"
Sent: Wednesday, August 12, 2015 10:56:09 AM
Subject: Re: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch

This looks like a good solution at this point in time.

ACK

I would suggest we investigate the possibility of permanently
ripping this thing out or actually fixing it and file the appropriate ticket.

----- Original Message -----
From: "Christina Fu"
To: "pki-devel"
Sent: Wednesday, August 12, 2015 10:45:57 AM
Subject: Re: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch

now with the patch...

On 08/12/2015 10:17 AM, Christina Fu wrote:
> Ticket 1543 portalEnroll authentication does not load during creation
> from Console
> https://fedorahosted.org/pki/ticket/1543
>
> It appears that the PortalEnroll plugin was never converted to
> work in the Profile Framework.
> This patch takes out the following line from CS.cfg:
> auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
>
> so that it cannot be instantiated from the console, nor manually
> in CS.cfg, unless explicitly put back in.
> While in CS.cfg.in, I found the NSSAuth auths.impl line having no
> real implementation, so I remove that too.
>
> thanks,
> Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0048-setpin-utility-doesn-t-set-the-pin-for-users.patch
Type: text/x-patch
Size: 2815 bytes
Desc: not available

From cfu at redhat.com Thu Aug 13 18:12:38 2015
From: cfu at redhat.com (Christina Fu)
Date: Thu, 13 Aug 2015 11:12:38 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch
In-Reply-To: <810156077.12768371.1439431679991.JavaMail.zimbra@redhat.com>
References: <55CB7F8C.80708@redhat.com> <55CB8655.1050600@redhat.com> <1123110611.12357696.1439402169568.JavaMail.zimbra@redhat.com> <1166101700.12763267.1439430934030.JavaMail.zimbra@redhat.com> <810156077.12768371.1439431679991.JavaMail.zimbra@redhat.com>
Message-ID: <55CCDE16.90308@redhat.com>

sorry I missed seeing this earlier... but could you replace the sha1 and md5 with sha2 instead?

thanks,
Christina

On 08/12/2015 07:07 PM, John Magne wrote:
> Patch again with the hashes working now.
>
> ----- Original Message -----
> From: "John Magne"
> To: "Christina Fu"
> Cc: "pki-devel"
> Sent: Wednesday, August 12, 2015 6:55:34 PM
> Subject: Re: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch
>
> I just found out the reason why the hashed versions were not working was that I
> chose the wrong syntax oid for the "pin" attribute. Noriko suggested an appropriate one
> and all is working now. Revised patch to come soon.
>
> ----- Original Message -----
> From: "John Magne"
> To: "Christina Fu"
> Cc: "pki-devel"
> Sent: Wednesday, August 12, 2015 10:56:09 AM
> Subject: Re: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch
>
> This looks like a good solution at this point in time.
>
> ACK
>
> I would suggest we investigate the possibility of permanently
> ripping this thing out or actually fixing it and file the appropriate ticket.
>
> ----- Original Message -----
> From: "Christina Fu"
> To: "pki-devel"
> Sent: Wednesday, August 12, 2015 10:45:57 AM
> Subject: Re: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch
>
> now with the patch...
>
> On 08/12/2015 10:17 AM, Christina Fu wrote:
>> Ticket 1543 portalEnroll authentication does not load during creation
>> from Console
>> https://fedorahosted.org/pki/ticket/1543
>>
>> It appears that the PortalEnroll plugin was never converted to
>> work in the Profile Framework.
>> This patch takes out the following line from CS.cfg:
>> auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
>>
>> so that it cannot be instantiated from the console, nor manually
>> in CS.cfg, unless explicitly put back in.
>> While in CS.cfg.in, I found the NSSAuth auths.impl line having no
>> real implementation, so I remove that too.
>>
>> thanks,
>> Christina

From jmagne at redhat.com Thu Aug 13 18:58:01 2015
From: jmagne at redhat.com (John Magne)
Date: Thu, 13 Aug 2015 14:58:01 -0400 (EDT)
Subject: [Pki-devel] [PATCH] 0049-setpin-utility-doesn-t-set-the-pinfor-users.patch
In-Reply-To: <810156077.12768371.1439431679991.JavaMail.zimbra@redhat.com>
References: <55CB7F8C.80708@redhat.com> <55CB8655.1050600@redhat.com> <1123110611.12357696.1439402169568.JavaMail.zimbra@redhat.com> <1166101700.12763267.1439430934030.JavaMail.zimbra@redhat.com> <810156077.12768371.1439431679991.JavaMail.zimbra@redhat.com>
Message-ID: <59992227.13902587.1439492281821.JavaMail.zimbra@redhat.com>

We have been updating the wrong email, but the subject name is fixed.

The latest patch now gives us a sha256 hash for the pins, and sha1 and md5 are gone as options. The back end gets a minor addition where it can deal with a sha256 hash when verifying the pin.

----- Original Message -----
From: "John Magne"
To: "Christina Fu"
Cc: "pki-devel"
Sent: Wednesday, August 12, 2015 7:07:59 PM
Subject: Re: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch

Patch again with the hashes working now.

----- Original Message -----
From: "John Magne"
To: "Christina Fu"
Cc: "pki-devel"
Sent: Wednesday, August 12, 2015 6:55:34 PM
Subject: Re: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch

I just found out the reason why the hashed versions were not working was that I chose the wrong syntax oid for the "pin" attribute. Noriko suggested an appropriate one and all is working now. Revised patch to come soon.

----- Original Message -----
From: "John Magne"
To: "Christina Fu"
Cc: "pki-devel"
Sent: Wednesday, August 12, 2015 10:56:09 AM
Subject: Re: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch

This looks like a good solution at this point in time. ACK

I would suggest we investigate the possibility of permanently ripping this thing out or actually fixing it, and file the appropriate ticket.

----- Original Message -----
From: "Christina Fu"
To: "pki-devel"
Sent: Wednesday, August 12, 2015 10:45:57 AM
Subject: Re: [Pki-devel] [PATCH] pki-cfu-0095-Ticket-1543-portalEnroll-authentication-does-not-loa.patch

now with the patch...

On 08/12/2015 10:17 AM, Christina Fu wrote:
> Ticket 1543 portalEnroll authentication does not load during creation
> from Console
> https://fedorahosted.org/pki/ticket/1543
>
> It appears that the PortalEnroll plugin was never converted to
> work in the Profile Framework.
> This patch takes out the following line from CS.cfg:
> auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
>
> so that it cannot be instantiated from the console, nor manually
> in CS.cfg, unless explicitly put back in.
> While in CS.cfg.in, I found the NSSAuth auths.impl line having no
> real implementation, so I remove that too.
>
> thanks,
> Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0049-setpin-utility-doesn-t-set-the-pin-for-users.patch
Type: text/x-patch
Size: 9940 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Aug 13 21:47:06 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 13 Aug 2015 16:47:06 -0500
Subject: [Pki-devel] [PATCH 020] Move pylint-build-scan.py to scripts directory
In-Reply-To: <55CA3766.1030601@redhat.com>
References: <55CA3766.1030601@redhat.com>
Message-ID: <55CD105A.1070905@redhat.com>

On 8/11/2015 12:56 PM, Christian Heimes wrote:
> Endi has suggested to move the script and to tweak the file name
> matching algorithms a bit.
>
> Move internal helper and its configuration out of the project's root
> directory into scripts/. Also use re instead of fnmatch to find the
> upgrade scriptlets.
>
> Christian

ACK.

-- 
Endi S. Dewata

From edewata at redhat.com Thu Aug 13 21:47:24 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 13 Aug 2015 16:47:24 -0500
Subject: [Pki-devel] [PATCH 021] Make pki PEP 8 compatible
In-Reply-To: <55CA4D7D.4090503@redhat.com>
References: <55CA4D7D.4090503@redhat.com>
Message-ID: <55CD106C.3010003@redhat.com>

On 8/11/2015 2:31 PM, Christian Heimes wrote:
> Large portions of the patch were automatically created with autopep8:
>
>     find base/ -name '*.py' | xargs autopep8 --in-place --ignore E309 \
>         --aggressive
>     find base/common/upgrade base/server/upgrade -type f -and \
>         -not -name .gitignore | autopep8 --in-place --ignore E309 --aggressive
>     autopep8 --in-place --ignore E309 --aggressive \
>         base/common/sbin/pki-upgrade \
>         base/server/sbin/pkispawn \
>         base/server/sbin/pkidestroy \
>         base/server/sbin/pki-server \
>         base/server/sbin/pki-server-upgrade
>
> About two dozen violations were fixed manually.
>
> https://fedorahosted.org/pki/ticket/708
>
> NOTE: I'm going to add some checks to the PKI core spec file and tox later.

Some comments:

1. In base/common/python/pki/cli.py we probably shouldn't insert a line break inside an argument:

    # If module command exists, include it as arguments: ...

2. In base/common/python/pki/crypto.py it probably should have been a decorator, but this is a separate issue.

    # abc.abstractmethod
    def get_cert(self, cert_nick):

3. In base/kra/functional/drmclient_deprecated.py this code is probably less readable than the original. Is there a better way to format it? It's deprecated code too, maybe we can just ignore/remove it.

    response['cert'] = b64.replace(
        CERT_HEADER,
        "").replace(
        CERT_FOOTER,
        "")

4. In base/server/python/pki/server/cli/migrate.py the line break isn't very nice:

    if valve.get(
            'className') == 'org.apache.catalina.valves.AccessLogValve':

Everything else looks good. It's up to you how you want to address the above items. Regardless, it's ACKed.

-- 
Endi S. Dewata

From cfu at redhat.com Fri Aug 14 02:47:11 2015
From: cfu at redhat.com (Christina Fu)
Date: Thu, 13 Aug 2015 19:47:11 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0096-Ticket-1556-Weak-HTTPS-TLS-ciphers.patch
Message-ID: <55CD56AF.8080008@redhat.com>

This is a preliminary patch for:
https://fedorahosted.org/pki/ticket/1556 Weak HTTPS TLS ciphers

It is preliminary because I have to leave a couple RSA ciphers under the ECC option due to the fact that if we leave that out, the configuration will not be able to connect with the temporary ssl server cert.

We could add code to remove those after the configuration, or we can leave it for a separate ticket.
We can discuss tomorrow morning.

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0096-Ticket-1556-Weak-HTTPS-TLS-ciphers.patch
Type: text/x-patch
Size: 6483 bytes
Desc: not available
URL:

From cheimes at redhat.com Fri Aug 14 10:15:42 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 14 Aug 2015 12:15:42 +0200
Subject: [Pki-devel] [PATCH 020] Move pylint-build-scan.py to scripts directory
In-Reply-To: <55CD105A.1070905@redhat.com>
References: <55CA3766.1030601@redhat.com> <55CD105A.1070905@redhat.com>
Message-ID: <55CDBFCE.2080602@redhat.com>

On 2015-08-13 23:47, Endi Sukma Dewata wrote:
> On 8/11/2015 12:56 PM, Christian Heimes wrote:
>> Endi has suggested to move the script and to tweak the file name
>> matching algorithms a bit.
>>
>> Move internal helper and its configuration out of the project's root
>> directory into scripts/. Also use re instead of fnmatch to find the
>> upgrade scriptlets.
>>
>> Christian
>
> ACK.

Thanks!

Pushed to master d63ade55f5cc2a9ecf21ea2b43cfac80149c4c29

Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL:

From cheimes at redhat.com Fri Aug 14 13:51:50 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 14 Aug 2015 15:51:50 +0200
Subject: [Pki-devel] [PATCH 021] Make pki PEP 8 compatible
In-Reply-To: <55CD106C.3010003@redhat.com>
References: <55CA4D7D.4090503@redhat.com> <55CD106C.3010003@redhat.com>
Message-ID: <55CDF276.5040209@redhat.com>

On 2015-08-13 23:47, Endi Sukma Dewata wrote:
> Some comments:
>
> 1. In base/common/python/pki/cli.py we probably shouldn't insert a line
> break inside an argument:
>
>     # If module command exists, include it as arguments: # command> ...
>
> 2. In base/common/python/pki/crypto.py it probably should have been a
> decorator, but this is a separate issue.
>
>     # abc.abstractmethod
>     def get_cert(self, cert_nick):
>
> 3. In base/kra/functional/drmclient_deprecated.py this code is probably
> less readable than the original. Is there a better way to format it?
> It's deprecated code too, maybe we can just ignore/remove it.
>
>     response['cert'] = b64.replace(
>         CERT_HEADER,
>         "").replace(
>         CERT_FOOTER,
>         "")
>
> 4. In base/server/python/pki/server/cli/migrate.py the line break isn't
> very nice:
>
>     if valve.get(
>             'className') == 'org.apache.catalina.valves.AccessLogValve':
>
> Everything else looks good. It's up to you how you want to address the
> above items. Regardless, it's ACKed.

Hi Endi,

thanks for the review. The automatic code wrapping feature of autopep8 isn't perfect. Before I created the patch ball, I fixed a bunch of places manually. It looks like three places slipped through. Good work :)

I rearranged 1, 3 and 4 and made the code more readable before I pushed the patch to master.

Pushed to master in 12badcabc1cd345256a4902f7b0583cf667ecd8d

Regards,
Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL:

From cheimes at redhat.com Fri Aug 14 13:59:37 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 14 Aug 2015 15:59:37 +0200
Subject: [Pki-devel] [PATCH 022] Modernize for Python 3 support
Message-ID: <55CDF449.2080504@redhat.com>

One big step for Python 3 support. With this patch and manual installation of pyldap and nss, pki can be imported under Python 3.4. The code doesn't run properly yet, though.

Run python-modernize fixers:

    libmodernize.fixes.fix_import
    libmodernize.fixes.fix_print
    libmodernize.fixes.fix_input_six
    libmodernize.fixes.fix_xrange_six
    lib2to3.fixes.fix_execfile
    libmodernize.fixes.fix_metaclass
    libmodernize.fixes.fix_unicode_type
    libmodernize.fixes.fix_dict_six

Add more from __future__ import absolute_import

Manually fix import problems with either six.moves or manual try/except ImportError blocks.

Remove Exception.message attribute access.

Add a workaround for policycoreutils-python3. It lacks sepolgen on Fedora 22.

Test pep8 and lint on Python 3 with tox.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL:

From cheimes at redhat.com Fri Aug 14 15:03:11 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 14 Aug 2015 17:03:11 +0200
Subject: [Pki-devel] [PATCH 022] Modernize for Python 3 support
In-Reply-To: <55CDF449.2080504@redhat.com>
References: <55CDF449.2080504@redhat.com>
Message-ID: <55CE032F.6090606@redhat.com>

And now with attachment.

I also attached a 2nd patch that fixes the one unit test under Python 3.

Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0022-Modernize-for-Python-3-support.patch
Type: text/x-patch
Size: 176267 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0023-Fix-encoding-issue.-On-Python-3-requests-requires-by.patch
Type: text/x-patch
Size: 2207 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL:

From cfu at redhat.com Fri Aug 14 16:07:25 2015
From: cfu at redhat.com (Christina Fu)
Date: Fri, 14 Aug 2015 09:07:25 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0096-Ticket-1556-Weak-HTTPS-TLS-ciphers.patch
In-Reply-To: <55CD56AF.8080008@redhat.com>
References: <55CD56AF.8080008@redhat.com>
Message-ID: <55CE123D.4040506@redhat.com>

Here is the investigation report on the issue:
https://fedorahosted.org/pki/ticket/1556#comment:1
Under which a couple things could be discussed.

Here is the workaround:
https://fedorahosted.org/pki/ticket/1556#comment:2

thanks,
Christina

On 08/13/2015 07:47 PM, Christina Fu wrote:
> This is a preliminary patch for:
> https://fedorahosted.org/pki/ticket/1556 Weak HTTPS TLS ciphers
>
> It is preliminary because I have to leave a couple RSA ciphers under
> the ECC option due to the fact that if we leave that out, the
> configuration will not be able to connect with the temporary ssl
> server cert.
>
> We could add code to remove those after the configuration, or we can
> leave it for a separate ticket.
> We can discuss tomorrow morning.
>
> thanks,
> Christina

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From alee at redhat.com Fri Aug 14 19:21:01 2015
From: alee at redhat.com (Ade Lee)
Date: Fri, 14 Aug 2015 15:21:01 -0400
Subject: [Pki-devel] [PATCH 022] Modernize for Python 3 support
In-Reply-To: <55CE032F.6090606@redhat.com>
References: <55CDF449.2080504@redhat.com> <55CE032F.6090606@redhat.com>
Message-ID: <1439580061.5685.13.camel@redhat.com>

Went through the 15 patches. Looks pretty straightforward and acks for the first 12 and the last patch, with the following comment:

1. Please add comments to describe some of the changes being made so that we have a record for later on.

This is particularly true for things like adding absolute_import (which doesn't have a reference in the code and someone might be tempted to remove in future).

On patch 13 - Manually fix import problems and access to Exception.message, I have the following question:

2. In base/server/python/pki/server/deployment/pkiparser.py and in base/common/python/pki/key.py, you solve the import problem for urllib by trying to import the Python 2 first and then Python 3 (or vice versa). Why doesn't importing the relevant six module work instead?

And on patch 14 (sepolgen):

3. Could you explain what the effect of your sepolgen change is?

Please co-ordinate checkins with Matt.

Ade

On Fri, 2015-08-14 at 17:03 +0200, Christian Heimes wrote:
> And now with attachment.
>
> I also attached a 2nd patch that fixes the one unit test under Python
> 3.
>
> Christian

From edewata at redhat.com Fri Aug 14 22:36:29 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 14 Aug 2015 17:36:29 -0500
Subject: [Pki-devel] [PATCH 022] Modernize for Python 3 support
In-Reply-To: <55CE032F.6090606@redhat.com>
References: <55CDF449.2080504@redhat.com> <55CE032F.6090606@redhat.com>
Message-ID: <55CE6D6D.6050901@redhat.com>

On 8/14/2015 10:03 AM, Christian Heimes wrote:
> And now with attachment.
>
> I also attached a 2nd patch that fixes the one unit test under Python 3.
>
> Christian

Some comments:

1. Build works on F22, but fails on F21:

    ************* Module pylint-build-scan
    I: 33, 0: Locally disabling import-error (F0401) (locally-disabled)
    ************* Module pki
    I: 33, 0: Locally disabling redefined-builtin (W0622) (locally-disabled)
    I:127, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
    I:141, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
    I:149, 0: Locally disabling invalid-name (C0103) (locally-disabled)
    I:161, 0: Locally disabling invalid-name (C0103) (locally-disabled)
    F: 33, 0: Unable to import 'six.moves' (import-error)
    ************* Module pki.encoder
    I: 36, 0: Locally disabling method-hidden (E0202) (locally-disabled)
    ************* Module pki.profile
    I:1361, 0: Locally disabling broad-except (W0703) (locally-disabled)
    I:1398, 0: Locally disabling broad-except (W0703) (locally-disabled)
    ************* Module pki.key
    I: 34, 0: Locally disabling no-name-in-module (E0611) (locally-disabled)
    I: 36, 0: Locally disabling no-name-in-module (E0611) (locally-disabled)
    I: 43, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
    I: 54, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
    I: 66, 0: Locally disabling invalid-name (C0103) (locally-disabled)
    I:118, 0: Locally disabling invalid-name (C0103) (locally-disabled)
    I:150, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
    I:186, 0: Locally disabling invalid-name (C0103) (locally-disabled)
    I:222, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
    I:258, 0: Locally disabling invalid-name (C0103) (locally-disabled)
    F: 34, 4: Unable to import 'urllib.parse' (import-error)
    ************* Module pki.upgrade
    I:545, 0: Locally disabling exec-used (W0122) (locally-disabled)
    I:632, 0: Locally disabling broad-except (W0703) (locally-disabled)
    I:699, 0: Locally disabling broad-except (W0703) (locally-disabled)
    ************* Module pki.server.cli.migrate
    I:166, 0: Locally disabling protected-access (W0212) (locally-disabled)
    I:279, 0: Locally disabling protected-access (W0212) (locally-disabled)
    ************* Module pki.server.cli.instance
    I:327, 0: Locally disabling no-member (E1101) (locally-disabled)
    I:327, 0: Locally disabling maybe-no-member (E1103) (locally-disabled)
    I:383, 0: Locally disabling no-member (E1101) (locally-disabled)
    I:383, 0: Locally disabling maybe-no-member (E1103) (locally-disabled)
    I:439, 0: Locally disabling no-member (E1101) (locally-disabled)
    I:439, 0: Locally disabling maybe-no-member (E1103) (locally-disabled)
    ************* Module pki.server.deployment.pkiparser
    I: 36, 0: Locally disabling no-name-in-module (E0611) (locally-disabled)
    I: 38, 0: Locally disabling import-error (F0401) (locally-disabled)
    I: 40, 0: Locally disabling redefined-builtin (W0622) (locally-disabled)
    I:362, 0: Locally disabling no-member (E1101) (locally-disabled)
    I:377, 0: Locally disabling no-member (E1101) (locally-disabled)
    F: 36, 4: Unable to import 'urllib.parse' (import-error)
    F: 40, 0: Unable to import 'six.moves' (import-error)
    F: 41, 0: Unable to import 'six.moves' (import-error)
    ************* Module pki.server.deployment.pkiscriptlet
    I: 36, 0: Locally disabling unused-argument (W0613) (locally-disabled)
    W: 29, 0: Class has no __init__ method (no-init)
    ************* Module pki.server.deployment.pkihelper
    I: 35, 0: Locally disabling no-name-in-module (E0611) (locally-disabled)
    I:1091, 0: Locally disabling broad-except (W0703) (locally-disabled)
    I:2978, 0: Locally disabling broad-except (W0703) (locally-disabled)
    I:2999, 0: Locally disabling broad-except (W0703) (locally-disabled)
    I:3903, 0: Locally disabling no-member (E1101) (locally-disabled)
    ************* Module pki.server.deployment.pkiconfig
    I: 25, 0: Locally disabling redefined-builtin (W0622) (locally-disabled)
    F: 25, 0: Unable to import 'six.moves' (import-error)
    ************* Module pki.server.deployment.scriptlets.security_databases
    W: 31, 0: Class has no __init__ method (no-init)
    ************* Module pki.server.deployment.scriptlets.webapp_deployment
    W: 33, 0: Class has no __init__ method (no-init)
    ************* Module pki.server.deployment.scriptlets.instance_layout
    W: 33, 0: Class has no __init__ method (no-init)
    ************* Module pki.server.deployment.scriptlets.finalization
    W: 32, 0: Class has no __init__ method (no-init)
    ************* Module pki.server.deployment.scriptlets.infrastructure_layout
    W: 32, 0: Class has no __init__ method (no-init)
    ************* Module pki.server.deployment.scriptlets.subsystem_layout
    W: 31, 0: Class has no __init__ method (no-init)
    ************* Module pki.server.deployment.scriptlets.selinux_setup
    W: 36, 0: Class has no __init__ method (no-init)
    ************* Module pki.server.deployment.scriptlets.slot_substitution
    W: 31, 0: Class has no __init__ method (no-init)
    ************* Module pki.server.deployment.scriptlets.initialization
    W: 31, 0: Class has no __init__ method (no-init)
    ************* Module pki.server.deployment.scriptlets.configuration
    W: 34, 0: Class has no __init__ method (no-init)
    I: 83, 0: Locally disabling unused-argument (W0613) (locally-disabled)
    ************* Module pkispawn
    I: 58, 0: Locally disabling unused-argument (W0613) (locally-disabled)
    I:602, 0: Locally disabling broad-except (W0703) (locally-disabled)
    ************* Module pkidestroy
    I: 55, 0: Locally disabling unused-argument (W0613) (locally-disabled)
    ************* Module pki-upgrade
    I: 31, 0: Locally disabling unused-argument (W0613) (locally-disabled)
    ************* Module pki-server-upgrade
    I: 33, 0: Locally disabling unused-argument (W0613) (locally-disabled)
    ************* Module 01-RemoveInaccessableURLsFromServerXML
    I: 34, 0: Locally disabling anomalous-backslash-in-string (W1401) (locally-disabled)
    ************* Module 01-AddKraAuditEvents
    I: 48, 0: Locally disabling unused-argument (W0613) (locally-disabled)

2. In "Manually fix import problems and access to Exception.message" you replaced e.message['desc'] with e.args[0]['desc']. I suppose the code works fine, but it's kind of strange that we'd have to use more cryptic code. Are there other alternatives?

Everything else looks fine. Thanks for the clarification about list().

-- 
Endi S. Dewata

From cfu at redhat.com Sat Aug 15 01:34:15 2015
From: cfu at redhat.com (Christina Fu)
Date: Fri, 14 Aug 2015 18:34:15 -0700
Subject: [Pki-devel] [PATCH] Ticket #1556 Weak HTTPS TLS ciphers
Message-ID: <55CE9717.1000403@redhat.com>

(this patch overrides the preliminary one sent out yesterday)
https://fedorahosted.org/pki/ticket/1556

Please note that the cipher lists can be considered to be ack'ed by Bob Relyea as it incorporates feedback directly from him.
All changes have been tested to work for both RSA and ECC servers.

Ticket #1556 Weak HTTPS TLS ciphers

This patch fixes the RSA ciphers that were mistakenly turned on under the ECC section, and off under the RSA section. A few adjustments have also been made based on Bob Relyea's feedback. A new file, /conf/ciphers.info, was also created to
1. provide info on the ciphers
2. provide default rsa and ecc ciphers for admins to incorporate into earlier instances (as a migration script might not be ideal due to possible customization)

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0097-Ticket-1556-Weak-HTTPS-TLS-ciphers.patch
Type: text/x-patch
Size: 15950 bytes
Desc: not available
URL:

From jmagne at redhat.com Sat Aug 15 02:51:54 2015
From: jmagne at redhat.com (John Magne)
Date: Fri, 14 Aug 2015 22:51:54 -0400 (EDT)
Subject: [Pki-devel] [PATCH] Ticket #1556 Weak HTTPS TLS ciphers
In-Reply-To: <55CE9717.1000403@redhat.com>
References: <55CE9717.1000403@redhat.com>
Message-ID: <1354297048.15321558.1439607114139.JavaMail.zimbra@redhat.com>

ACK, based on the fact that it has been tested to work, and that BobR has approved all the ciphers.

----- Original Message -----
From: "Christina Fu"
To: "pki-devel"
Sent: Friday, 14 August, 2015 6:34:15 PM
Subject: [Pki-devel] [PATCH] Ticket #1556 Weak HTTPS TLS ciphers

(this patch overrides the preliminary one sent out yesterday)
https://fedorahosted.org/pki/ticket/1556

Please note that the cipher lists can be considered to be ack'ed by Bob Relyea as it incorporates feedback directly from him.
All changes have been tested to work for both RSA and ECC servers.

Ticket #1556 Weak HTTPS TLS ciphers

This patch fixes the RSA ciphers that were mistakenly turned on under the ECC section, and off under the RSA section. A few adjustments have also been made based on Bob Relyea's feedback. A new file, /conf/ciphers.info, was also created to
1. provide info on the ciphers
2. provide default rsa and ecc ciphers for admins to incorporate into earlier instances (as a migration script might not be ideal due to possible customization)

thanks,
Christina

From cfu at redhat.com Sat Aug 15 04:05:10 2015
From: cfu at redhat.com (Christina Fu)
Date: Fri, 14 Aug 2015 21:05:10 -0700
Subject: [Pki-devel] [PATCH] Ticket #1556 Weak HTTPS TLS ciphers
In-Reply-To: <1354297048.15321558.1439607114139.JavaMail.zimbra@redhat.com>
References: <55CE9717.1000403@redhat.com> <1354297048.15321558.1439607114139.JavaMail.zimbra@redhat.com>
Message-ID: <55CEBA76.20400@redhat.com>

pushed to DOGTAG_10_2_BRANCH (for later cherry picking), as planned

commit 67c895851781d69343979cbcff138184803880ea

thanks,
Christina

On 08/14/2015 07:51 PM, John Magne wrote:
> ACK, based on the fact that is has been tested to work,
> and that BobR has approved all the ciphers.
>
> ----- Original Message -----
> From: "Christina Fu"
> To: "pki-devel"
> Sent: Friday, 14 August, 2015 6:34:15 PM
> Subject: [Pki-devel] [PATCH] Ticket #1556 Weak HTTPS TLS ciphers
>
> (this patch overrides the preliminary one sent out yesterday)
> https://fedorahosted.org/pki/ticket/1556
>
> Please note that the cipher lists can be considered to be ack'ed by Bob
> Relyea as it incorporates feedback directly from him.
> All changes have been tested to work for both RSA and ECC servers.
>
> Ticket #1556 Weak HTTPS TLS ciphers
>
> This patch fixes the RSA ciphers that were mistakenly turned on
> under ECC section, and off under RSA section. A few adjustments have also
> been made based on Bob Relyea's feedback. A new file,
> /conf/ciphers.info
> was also created to
> 1. provide info on the ciphers
> 2. provide default rsa and ecc ciphers for admins to incorporate
> into earlier instances (as migration script might not be ideal due to
> possible customization)
>
> thanks,
> Christina

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From cheimes at redhat.com Mon Aug 17 05:54:55 2015
From: cheimes at redhat.com (Christian Heimes)
Date: Mon, 17 Aug 2015 07:54:55 +0200
Subject: [Pki-devel] [PATCH 022] Modernize for Python 3 support
In-Reply-To: <1439580061.5685.13.camel@redhat.com>
References: <55CDF449.2080504@redhat.com> <55CE032F.6090606@redhat.com> <1439580061.5685.13.camel@redhat.com>
Message-ID: <55D1772F.5020809@redhat.com>

Ade,

thanks for your review of my gigantic patch set.

On 2015-08-14 21:21, Ade Lee wrote:
> Went through the 15 patches. Looks pretty straightforward and acks for
> the first 12 and the last patch, with the following comment:
>
> 1. Please add comments to describe some of the changes being made so
> that we have a record for later on.
>
> This is particularly true for things like adding absolute_import
> (which doesn't have a reference in the code and someone might be
> tempted to remove in future).

Your and Endi's review have shown me that several small patches are easier to understand and better to read than a large, squashed patch bomb. I will post a series of smaller patches later. Each patch will have a long description.

> On patch 13 - Manually fix import problems and access to
> Exception.message, I have the following question:
>
> 2. In base/server/python/pki/server/deployment/pkiparser.py and in
> base/common/python/pki/key.py, you solve the import problem for
> urllib by trying to import the Python 2 first and then Python 3
> (or vice versa). Why doesn't importing the relevant six module
> work instead?

I don't mind using six.moves here, too. I guess I'm used to manual imports with try/except ImportError. I have to disable pylint warnings anyway as pylint doesn't understand six.moves magic.

> And on patch 14 (sepolgen):
>
> 3. Could you explain what the effect of your sepolgen change is?

It's a temporary workaround for an incomplete Python 3 package. It disables the SELinux policy generator in pkispawn until the package is fixed. As a consequence you have to disable SELinux enforcement -- but only for pkispawn and pkidestroy on Python 3. It doesn't affect the regular Python 2.7 code.

Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL:

From cheimes at redhat.com Mon Aug 17 06:04:30 2015
From: cheimes at redhat.com (Christian Heimes) Date: Mon, 17 Aug 2015 08:04:30 +0200 Subject: [Pki-devel] [PATCH 022] Modernize for Python 3 support In-Reply-To: <55CE6D6D.6050901@redhat.com> References: <55CDF449.2080504@redhat.com> <55CE032F.6090606@redhat.com> <55CE6D6D.6050901@redhat.com> Message-ID: <55D1796E.4020103@redhat.com> On 2015-08-15 00:36, Endi Sukma Dewata wrote: > On 8/14/2015 10:03 AM, Christian Heimes wrote: >> And now with attachment. >> >> I also attached a 2nd patch that fixes the one unit test under Python 3. >> >> Christian > > Some comments: > > 1. Build works on F22, but fails on F21: > > ************* Module pylint-build-scan > I: 33, 0: Locally disabling import-error (F0401) (locally-disabled) > ************* Module pki > I: 33, 0: Locally disabling redefined-builtin (W0622) (locally-disabled) > I:127, 0: Locally disabling too-few-public-methods (R0903) > (locally-disabled) > I:141, 0: Locally disabling too-few-public-methods (R0903) > (locally-disabled) > I:149, 0: Locally disabling invalid-name (C0103) (locally-disabled) > I:161, 0: Locally disabling invalid-name (C0103) (locally-disabled) > F: 33, 0: Unable to import 'six.moves' (import-error) > ************* Module pki.encoder > I: 36, 0: Locally disabling method-hidden (E0202) (locally-disabled) > ************* Module pki.profile > I:1361, 0: Locally disabling broad-except (W0703) (locally-disabled) > I:1398, 0: Locally disabling broad-except (W0703) (locally-disabled) > ************* Module pki.key > I: 34, 0: Locally disabling no-name-in-module (E0611) (locally-disabled) > I: 36, 0: Locally disabling no-name-in-module (E0611) (locally-disabled) > I: 43, 0: Locally disabling too-few-public-methods (R0903) > (locally-disabled) > I: 54, 0: Locally disabling too-few-public-methods (R0903) > (locally-disabled) > I: 66, 0: Locally disabling invalid-name (C0103) (locally-disabled) > I:118, 0: Locally disabling invalid-name (C0103) (locally-disabled) > I:150, 0: Locally disabling 
too-few-public-methods (R0903) (locally-disabled)
> I:186, 0: Locally disabling invalid-name (C0103) (locally-disabled)
> I:222, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
> I:258, 0: Locally disabling invalid-name (C0103) (locally-disabled)
> F: 34, 4: Unable to import 'urllib.parse' (import-error)
> ************* Module pki.upgrade
> I:545, 0: Locally disabling exec-used (W0122) (locally-disabled)
> I:632, 0: Locally disabling broad-except (W0703) (locally-disabled)
> I:699, 0: Locally disabling broad-except (W0703) (locally-disabled)
> ************* Module pki.server.cli.migrate
> I:166, 0: Locally disabling protected-access (W0212) (locally-disabled)
> I:279, 0: Locally disabling protected-access (W0212) (locally-disabled)
> ************* Module pki.server.cli.instance
> I:327, 0: Locally disabling no-member (E1101) (locally-disabled)
> I:327, 0: Locally disabling maybe-no-member (E1103) (locally-disabled)
> I:383, 0: Locally disabling no-member (E1101) (locally-disabled)
> I:383, 0: Locally disabling maybe-no-member (E1103) (locally-disabled)
> I:439, 0: Locally disabling no-member (E1101) (locally-disabled)
> I:439, 0: Locally disabling maybe-no-member (E1103) (locally-disabled)
> ************* Module pki.server.deployment.pkiparser
> I: 36, 0: Locally disabling no-name-in-module (E0611) (locally-disabled)
> I: 38, 0: Locally disabling import-error (F0401) (locally-disabled)
> I: 40, 0: Locally disabling redefined-builtin (W0622) (locally-disabled)
> I:362, 0: Locally disabling no-member (E1101) (locally-disabled)
> I:377, 0: Locally disabling no-member (E1101) (locally-disabled)
> F: 36, 4: Unable to import 'urllib.parse' (import-error)
> F: 40, 0: Unable to import 'six.moves' (import-error)
> F: 41, 0: Unable to import 'six.moves' (import-error)
> ************* Module pki.server.deployment.pkiscriptlet
> I: 36, 0: Locally disabling unused-argument (W0613) (locally-disabled)
> W: 29, 0: Class has no __init__ method (no-init)
> ************* Module pki.server.deployment.pkihelper
> I: 35, 0: Locally disabling no-name-in-module (E0611) (locally-disabled)
> I:1091, 0: Locally disabling broad-except (W0703) (locally-disabled)
> I:2978, 0: Locally disabling broad-except (W0703) (locally-disabled)
> I:2999, 0: Locally disabling broad-except (W0703) (locally-disabled)
> I:3903, 0: Locally disabling no-member (E1101) (locally-disabled)
> ************* Module pki.server.deployment.pkiconfig
> I: 25, 0: Locally disabling redefined-builtin (W0622) (locally-disabled)
> F: 25, 0: Unable to import 'six.moves' (import-error)
> ************* Module pki.server.deployment.scriptlets.security_databases
> W: 31, 0: Class has no __init__ method (no-init)
> ************* Module pki.server.deployment.scriptlets.webapp_deployment
> W: 33, 0: Class has no __init__ method (no-init)
> ************* Module pki.server.deployment.scriptlets.instance_layout
> W: 33, 0: Class has no __init__ method (no-init)
> ************* Module pki.server.deployment.scriptlets.finalization
> W: 32, 0: Class has no __init__ method (no-init)
> ************* Module pki.server.deployment.scriptlets.infrastructure_layout
> W: 32, 0: Class has no __init__ method (no-init)
> ************* Module pki.server.deployment.scriptlets.subsystem_layout
> W: 31, 0: Class has no __init__ method (no-init)
> ************* Module pki.server.deployment.scriptlets.selinux_setup
> W: 36, 0: Class has no __init__ method (no-init)
> ************* Module pki.server.deployment.scriptlets.slot_substitution
> W: 31, 0: Class has no __init__ method (no-init)
> ************* Module pki.server.deployment.scriptlets.initialization
> W: 31, 0: Class has no __init__ method (no-init)
> ************* Module pki.server.deployment.scriptlets.configuration
> W: 34, 0: Class has no __init__ method (no-init)
> I: 83, 0: Locally disabling unused-argument (W0613) (locally-disabled)
> ************* Module pkispawn
> I: 58, 0: Locally disabling unused-argument (W0613) (locally-disabled)
> I:602, 0: Locally disabling broad-except (W0703) (locally-disabled)
> ************* Module pkidestroy
> I: 55, 0: Locally disabling unused-argument (W0613) (locally-disabled)
> ************* Module pki-upgrade
> I: 31, 0: Locally disabling unused-argument (W0613) (locally-disabled)
> ************* Module pki-server-upgrade
> I: 33, 0: Locally disabling unused-argument (W0613) (locally-disabled)
> ************* Module 01-RemoveInaccessableURLsFromServerXML
> I: 34, 0: Locally disabling anomalous-backslash-in-string (W1401) (locally-disabled)
> ************* Module 01-AddKraAuditEvents
> I: 48, 0: Locally disabling unused-argument (W0613) (locally-disabled)

Thanks for the tests.

Older versions of pylint

I've addressed the six.moves import-error failures in my updated patch. The no-init warnings seem to be unrelated to my work, though.

> 2. In "Manually fix import problems and access to Exception.message" you
> replaced e.message['desc'] with e.args[0]['desc']. I suppose the code
> works fine, but it's kind of strange that we'd have to use a more
> cryptic code. Are there other alternatives?

No, there is no better way to write it. :(

I checked python-ldap's and pyldap's source code as well as tested a couple of alternative approaches interactively. The LDAPError exception doesn't have other means to access the error dict. In Python 2 Exception.message is an alternative spelling for Exception.args[0] if len(args) == 1. The alternative is gone in Python 3.

Christian
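A helper for the e.args[0]['desc'] access Christian describes above, added here as an example; it is not code from the thread or from Dogtag. The LDAPError and SERVER_DOWN classes below are constructed stand-ins that mirror how python-ldap raises its errors with a single dict argument, not python-ldap itself.

```python
"""Portable access to the python-ldap error dict on Python 2 and 3.

python-ldap raises LDAPError subclasses with one dict argument such as
{'desc': ..., 'info': ...}. Python 2 also exposed that argument as
e.message; Python 3 only has e.args[0]. The classes below are constructed
stand-ins for this example, not the real ldap module.
"""


class LDAPError(Exception):
    """Constructed stand-in for ldap.LDAPError."""


class SERVER_DOWN(LDAPError):
    """Constructed stand-in for ldap.SERVER_DOWN."""


def ldap_error_desc(exc, default="unknown LDAP error"):
    """Return the 'desc' (and 'info', if any) of an LDAPError.

    Handles the shapes python-ldap errors come in: a single dict argument
    (the usual case), a plain string argument, and no argument at all.
    Never touches exc.message, which does not exist on Python 3.
    """
    if not exc.args:
        return default
    payload = exc.args[0]
    if isinstance(payload, dict):
        desc = payload.get("desc") or default
        info = payload.get("info")
        return "%s (%s)" % (desc, info) if info else desc
    return str(payload)


def describe_ldap_failure(func, *args):
    """Call func(*args); return (True, result) or (False, error text)."""
    try:
        return True, func(*args)
    except LDAPError as e:
        return False, ldap_error_desc(e)


def connect_fails_sample():
    """Constructed failure: what a refused LDAP connection looks like."""
    raise SERVER_DOWN({"desc": "Can't contact LDAP server",
                       "info": "Connection refused"})


if __name__ == "__main__":
    print(describe_ldap_failure(connect_fails_sample))
```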
From: cheimes at redhat.com (Christian Heimes)
Date: Mon, 17 Aug 2015 08:21:29 +0200
Subject: [Pki-devel] [PATCH 024-034] Python 3 modernizations
Message-ID: <55D17D69.20309@redhat.com>

Hello,

this patch set replaces patch 22 and 23.

The patches 24 to 31 are the same as the patches from my git fork https://github.com/tiran/pki/commits/modernize. I have just squashed some related patches into one patch and added long descriptions.

Patch 32 is the same as patch 23.

Patch 33 also fixes a second occurrence of 'import seobject'.

Patch 34 addresses Ade's request to use six.moves and fixes Endi's pylint warnings.

Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0024-Py3-modernization-libmodernize.fixes.fix_import.patch
Type: text/x-patch
Size: 40249 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0025-Py3-modernization-libmodernize.fixes.fix_print.patch
Type: text/x-patch
Size: 119829 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0026-Py3-modernization-libmodernize.fixes.fix_input_six.patch
Type: text/x-patch
Size: 4819 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0027-Py3-modernization-libmodernize.fixes.fix_xrange_six.patch
Type: text/x-patch
Size: 1541 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0028-Py3-modernization-lib2to3.fixes.fix_execfile.patch
Type: text/x-patch
Size: 1218 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0029-Py3-modernization-libmodernize.fixes.fix_metaclass.patch
Type: text/x-patch
Size: 2101 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0030-Py3-modernization-libmodernize.fixes.fix_unicode_typ.patch
Type: text/x-patch
Size: 7180 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0031-Py3-modernization-libmodernize.fixes.fix_dict_six.patch
Type: text/x-patch
Size: 12696 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0032-Fix-encoding-issue.-On-Python-3-requests-requires-by.patch
Type: text/x-patch
Size: 2213 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0033-policycoreutils-python3-lacks-sepolgen-on-Fedora-22.patch
Type: text/x-patch
Size: 3174 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0034-Py3-modernization-misc-manual-fixes.patch
Type: text/x-patch
Size: 20073 bytes
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Mon, 17 Aug 2015 00:33:31 -0600
Subject: [Pki-devel] Karma Request for Dogtag 10.2.6 in Fedora 22 & 23
Message-ID: <55D1803B.1040408@redhat.com>

Everyone,

Please provide Karma for the following Dogtag 10.2.6 packages for Fedora 22:

* dogtag-pki-theme-10.2.6-1.fc22
* pki-core-10.2.6-1.fc22
* pki-core-10.2.6-2.fc22
* pki-core-10.2.6-4.fc22
* pki-core-10.2.6-5.fc22
* pki-core-10.2.6-6.fc22
* pki-console-10.2.6-1.fc22
* dogtag-pki-10.2.6-1.fc22

and for Fedora 23:

* pki-core-10.2.6-5.fc23
* pki-core-10.2.6-6.fc23

Thanks,
-- Matt
From: cheimes at redhat.com (Christian Heimes)
Date: Mon, 17 Aug 2015 08:45:23 +0200
Subject: [Pki-devel] [PATCH 035-038] Python 3 compatibility
Message-ID: <55D18303.8060006@redhat.com>

Hi,

the second large patch makes the code work on Python 3.4. It mostly fixes a couple of str/bytes related issues. With the patches I'm able to pkispawn a CA, KRA and OCSP with Python 3.4.

Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0035-Py3-compatibility-write-XML-as-encoded-bytes.patch
Type: text/x-patch
Size: 10598 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0036-Py3-compatibility-encode-output-of-subprocess-call.patch
Type: text/x-patch
Size: 9270 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0037-Py3-compatibility-set-default-for-verbosity-to-0.patch
Type: text/x-patch
Size: 1220 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0038-Py3-compatibility-__eq__-blocks-inheritance-of-__has.patch
Type: text/x-patch
Size: 1179 bytes
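The three str/bytes pitfalls named by patches 35, 36 and 38 above, shown in Python 2/3-compatible form as an added example; this is not the patches' own code or Dogtag code, and the function and class names are this example's own.

```python
"""Python 3 compatibility: bytes from subprocess, bytes for XML output,
and __hash__ after __eq__. Constructed example; names are not Dogtag's."""
import subprocess
import sys
import xml.etree.ElementTree as ET


def run_and_decode(argv, encoding="utf-8"):
    """Run a command and return its stdout as text.

    subprocess returns bytes on Python 3, so the output must be decoded
    explicitly before it is compared with or concatenated to str.
    Raises CalledProcessError on a non-zero exit status.
    """
    out = subprocess.check_output(argv)
    return out.decode(encoding)


def echo_via_python(text):
    """Round-trip text through a child interpreter (for the self-test)."""
    return run_and_decode([sys.executable, "-c", "print(%r)" % text])


def xml_to_bytes(root, encoding="utf-8"):
    """Serialise an Element tree to bytes.

    ET.tostring() with an explicit encoding returns bytes on both Python
    versions; write the result to a file opened in binary mode ('wb'),
    never to a text-mode file, which is what broke under Python 3.
    """
    return ET.tostring(root, encoding=encoding)


def build_server_xml(port):
    """Constructed sample: a tiny Tomcat-style fragment as bytes."""
    root = ET.Element("Server")
    ET.SubElement(root, "Connector", port=str(port))
    return xml_to_bytes(root)


class CertRef(object):
    """A value type that stays hashable after defining __eq__.

    On Python 3 a class that defines __eq__ but not __hash__ gets
    __hash__ = None and cannot be used in sets or as a dict key.
    Defining __hash__ over the same fields restores that.
    """
    def __init__(self, nickname, serial):
        self.nickname = nickname
        self.serial = serial

    def __eq__(self, other):
        if not isinstance(other, CertRef):
            return NotImplemented
        return (self.nickname, self.serial) == (other.nickname, other.serial)

    def __ne__(self, other):  # Python 2 does not derive __ne__ from __eq__
        result = self.__eq__(other)
        return result if result is NotImplemented else not result

    def __hash__(self):
        return hash((self.nickname, self.serial))


class BrokenRef(object):
    """Same class with __eq__ only: unhashable on Python 3 (hashable on 2)."""
    def __init__(self, nickname, serial):
        self.nickname = nickname
        self.serial = serial

    def __eq__(self, other):
        return (self.nickname, self.serial) == (other.nickname, other.serial)


def is_hashable(obj):
    """True if obj can be hashed, i.e. used in a set or as a dict key."""
    try:
        hash(obj)
    except TypeError:
        return False
    return True


def unique_refs(refs):
    """Number of distinct refs; relies on __hash__ and __eq__ agreeing."""
    return len(set(refs))


if __name__ == "__main__":
    print(echo_via_python("hello").strip())
    print(build_server_xml(8443))
    print(unique_refs([CertRef("ca", 1), CertRef("ca", 1), CertRef("kra", 2)]))
```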
From: cheimes at redhat.com (Christian Heimes)
Date: Mon, 17 Aug 2015 09:01:07 +0200
Subject: [Pki-devel] Dogtag PKI is Python 3.4 compatible (mostly)
Message-ID: <55D186B3.1020305@redhat.com>

Hello,

Good news everybody! I got Dogtag's Python code working under Python 3.4. With my patches 24-38 I'm able to run pkispawn and pkidestroy under Python 2.7 and 3.4 from the same code base. I was able to spawn a CA, KRA and OCSP responder with Python 3.4 successfully.

There is still much work to do, though. I have neither tested the PKI client API nor the upgrade framework. I also suspect problems with non-ASCII paths and internationalized domain names. Packaging has to be addressed, too.

I'd like to thank John and Miro for their hard work on Python 3 ports of NSS and pyldap.

How to test under Python 3.4
----------------------------

Install Python 3 versions of Python dependencies:

# dnf install python3-lxml python3-sphinx python3-requests python3-six libselinux-python3 policycoreutils3-python

Install build dependencies for pyldap and python-nss:

# dnf install python-dnf-plugins-core python3-pip python-tox
# dnf builddep python-nss
# dnf builddep python-ldap

You also have to disable SELinux enforcement because seobject is missing:

# setenforce 0

Now you can use a tox virtual env to install the dependencies and test the Python 3 port:

$ tox -e py34 (ignore the error)
$ .tox/py34/bin/pip3.4 install pyldap
$ .tox/py34/bin/pip3.4 install hg+https://fedorapeople.org/~jdennis/python-nss/repos/python-nss/
# .tox/py34/bin/python3.4 .tox/py34/bin/pkispawn

Christian
From: alee at redhat.com (Ade Lee)
Date: Mon, 17 Aug 2015 11:36:37 -0400
Subject: [Pki-devel] [PATCH 024-034] Python 3 modernizations
In-Reply-To: <55D17D69.20309@redhat.com>
References: <55D17D69.20309@redhat.com>
Message-ID: <1439825797.965.15.camel@redhat.com>

ACK on all patches. Thanks for the explanations.

Question on the selinux patch. I can see based on the following bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=988304
https://bugzilla.redhat.com/show_bug.cgi?id=1194577#c4

that sepolgen will only be in F23+. I guess this is fine considering that the default python will not be Python 3 until F23.

That still raises the question of how we should handle the case where someone tries to run pkispawn/pkidestroy on Python 3 in F22. Your patch will allow the pkispawn python code to complete, but will fail later when the tomcat server starts up if selinux is enabled and non-standard (not previously selinux defined) ports are defined.

As you mentioned on IRC, it takes some work to try to run pkispawn on f22 with python 3. But it might make sense to warn folks to disable selinux in this case. At the very least, it would be nice to have a specific error message that indicates that the selinux setup is being skipped because sepolgen is unavailable on py3, rather than lumping it into the "selinux disabled" message.

Additionally, it would be nice to do some check ahead of time to confirm that selinux is disabled if (1) python 3 (2) sepolgen unavailable (3) non-standard ports/non-standard file locations. But given that it will be IPA folks who will be testing this (and they use standard locations), the additional test is probably not needed.

Ade

On Mon, 2015-08-17 at 08:21 +0200, Christian Heimes wrote:
> Hello,
>
> this patch set replaces patch 22 and 23.
>
> The patches 24 to 31 are the same as the patches from my git fork
> https://github.com/tiran/pki/commits/modernize. I have just squashed
> some related patches into one patch and added long descriptions.
>
> Patch 32 is the same as patch 23.
>
> Patch 33 also fixes a second occurrence of 'import seobject'.
>
> Patch 34 addresses Ade's request to use six.moves and fixes Endi's
> pylint warnings.
>
> Christian

From: alee at redhat.com (Ade Lee)
Date: Mon, 17 Aug 2015 11:40:48 -0400
Subject: [Pki-devel] [PATCH 035-038] Python 3 compatibility
In-Reply-To: <55D18303.8060006@redhat.com>
References: <55D18303.8060006@redhat.com>
Message-ID: <1439826048.965.16.camel@redhat.com>

Looks good. ACK.

On Mon, 2015-08-17 at 08:45 +0200, Christian Heimes wrote:
> Hi,
>
> the second large patch makes the code work on Python 3.4. It mostly
> fixes a couple of str/bytes related issues. With the patches I'm able
> to pkispawn a CA, KRA and OCSP with Python 3.4.
>
> Christian

From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 18 Aug 2015 11:37:37 +0200
Subject: [Pki-devel] [PATCH 039] Unit tests for upgraders and pki.crypto
Message-ID: <55D2FCE1.1050600@redhat.com>

The new unit tests import files like deployment scriptlets and upgrade scriptlets that were not executed in tests before. The basic operations of pki.crypto are also covered.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0039-Unit-tests-for-upgraders-and-pki.crypto.patch
Type: text/x-patch
Size: 11600 bytes
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 18 Aug 2015 17:15:03 +0200
Subject: [Pki-devel] [PATCH 040] Silence no-name-in-module error
Message-ID: <55D34BF7.1010206@redhat.com>

Endi has found a problem with F21: http://www.fpaste.org/256300/08336143/ . The attached patch silences the pylint warning.

Some versions of pylint complain about six's moves magic:

No name 'urllib' in module '_MovedItems' (no-name-in-module)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0040-Silence-no-name-in-module-error.patch
Type: text/x-patch
Size: 1726 bytes
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 18 Aug 2015 12:00:43 -0500
Subject: [Pki-devel] [PATCH 040] Silence no-name-in-module error
In-Reply-To: <55D34BF7.1010206@redhat.com>
References: <55D34BF7.1010206@redhat.com>
Message-ID: <55D364BB.2020008@redhat.com>

On 8/18/2015 10:15 AM, Christian Heimes wrote:
> Endi has found a problem with F21:
> http://www.fpaste.org/256300/08336143/ . The attached patch silences the
> pylint warning.
>
> Some versions of pylint complain about six's moves magic:
>
> No name 'urllib' in module '_MovedItems' (no-name-in-module)
>

ACK. It fixes the pylint errors. However, there are still some pylint warnings which will also break the F21 build. The warnings didn't exist last week (see below).

###################################################################
Below are the pylint messages using the latest on master:
###################################################################

************* Module pylint-build-scan
I: 33, 0: Locally disabling import-error (F0401) (locally-disabled)
************* Module pki
I: 33, 0: Locally disabling redefined-builtin (W0622) (locally-disabled)
I: 33, 0: Locally disabling import-error (F0401) (locally-disabled)
I:127, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
I:141, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
I:149, 0: Locally disabling invalid-name (C0103) (locally-disabled)
I:161, 0: Locally disabling invalid-name (C0103) (locally-disabled)
************* Module pki.encoder
I: 36, 0: Locally disabling method-hidden (E0202) (locally-disabled)
************* Module pki.profile
I:1361, 0: Locally disabling broad-except (W0703) (locally-disabled)
I:1398, 0: Locally disabling broad-except (W0703) (locally-disabled)
************* Module pki.key
I: 33, 0: Locally disabling import-error (F0401) (locally-disabled)
I: 33, 0: Locally disabling no-name-in-module (E0611) (locally-disabled)
I: 40, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
I: 51, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
I: 63, 0: Locally disabling invalid-name (C0103) (locally-disabled)
I:115, 0: Locally disabling invalid-name (C0103) (locally-disabled)
I:147, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
I:183, 0: Locally disabling invalid-name (C0103) (locally-disabled)
I:219, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
I:255, 0: Locally disabling invalid-name (C0103) (locally-disabled)
************* Module pki.upgrade
I:551, 0: Locally disabling exec-used (W0122) (locally-disabled)
I:638, 0: Locally disabling broad-except (W0703) (locally-disabled)
I:705, 0: Locally disabling broad-except (W0703) (locally-disabled)
************* Module pki.server.cli.migrate
I:167, 0: Locally disabling protected-access (W0212) (locally-disabled)
I:280, 0: Locally disabling protected-access (W0212) (locally-disabled)
************* Module pki.server.cli.instance
I:327, 0: Locally disabling no-member (E1101) (locally-disabled)
I:327, 0: Locally disabling maybe-no-member (E1103) (locally-disabled)
I:383, 0: Locally disabling no-member (E1101) (locally-disabled)
I:383, 0: Locally disabling maybe-no-member (E1103) (locally-disabled)
I:439, 0: Locally disabling no-member (E1101) (locally-disabled)
I:439, 0: Locally disabling maybe-no-member (E1103) (locally-disabled)
************* Module pki.server.deployment.pkiparser
I: 37, 0: Locally disabling redefined-builtin (W0622) (locally-disabled)
I: 37, 0: Locally disabling import-error (F0401) (locally-disabled)
I: 38, 0: Locally disabling import-error (F0401) (locally-disabled)
I: 39, 0: Locally disabling import-error (F0401) (locally-disabled)
I: 39, 0: Locally disabling no-name-in-module (E0611) (locally-disabled)
I:363, 0: Locally disabling no-member (E1101) (locally-disabled)
I:378, 0: Locally disabling no-member (E1101) (locally-disabled)
************* Module pki.server.deployment.pkiscriptlet
I: 36, 0: Locally disabling unused-argument (W0613) (locally-disabled)
W: 29, 0: Class has no __init__ method (no-init)
************* Module pki.server.deployment.pkihelper
I: 35, 0: Locally disabling no-name-in-module (E0611) (locally-disabled)
I:1091, 0: Locally disabling broad-except (W0703) (locally-disabled)
I:2978, 0: Locally disabling broad-except (W0703) (locally-disabled)
I:2999, 0: Locally disabling broad-except (W0703) (locally-disabled)
I:3905, 0: Locally disabling no-member (E1101) (locally-disabled)
************* Module pki.server.deployment.pkiconfig
I: 25, 0: Locally disabling redefined-builtin (W0622) (locally-disabled)
I: 25, 0: Locally disabling import-error (F0401) (locally-disabled)
************* Module pki.server.deployment.scriptlets.security_databases
W: 31, 0: Class has no __init__ method (no-init)
************* Module pki.server.deployment.scriptlets.webapp_deployment
W: 33, 0: Class has no __init__ method (no-init)
************* Module pki.server.deployment.scriptlets.instance_layout
W: 33, 0: Class has no __init__ method (no-init)
************* Module pki.server.deployment.scriptlets.finalization
W: 32, 0: Class has no __init__ method (no-init)
************* Module pki.server.deployment.scriptlets.infrastructure_layout
W: 32, 0: Class has no __init__ method (no-init)
************* Module pki.server.deployment.scriptlets.subsystem_layout
W: 31, 0: Class has no __init__ method (no-init)
************* Module pki.server.deployment.scriptlets.selinux_setup
W: 45, 0: Class has no __init__ method (no-init)
************* Module pki.server.deployment.scriptlets.slot_substitution
W: 31, 0: Class has no __init__ method (no-init)
************* Module pki.server.deployment.scriptlets.initialization
W: 31, 0: Class has no __init__ method (no-init)
************* Module pki.server.deployment.scriptlets.configuration
W: 34, 0: Class has no __init__ method (no-init)
I: 83, 0: Locally disabling unused-argument (W0613) (locally-disabled)
************* Module pkispawn
I: 58, 0: Locally disabling unused-argument (W0613) (locally-disabled)
I:601, 0: Locally disabling broad-except (W0703) (locally-disabled)
************* Module pkidestroy
I: 55, 0: Locally disabling unused-argument (W0613) (locally-disabled)
************* Module pki-upgrade
I: 31, 0: Locally disabling unused-argument (W0613) (locally-disabled)
************* Module pki-server-upgrade
I: 33, 0: Locally disabling unused-argument (W0613) (locally-disabled)
************* Module 01-RemoveInaccessableURLsFromServerXML
I: 34, 0: Locally disabling anomalous-backslash-in-string (W1401) (locally-disabled)
************* Module 01-AddKraAuditEvents
I: 48, 0: Locally disabling unused-argument (W0613) (locally-disabled)

###################################################################
Below are the pylint messages using revision f60846e025ff5492e8c05ccf525fe8df1b59bba6:
###################################################################

************* Module pylint-build-scan
I: 31, 0: Locally disabling import-error (F0401) (locally-disabled)
************* Module pki
I:121, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
I:135, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
I:143, 0: Locally disabling invalid-name (C0103) (locally-disabled)
I:155, 0: Locally disabling invalid-name (C0103) (locally-disabled)
************* Module pki.encoder
I: 34, 0: Locally disabling method-hidden (E0202) (locally-disabled)
************* Module pki.profile
I:1353, 0: Locally disabling broad-except (W0703) (locally-disabled)
I:1390, 0: Locally disabling broad-except (W0703) (locally-disabled)
************* Module pki.key
I: 36, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
I: 47, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
I: 59, 0: Locally disabling invalid-name (C0103) (locally-disabled)
I:110, 0: Locally disabling invalid-name (C0103) (locally-disabled)
I:142, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
I:178, 0: Locally disabling invalid-name (C0103) (locally-disabled)
I:214, 0: Locally disabling too-few-public-methods (R0903) (locally-disabled)
I:250, 0: Locally disabling invalid-name (C0103) (locally-disabled)
************* Module pki.upgrade
I:625, 0: Locally disabling broad-except (W0703) (locally-disabled)
I:692, 0: Locally disabling broad-except (W0703) (locally-disabled)
************* Module pki.server.cli.migrate
I:153, 0: Locally disabling protected-access (W0212) (locally-disabled)
I:271, 0: Locally disabling protected-access (W0212) (locally-disabled)
************* Module pki.server.cli.instance
I:325, 0: Locally disabling no-member (E1101) (locally-disabled)
I:325, 0: Locally disabling maybe-no-member (E1103) (locally-disabled)
I:379, 0: Locally disabling no-member (E1101) (locally-disabled)
I:379, 0: Locally disabling maybe-no-member (E1103) (locally-disabled)
I:433, 0: Locally disabling no-member (E1101) (locally-disabled)
I:433, 0: Locally disabling maybe-no-member (E1103) (locally-disabled)
************* Module pki.server.deployment.pkiscriptlet
I: 30, 0: Locally disabling unused-argument (W0613) (locally-disabled)
I: 37, 0: Locally disabling unused-argument (W0613) (locally-disabled)
************* Module pki.server.deployment.pkihelper
I:1073, 0: Locally disabling broad-except (W0703) (locally-disabled)
I:2939, 0: Locally disabling broad-except (W0703) (locally-disabled)
I:2959, 0: Locally disabling broad-except (W0703) (locally-disabled)
I: 81, 0: Locally disabling unused-argument (W0613) (locally-disabled)
************* Module pkispawn
I: 56, 0: Locally disabling unused-argument (W0613) (locally-disabled)
I:598, 0: Locally disabling broad-except (W0703) (locally-disabled)
************* Module pkidestroy
I: 53, 0: Locally disabling unused-argument (W0613) (locally-disabled)
************* Module pki-upgrade
I: 29, 0: Locally disabling unused-argument (W0613) (locally-disabled)
************* Module pki-server-upgrade
I: 31, 0: Locally disabling unused-argument (W0613) (locally-disabled)
************* Module 01-RemoveInaccessableURLsFromServerXML
I: 33, 0: Locally disabling anomalous-backslash-in-string (W1401) (locally-disabled)
************* Module 01-AddKraAuditEvents
I: 47, 0: Locally disabling unused-argument (W0613) (locally-disabled)

-- 
Endi S. Dewata

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 18 Aug 2015 17:34:36 -0500
Subject: [Pki-devel] [PATCH 040] Silence no-name-in-module error
In-Reply-To: <55D364BB.2020008@redhat.com>
References: <55D34BF7.1010206@redhat.com> <55D364BB.2020008@redhat.com>
Message-ID: <55D3B2FC.2020605@redhat.com>

On 8/18/2015 12:00 PM, Endi Sukma Dewata wrote:
> On 8/18/2015 10:15 AM, Christian Heimes wrote:
>> Endi has found a problem with F21:
>> http://www.fpaste.org/256300/08336143/ . The attached patch silences the
>> pylint warning.
>>
>> Some versions of pylint complain about six's moves magic:
>>
>> No name 'urllib' in module '_MovedItems' (no-name-in-module)
>>
>
> ACK. It fixes the pylint errors. However, there are still some pylint
> warnings which will also break the F21 build. The warnings didn't exist
> last week (see below).

Pushed to master. I also pushed your suggested change to suppress the warnings, so the F21 build is working now. Thanks.

-- 
Endi S. Dewata
From: cheimes at redhat.com (Christian Heimes)
Date: Wed, 19 Aug 2015 16:03:14 +0200
Subject: [Pki-devel] PATCH 005] Replace legacy Python base64 invocations with Py3-safe code
In-Reply-To: <55912FF5.1000201@redhat.com>
References: <55912FF5.1000201@redhat.com>
Message-ID: <55D48CA2.8070003@redhat.com>

On 2015-06-29 13:45, Christian Heimes wrote:
> Patch for https://fedorahosted.org/pki/ticket/1102
>
> b64encode() and base64.encodestring() work slightly differently.
> encodestring() includes an extra newline at the end of the string. It
> seems the server treats both representations equally.
>
> I ran the KRA tests according to base/kra/functional/drmtest.readme.txt.
> The tests are passing, too.

Here is another take on my old patch. The new patch also fixes a compatibility issue with Python 3.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0005-2-Replace-legacy-Python-base64-invocations.patch
Type: text/x-patch
Size: 11667 bytes
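The b64encode()/encodestring() difference from the quoted patch description, as an added example rather than the patch's own code; the helper names are this example's own. Beyond the trailing newline the quoted text mentions, the example also shows that the legacy encoder wraps its output every 76 characters for inputs longer than 57 bytes, and that b64decode() accepts either form.

```python
"""base64.encodestring()/encodebytes() versus b64encode(), plus a Python
3-safe text wrapper. Constructed example; helper names are not Dogtag's."""
import base64

# Python 3 renamed encodestring() to encodebytes() (the old name is gone in
# recent releases); Python 2 only has the old name. Pick whichever exists.
_encode_legacy = getattr(base64, "encodebytes", None) or base64.encodestring


def b64encode_str(data):
    """Encode bytes as a base64 str: no trailing newline, no line wrapping.

    b64encode() returns bytes on Python 3; decoding as ASCII yields the text
    form that JSON bodies and HTTP headers expect.
    """
    if not isinstance(data, bytes):
        raise TypeError("b64encode_str expects bytes, got %s"
                        % type(data).__name__)
    return base64.b64encode(data).decode("ascii")


def b64decode_lenient(text):
    """Decode base64 produced by either API.

    The legacy encoder inserts a newline after every 76 output characters
    and at the end. b64decode() without validate=True discards characters
    outside the base64 alphabet, so both forms decode to the same bytes.
    """
    return base64.b64decode(text)


def compare_encoders(data):
    """Return (strict, legacy, newline_count) for the two encodings of data.

    strict is base64.b64encode(data); legacy is the encodestring-style
    output; newline_count says how many newlines the legacy form added.
    """
    strict = base64.b64encode(data)
    legacy = _encode_legacy(data)
    return strict, legacy, legacy.count(b"\n")


if __name__ == "__main__":
    for sample in (b"hello", b"x" * 60):
        strict, legacy, newlines = compare_encoders(sample)
        print(len(sample), len(strict), len(legacy), newlines)
```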
From: cfu at redhat.com (Christina Fu)
Date: Wed, 19 Aug 2015 12:46:19 -0700
Subject: [Pki-devel] [PATCH] Ticket 1566 on HSM, non-CA subystem installations failing, while trying to join security domain
Message-ID: <55D4DD0B.8020609@redhat.com>

This patch is to address:
https://fedorahosted.org/pki/ticket/1566 non-CA subsystem installations failing while trying to join security domain

Please note that the two TLS_RSA ciphers have been left under ecc for installation in place of the TLS_ECDHE_RSA ones.

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0098-Ticket-1566-on-HSM-non-CA-subystem-installations-fai.patch
Type: text/x-patch
Size: 11823 bytes
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 19 Aug 2015 16:02:00 -0600
Subject: [Pki-devel] [PATCH] Ticket 1566 on HSM, non-CA subystem installations failing, while trying to join security domain
In-Reply-To: <55D4DD0B.8020609@redhat.com>
References: <55D4DD0B.8020609@redhat.com>
Message-ID: <55D4FCD8.9030900@redhat.com>

On 08/19/15 13:46, Christina Fu wrote:
> this patch is to address:
> https://fedorahosted.org/pki/ticket/1566 non-CA subsystem installations
> failing while trying to join security domain
>
> Please note that the two TLS_RSA ciphers have been left under ecc for
> installation in place of the TLS_ECDHE_RSA ones.
>
> thanks,
> Christina

(1) in pkiparser.py for ECC, +TLS_RSA_WITH_AES_256_CBC_SHA256 and +TLS_RSA_WITH_AES_128_GCM_SHA256 are turned on (this is for installation)

(2) in ciphers.info, for ECC, you have -TLS_RSA_WITH_AES_256_CBC_SHA256 and -TLS_RSA_WITH_AES_128_GCM_SHA256 turned off for sslRangeCiphers=...

After conversation, it is understood that the signs should be flipped in ciphers.info to match these changes in pkiparser.py.

Conditional ACK based upon correcting ciphers.info.
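A drift check of the kind applied in the review above, added as an example (not Dogtag code): it parses two +/-prefixed cipher lists in the sslRangeCiphers style and reports every name whose sign differs. The comma separator, the function names and the TLS_ECDHE_RSA entries in the sample lists are assumptions; only the two TLS_RSA names come from the thread.

```python
"""Compare two +/-prefixed cipher lists (sslRangeCiphers style) and report
sign mismatches. Constructed example; the comma separator and the sample
lists are assumptions, not Dogtag's actual files."""
import re

# One entry: a mandatory '+' or '-' followed by an NSS-style cipher name.
_ENTRY = re.compile(r"^([+-])(TLS_[A-Z0-9_]+)$")


def parse_cipher_list(text):
    """Map cipher name -> True ('+', enabled) or False ('-', disabled).

    Entries are comma separated; whitespace around entries is ignored.
    Raises ValueError on an entry without a sign, on an unexpected name
    shape, and on a name listed twice with different signs.
    """
    enabled = {}
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError("malformed cipher entry: %r" % entry)
        sign, name = m.groups()
        state = sign == "+"
        if name in enabled and enabled[name] != state:
            raise ValueError("conflicting signs for %s" % name)
        enabled[name] = state
    return enabled


def cipher_mismatches(installer_list, config_list):
    """Return {name: (installer_state, config_state)} for each cipher whose
    sign differs between the lists or that appears in only one of them
    (the missing side is reported as None)."""
    a = parse_cipher_list(installer_list)
    b = parse_cipher_list(config_list)
    mismatches = {}
    for name in sorted(set(a) | set(b)):
        if a.get(name) != b.get(name):
            mismatches[name] = (a.get(name), b.get(name))
    return mismatches


def enabled_ciphers(text):
    """Sorted names a list turns on: what the server would actually offer."""
    return sorted(n for n, on in parse_cipher_list(text).items() if on)


# Constructed lists modelled on the review finding: pkiparser.py turns the
# two TLS_RSA ciphers on for installation while ciphers.info still lists
# them with '-'. The ECDHE entries are assumed filler, not from the thread.
PKIPARSER_ECC = ("+TLS_RSA_WITH_AES_256_CBC_SHA256,"
                 "+TLS_RSA_WITH_AES_128_GCM_SHA256,"
                 "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
                 "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA")
CIPHERS_INFO_ECC = ("-TLS_RSA_WITH_AES_256_CBC_SHA256,"
                    "-TLS_RSA_WITH_AES_128_GCM_SHA256,"
                    "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
                    "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA")

if __name__ == "__main__":
    drift = cipher_mismatches(PKIPARSER_ECC, CIPHERS_INFO_ECC)
    for name, (inst, conf) in drift.items():
        print("%s: pkiparser=%s ciphers.info=%s" % (name, inst, conf))
```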
From: cfu at redhat.com (Christina Fu)
Date: Wed, 19 Aug 2015 16:51:54 -0700
Subject: [Pki-devel] [PATCH] Ticket 1566 on HSM, non-CA subystem installations failing, while trying to join security domain
In-Reply-To: <55D4FCD8.9030900@redhat.com>
References: <55D4DD0B.8020609@redhat.com> <55D4FCD8.9030900@redhat.com>
Message-ID: <55D5169A.3030503@redhat.com>

Thanks! Pushed to master:

commit 89211b9915e9c3e034d311ac0fa7091e9e08bde8
Author: Christina Fu
Date: Wed Aug 19 13:52:53 2015 +0200

    Ticket 1566 on HSM, non-CA subsystem installations failing while trying to join security domain

    Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on.

    We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that:
    1. The tested HSM seems to have issue with them (will still continue to investigate)
    2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to establish.
    3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations

    A new ticket has been filed for further investigation on hsm:
    https://fedorahosted.org/pki/ticket/1576 subsystem -> subsystem SSL handshake issue with TLS_ECDHE_RSA_* on Thales HSM

Christina

On 08/19/2015 03:02 PM, Matthew Harmsen wrote:
> On 08/19/15 13:46, Christina Fu wrote:
>> this patch is to address:
>> https://fedorahosted.org/pki/ticket/1566 non-CA subsystem
>> installations failing while trying to join security domain
>>
>> Please note that the two TLS_RSA ciphers have been left under ecc for
>> installation in place of the TLS_ECDHE_RSA ones.
>>
>> thanks,
>> Christina
>
> (1) in pkiparser.py for ECC, +TLS_RSA_WITH_AES_256_CBC_SHA256 and
> +TLS_RSA_WITH_AES_128_GCM_SHA256 are turned on (this is for installation)
> (2) in ciphers.info, for ECC, you have
> -TLS_RSA_WITH_AES_256_CBC_SHA256 and -TLS_RSA_WITH_AES_128_GCM_SHA256
> turned off for sslRangeCiphers=...
>
> After conversation, it is understood that the signs should be flipped
> in ciphers.info to match these changes in pkiparser.py.
>
> Conditional ACK based upon correcting ciphers.info.

From: jmagne at redhat.com (John Magne)
Date: Thu, 20 Aug 2015 16:47:24 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0050-Internet-Explorer-11-not-working-browser-warning.patch
In-Reply-To: <202572840.20526194.1440103635959.JavaMail.zimbra@redhat.com>
Message-ID: <1105604952.20526215.1440103644646.JavaMail.zimbra@redhat.com>

[PATCH] Internet Explorer 11 not working browser warning.

Related to ticket #1575 Internet Explorer 11: caUserCert request submission fails using the EE page.

This patch will only do the following:

Detect IE when IE11 is being used. Before this IE11 was mistaken for Firefox.
Detect IE11 specifically and warn the user that there is no support.

This ticket will live so we can fix this properly by porting the current VBS script to Javascript to support cert enrollment on IE 11.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0050-Internet-Explorer-11-not-working-browser-warning.patch
Type: text/x-patch
Size: 7394 bytes
From mharmsen at redhat.com Thu Aug 20 22:39:41 2015
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 20 Aug 2015 16:39:41 -0600
Subject: [Pki-devel] [pki-devel][PATCH] 0050-Internet-Explorer-11-not-working-browser-warning.patch
In-Reply-To: <1105604952.20526215.1440103644646.JavaMail.zimbra@redhat.com>
References: <1105604952.20526215.1440103644646.JavaMail.zimbra@redhat.com>
Message-ID: <55D6572D.6050103@redhat.com>

jmagne walked me through a successful test on IE 9 on an old Windows Vista box. As he had previously successfully tested IE 11 and Firefox, ACK (after correcting whitespace issues).

On 08/20/15 14:47, John Magne wrote:
> [PATCH] Internet Explorer 11 not working browser warning.
>
> Related to ticket #1575 Internet Explorer 11: caUserCert request submission fails using the EE page.
>
> This patch will only do the following:
>
> Detect IE when IE11 is being used. Before this, IE11 was mistaken for Firefox.
> Detect IE11 specifically and warn the user that there is no support.
>
> This ticket will live so we can fix this properly by porting the current
> VBS script to Javascript to support cert enrollment on IE 11.

From jmagne at redhat.com Thu Aug 20 23:01:15 2015
From: jmagne at redhat.com (John Magne)
Date: Thu, 20 Aug 2015 19:01:15 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0050-Internet-Explorer-11-not-working-browser-warning.patch
In-Reply-To: <55D6572D.6050103@redhat.com>
References: <1105604952.20526215.1440103644646.JavaMail.zimbra@redhat.com> <55D6572D.6050103@redhat.com>
Message-ID: <2136634463.20799236.1440111675779.JavaMail.zimbra@redhat.com>

Pushed to master:

Ticket updated, but not closed.

----- Original Message -----
From: "Matthew Harmsen"
To: "John Magne" , "pki-devel"
Sent: Thursday, August 20, 2015 3:39:41 PM
Subject: Re: [Pki-devel] [pki-devel][PATCH] 0050-Internet-Explorer-11-not-working-browser-warning.patch

jmagne walked me through a successful test on IE 9 on an old Windows Vista box. As he had previously successfully tested IE 11 and Firefox, ACK (after correcting whitespace issues).

On 08/20/15 14:47, John Magne wrote:
> [PATCH] Internet Explorer 11 not working browser warning.
>
> Related to ticket #1575 Internet Explorer 11: caUserCert request submission fails using the EE page.
>
> This patch will only do the following:
>
> Detect IE when IE11 is being used. Before this, IE11 was mistaken for Firefox.
> Detect IE11 specifically and warn the user that there is no support.
>
> This ticket will live so we can fix this properly by porting the current
> VBS script to Javascript to support cert enrollment on IE 11.

From ftweedal at redhat.com Fri Aug 21 06:01:40 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 21 Aug 2015 16:01:40 +1000
Subject: [Pki-devel] [PATCH] 0045 remove obsolete code from CertificateAuthority class
Message-ID: <20150821060140.GR16439@dhcp-40-8.bne.redhat.com>

The attached patch removes the empty, private and apparently unused `initWebGateway' method from CertificateAuthority.

Cheers,
Fraser

-------------- next part --------------
From 53b5252fec01b2af401f119c7e00bb552266ba2c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 19 Aug 2015 02:00:36 -0400
Subject: [PATCH 45/46] remove obsolete code from CertificateAuthority class

---
 base/ca/src/com/netscape/ca/CertificateAuthority.java | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index 158ecff1f72ec2d3cfa3c73b7599bf2c3b59bc6e..acf07b9bde2a05f7c62740293a0c66cf92f50771 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -349,9 +349,6 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori throw e; } - // init web gateway. - initWebGateway(); - mUseNonces = mConfig.getBoolean("enableNonces", true); mMaxNonces = mConfig.getInteger("maxNumberOfNonces", 100); @@ -1493,14 +1490,6 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori mReplicaRepot = new ReplicaIDRepository( DBSubsystem.getInstance(), 1, replicaReposDN); CMS.debug("Replica Repot inited"); - - } - - /** - * init web gateway - just gets the ee gateway for this CA. - */ - private void initWebGateway() - throws EBaseException { } private void startPublish() -- 2.4.3 From ftweedal at redhat.com Fri Aug 21 06:05:52 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 21 Aug 2015 16:05:52 +1000 Subject: [Pki-devel] [PATCH] 0046 API: add support for generic entities Message-ID: <20150821060552.GS16439@dhcp-40-8.bne.redhat.com> This patch adds support to retrieving generic entities (e.g. List) from Response objects. Thanks, Fraser -------------- next part -------------- From ee37cbd4a371fa803c71d0b012c874cd734e54a9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 21 Aug 2015 00:49:06 -0400 Subject: [PATCH] API: add support for generic entities --- .../src/com/netscape/certsrv/client/PKIClient.java | 5 ++++ .../com/netscape/certsrv/client/PKIConnection.java | 27 ++++++++++++++++------ 2 files changed, 25 insertions(+), 7 deletions(-) 
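Review bot: In the second CertificateAuthority.java hunk of patch 0045 (`@@ -1493,14 +1490,6 @@`) the deletion is brace-balanced but awkward to read: the `}` that survives after `CMS.debug("Replica Repot inited");` is the old closing brace of `initWebGateway`, which now closes the preceding method, and that method loses the blank line it had before its brace. Deleting the `initWebGateway` block from its javadoc through its own `}` and leaving the preceding method's closing lines untouched would give a diff that shows only the method being removed. The change itself is sound: the method is `private` with an empty body, so dropping the call in the first hunk alters no behaviour and removes a `throws EBaseException` path that could never fire, and the javadoc it removes ("just gets the ee gateway for this CA") described something the body never did.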
diff --git a/base/common/src/com/netscape/certsrv/client/PKIClient.java b/base/common/src/com/netscape/certsrv/client/PKIClient.java index 9015cfa38f76ac9b23e4baf7e79af06af6566888..5c13554fe87257bd4606c2a1e6e8828962a19d32 100644 --- a/base/common/src/com/netscape/certsrv/client/PKIClient.java +++ b/base/common/src/com/netscape/certsrv/client/PKIClient.java @@ -26,6 +26,7 @@ import java.security.cert.CertificateEncodingException; import java.util.Collection; import java.util.HashSet; +import javax.ws.rs.core.GenericType; import javax.ws.rs.core.Response; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; @@ -112,6 +113,10 @@ public class PKIClient { return connection.getEntity(response, clazz); } + public T getEntity(Response response, GenericType clazz) { + return connection.getEntity(response, clazz); + } + public ClientConfig getConfig() { return config; } diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java index 85b6c208227c0f079e69abfab3a24d953bb26716..fb7694615ed94aa21f3631ea39fbb243d63248a2 100644 --- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java +++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java @@ -35,6 +35,7 @@ import java.util.Arrays; import java.util.List; import javax.ws.rs.client.Entity; +import javax.ws.rs.core.GenericType; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Response; 
@@ -408,15 +409,27 @@ public class PKIConnection { } public T getEntity(Response response, Class clazz) { + Family family = response.getStatusInfo().getFamily(); + if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) { + if (response.hasEntity()) return response.readEntity(clazz); + return null; + } + handleErrorResponse(response); + return null; + } - // handle HTTP status code 4xx and 5xx only + public T getEntity(Response response, GenericType clazz) { + Family family = response.getStatusInfo().getFamily(); + if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) { + if (response.hasEntity()) return response.readEntity(clazz); + return null; + } + handleErrorResponse(response); + return null; + } + + private void handleErrorResponse(Response response) { StatusType status = response.getStatusInfo(); - Family family = status.getFamily(); - if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) { - if (response.hasEntity()) return response.readEntity(clazz); - return null; - } - MediaType contentType = response.getMediaType(); if (!MediaType.APPLICATION_XML_TYPE.equals(contentType) -- 2.4.3 From mharmsen at redhat.com Fri Aug 21 15:44:37 2015 
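Review bot: The new `getEntity(Response, GenericType)` overload in the PKIClient.java hunk has no javadoc; a one-line comment saying it exists for parameterized response types (the `List` case the cover letter mentions) and that the `Class` overload remains the right choice for plain types would save readers from wondering why two overloads exist. Naming the `GenericType` parameter `type` rather than `clazz` (in both PKIClient.java and PKIConnection.java) would also avoid suggesting that it is a `Class`.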
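Review bot: In the PKIConnection.java hunk (`@@ -408,15 +409,27 @@`) the two `getEntity` overloads repeat the same four-line status-family check verbatim; pulling it into a small private predicate (something like `isErrorResponse(Response)`, the name is only a suggestion) so that both overloads read `if (!isErrorResponse(response)) { ... } handleErrorResponse(response); return null;` would keep the `Class` and `GenericType` paths from drifting apart later. More importantly, each overload falls through to `return null` after `handleErrorResponse(response)`. The visible part of `handleErrorResponse` branches on `MediaType.APPLICATION_XML_TYPE.equals(contentType)` and the rest lies outside the hunk; if any branch returns normally, a 4xx/5xx response becomes indistinguishable to the caller from a 2xx with no body, since both yield `null`. The pre-patch code had the same shape, so this is not a regression, but now that the error handling lives in its own method it is worth either documenting that `handleErrorResponse` always throws or throwing from the overloads if it ever returns.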
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 21 Aug 2015 09:44:37 -0600
Subject: [Pki-devel] Karma Request for Dogtag 10.2.6 in Fedora 22 & 23
Message-ID: <55D74765.90509@redhat.com>

Everyone,

Please provide Karma for the following Dogtag 10.2.6 packages for Fedora 22:

* dogtag-pki-theme-10.2.6-1.fc22
* pki-core-10.2.6-1.fc22
* pki-core-10.2.6-2.fc22
* pki-core-10.2.6-4.fc22
* pki-core-10.2.6-5.fc22
* pki-core-10.2.6-6.fc22
* pki-core-10.2.6-7.fc22
* pki-console-10.2.6-1.fc22
* dogtag-pki-10.2.6-1.fc22

and for Fedora 23:

* pki-core-10.2.6-5.fc23
* pki-core-10.2.6-6.fc23
* pki-core-10.2.6-7.fc23

Thanks,
-- Matt

P. S. - It is our hope that these will be the last re-spins for a while!

From ftweedal at redhat.com Mon Aug 24 07:27:21 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 24 Aug 2015 17:27:21 +1000
Subject: [Pki-devel] [PATCH] 0026-5, 0044-3 Lightweight sub-CAs
Message-ID: <20150824072721.GY16439@dhcp-40-8.bne.redhat.com>

Hi team,

The latest sub-CAs patches are attached. It has been a while since the last patchset (that was posted here, anyway) and there have been some significant changes, outlined below. (The patchset version skipped a couple of numbers due to versions distributed privately that I felt were not stable enough to warrant posting to pki-devel.)

Major changes:

- The Java client and CLI were extracted to a separate patch (0044).
- An LDAP entry for each sub-CA is written to the database.
- The database is searched and sub-CAs are initialised at startup.
- The key nickname is stored in / read from the LDAP entry.
- A sub-CA "list" API call, client method and CLI were added.
- More resources are shared between the top-level CA and sub-CAs.
- Spurious task threads and LDAP connections hunted down :)

Dependencies:

- Patch 0026-5 probably depends on 0045[1] for a clean merge.
- Patch 0044-3 depends on my patch 0046[2].

[1] https://www.redhat.com/archives/pki-devel/2015-August/msg00072.html
[2] https://www.redhat.com/archives/pki-devel/2015-August/msg00073.html

Cheers,
Fraser

-------------- next part --------------
From d7efe6286bd7b6e561cadc3f4b6cb5c3a1f56873 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Wed, 28 Jan 2015 02:41:10 -0500 Subject: [PATCH] Add lightweight sub-CA support --- base/ca/shared/conf/catalina.properties | 2 + base/ca/shared/conf/db.ldif | 5 + .../shared/webapps/ca/agent/ca/queryCert.template | 9 +- .../webapps/ca/agent/ca/reasonToRevoke.template | 8 +- .../shared/webapps/ca/agent/ca/srchCert.template | 2 + base/ca/shared/webapps/ca/ee/ca/queryCert.template | 6 +- .../webapps/ca/ee/ca/reasonToRevoke.template | 8 +- base/ca/src/com/netscape/ca/CAService.java | 51 +-- .../src/com/netscape/ca/CertificateAuthority.java | 416 ++++++++++++++++++--- base/ca/src/com/netscape/ca/SigningUnit.java | 22 +- .../dogtagpki/server/ca/rest/CAApplication.java | 3 + .../org/dogtagpki/server/ca/rest/SubCAService.java | 156 ++++++++ .../src/com/netscape/certsrv/ca/ICAService.java | 10 +- .../netscape/certsrv/ca/ICertificateAuthority.java | 35 ++ .../netscape/certsrv/profile/IEnrollProfile.java | 5 + .../netscape/certsrv/security/ISigningUnit.java | 8 + .../src/com/netscape/certsrv/subca/CAData.java | 88 +++++ .../com/netscape/certsrv/subca/SubCAResource.java | 36 ++ .../cms/profile/common/CAEnrollProfile.java | 7 +- .../netscape/cms/profile/common/EnrollProfile.java | 3 + .../cms/profile/def/AuthInfoAccessExtDefault.java | 8 +- .../def/AuthorityKeyIdentifierExtDefault.java | 15 +- .../netscape/cms/profile/def/CAEnrollDefault.java | 4 +- .../netscape/cms/servlet/cert/DisplayBySerial.java | 31 +- .../com/netscape/cms/servlet/cert/DoRevoke.java | 15 +- .../cms/servlet/cert/EnrollmentProcessor.java | 9 + .../com/netscape/cms/servlet/cert/ListCerts.java | 22 +- .../netscape/cms/servlet/cert/ReasonToRevoke.java | 13 +- .../com/netscape/cms/servlet/cert/SrchCerts.java | 24 +- .../com/netscape/cms/servlet/csadmin/CertUtil.java | 38 +- .../com/netscape/cms/servlet/ocsp/OCSPServlet.java | 5 +- base/server/share/conf/schema-subCA.ldif | 3 + base/server/share/conf/schema.ldif | 8 + 33 files changed, 902 insertions(+), 173 deletions(-) create mode 
100644 base/ca/src/org/dogtagpki/server/ca/rest/SubCAService.java create mode 100644 base/common/src/com/netscape/certsrv/subca/CAData.java create mode 100644 base/common/src/com/netscape/certsrv/subca/SubCAResource.java create mode 100644 base/server/share/conf/schema-subCA.ldif diff --git a/base/ca/shared/conf/catalina.properties b/base/ca/shared/conf/catalina.properties index 70cb7c05e78e0c4ab4b64a74d3f9eaadf96a1420..7e104e52d14852a785b49013520e5102ff356c64 100644 --- a/base/ca/shared/conf/catalina.properties +++ b/base/ca/shared/conf/catalina.properties @@ -85,3 +85,5 @@ tomcat.util.buf.StringCache.byte.enabled=true #tomcat.util.buf.StringCache.char.enabled=true #tomcat.util.buf.StringCache.trainThreshold=500000 #tomcat.util.buf.StringCache.cacheSize=5000 + +org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true diff --git a/base/ca/shared/conf/db.ldif b/base/ca/shared/conf/db.ldif index 8a2e0b07274a83b317fb1ba56e8ef32b96857118..8918c5a22566dd5f6bd52a7dd33da46169060e54 100644 --- a/base/ca/shared/conf/db.ldif +++ b/base/ca/shared/conf/db.ldif @@ -164,3 +164,8 @@ dn: ou=certificateProfiles,ou=ca,{rootSuffix} objectClass: top objectClass: organizationalUnit ou: certificateProfiles + +dn: ou=subCAs,ou=ca,{rootSuffix} +objectClass: top +objectClass: organizationalUnit +ou: subCAs diff --git a/base/ca/shared/webapps/ca/agent/ca/queryCert.template b/base/ca/shared/webapps/ca/agent/ca/queryCert.template index 0a423823fe874253f5bff5fad44608eae471c401..aed9655de924f72d9d74d91bd3d546d8cc504870 100644 --- a/base/ca/shared/webapps/ca/agent/ca/queryCert.template +++ b/base/ca/shared/webapps/ca/agent/ca/queryCert.template @@ -321,8 +321,10 @@ function displayCertificateRecord(i, cert) ""+ " \n"+ " "+ ""+ 
@@ -419,6 +421,7 @@ function doNext(element) var form = element.form; // form.action = "/"+result.header.op; form.action = "/ca/agent/ca/listCerts"; + form.caRef.value = result.header.caRef || ""; form.op.value = result.header.op; form.queryCertFilter.value = result.header.queryCertFilter; form.direction.value= "down"; @@ -472,6 +475,8 @@ document.write( "\n"+ "\n"+ +"\n"+ "\n"+ ""+ " \n"+ " "+ ""+ diff --git a/base/ca/shared/webapps/ca/ee/ca/reasonToRevoke.template b/base/ca/shared/webapps/ca/ee/ca/reasonToRevoke.template index 2a608438b1f46b7695a8692ed857ce7de6e07d42..d81e37a1dab30b079fcbb82c19f6a8ec940deb46 100644 --- a/base/ca/shared/webapps/ca/ee/ca/reasonToRevoke.template +++ b/base/ca/shared/webapps/ca/ee/ca/reasonToRevoke.template @@ -187,9 +187,9 @@ function displayCertInfo() document.write(""); for (var i = 0; i < result.recordSet.length; ++i ) { if (result.recordSet[i].serialNumber != null) { - if (result.header.caSerialNumber != null && - result.recordSet[i].serialNumber == - result.header.caSerialNumber) { + if (result.header.caSerialNumber != null + && result.recordSet[i].serialNumber == result.header.caSerialNumber + && (result.header.caRef || "") == "") { document.write(renderRowWithoutCheckbox("Serial Number: ", toHex(result.recordSet[i].serialNumber))); } else { @@ -448,6 +448,8 @@ function revokeCert(serialNumber)
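Review bot: The catalina.properties hunk turns on `org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true` for the whole CA instance without saying why. Tomcat leaves this off by default because, once `%2F` is accepted as a path separator, a reverse proxy or a path-based access rule in front of the container can normalise a URL differently from the servlet container itself, and that mismatch has a history of enabling access-control bypasses. If the setting is needed so that sub-CA references can appear as path segments in the new `SubCAResource`/`SubCAService` REST endpoints, please say so in a comment above the property, confirm that those resources and any `web.xml` security constraints match on the decoded path, and consider whether an encoding that keeps slashes out of that path segment would let the default stay in place.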
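Review bot: In the queryCert.template hunks, `doNext()` now copies `result.header.caRef` into `form.caRef.value`, and the `document.write` hunk at `@@ -472,6 +475,8 @@` adds the corresponding form element; that element must be named `caRef` or the assignment will throw when an agent pages forward. Because the value then travels back to the server as a request parameter, `ListCerts` and the other servlets in the diffstat that learn about `caRef` should treat it as untrusted input: check it against the set of sub-CA references loaded from the `ou=subCAs` container at startup before using it to select a CA or build an LDAP filter, and return an error for an unknown value rather than quietly falling back to the top-level CA.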
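Review bot: The reasonToRevoke.template hunk (`@@ -187,9 +187,9 @@`) adds `&& (result.header.caRef || "") == ""` to the condition that renders the CA's own certificate without a revocation checkbox, so that guard now applies only when no sub-CA reference is set. The hunk does not make clear what `caSerialNumber` denotes when `caRef` is non-empty: if `ReasonToRevoke` sets it to the sub-CA's own certificate serial, the change deliberately makes a lightweight sub-CA's certificate revocable from this page and that intent deserves a comment; if it still carries the top-level CA's serial, the top-level CA certificate would get a checkbox whenever it appears in a sub-CA listing. Please add a comment stating which is meant, and, if a CA certificate is supposed to stay protected, enforce that in the servlet rather than only in the template, since the template check runs in the browser.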