[Pki-devel] [PATCH] add pkiuser to nfast group

John Magne jmagne at redhat.com
Wed Jun 17 00:09:20 UTC 2015


Ran the included test drivers and the changes appear to work fine.
If the main features with the HSM test to work:

ACK

Caveat:

I noticed that one of the changes involved creating a class called "HSM".
This simple class seems to focus only on the nCipher hardware specifically.

As part of a future effort, it might be nice to make use of some inheritance to
have a base HSM class for common functionality and separate subclasses for nethsm and lunasa.

For instance, one method in there is called "restart_nciper". An OO breakdown would allow us to
simply call "restart" instead.

A discussion with mharmsen indicated this might be a candidate for a more general ticket
to work on the classes in the file pkihelper.py to bring a little more OO flavor to the table.



----- Original Message -----
> From: "Matthew Harmsen" <mharmsen at redhat.com>
> To: "pki-devel" <pki-devel at redhat.com>
> Sent: Monday, June 15, 2015 3:36:43 PM
> Subject: [Pki-devel] [PATCH] add pkiuser to nfast group
> 
> Please review the attached patch that resolves the following issue:
> 
> 
>     * PKI TRAC Ticket #1415 - nCipher HSM: Add 'pkiuser' to 'nfast' group
> 
> 
> The patch was applied and successfully tested on a VM containing an nCipher
> nethsm:
> 
> 
> # cat /etc/group | grep nfast
> nfast:x:995:
> 
> # pkispawn -s CA -f /root/mlh/pki-master-mlh.inf -vvv
> 
> # cat /etc/group | grep nfast
> nfast:x:995:pkiuser
> 
> # cd /var/lib/pki/pki-master-mlh/alias
> 
> # modutil -dbdir . -list
> 
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
> 1. NSS Internal PKCS #11 Module
> slots: 2 slots attached
> status: loaded
> 
> slot: NSS Internal Cryptographic Services
> token: NSS Generic Crypto Services
> 
> slot: NSS User Private Key and Certificate Services
> token: NSS Certificate DB
> 
> 2. nfast
> library name: /opt/nfast/toolkits/pkcs11/libcknfast.so
> slots: 2 slots attached
> status: loaded
> 
> slot: 061C-37A2-3CB3 Rt1
> token: accelerator
> 
> slot: 061C-37A2-3CB3 Rt1 slot 0
> token: NHSM6000
> -----------------------------------------------------------
> 
> # certutil -d . -L
> 
> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
> 
> casigningcert-MLH                             CT,C,C
> caauditsigningcert-MLH                        ,,P
> 
> # certutil -d . -h NHSM6000 -f /root/mlh/hsm_password -L
> 
> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
> 
> NHSM6000:casigningcert-MLH                    CTu,Cu,Cu
> NHSM6000:caocspsigningcert-MLH                u,u,u
> NHSM6000:Server-Cert cert-pki-RootCA-MLH      u,u,u
> NHSM6000:casubsystemcert-MLH                  u,u,u
> NHSM6000:caauditsigningcert-MLH               u,u,Pu
> 
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
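
The manual check in the quoted message (group membership before and after `pkispawn`, then the `modutil -list` output) can be scripted. The following is an added example, not part of the original thread or of the PKI code base; the function names are hypothetical and the sample inputs are constructed from the output quoted above.

```python
import re

# Constructed samples, modelled on the output quoted in the message above.
GROUP_BEFORE = "root:x:0:\nnfast:x:995:\n"
GROUP_AFTER = "root:x:0:\nnfast:x:995:pkiuser\n"
MODUTIL_LIST = """\
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
    status: loaded
      slot: NSS User Private Key and Certificate Services
     token: NSS Certificate DB
  2. nfast
    library name: /opt/nfast/toolkits/pkcs11/libcknfast.so
    status: loaded
      slot: 061C-37A2-3CB3 Rt1 slot 0
     token: NHSM6000
"""

def group_members(group_text, group):
    """Members of `group` in /etc/group-format text; None if the group is absent."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")  # name:password:gid:member,member
        if len(fields) == 4 and fields[0] == group:
            return [m for m in fields[3].split(",") if m]
    return None

def parse_modules(listing):
    """Parse `modutil -list` text into {module: {"status", "library", "tokens"}}."""
    modules, current = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        header = re.match(r"\d+\.\s+(.+)$", line)  # e.g. "2. nfast"
        if header:
            current = {"status": None, "library": None, "tokens": []}
            modules[header.group(1)] = current
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "token":
                current["tokens"].append(value)
            elif key in ("status", "library name"):
                current["library" if key == "library name" else "status"] = value
    return modules

def hsm_access_ok(group_text, listing, user="pkiuser", group="nfast",
                  module="nfast", token="NHSM6000"):
    """True only if `user` is in `group` and `module` is loaded and exposes `token`."""
    members = group_members(group_text, group) or []
    mod = parse_modules(listing).get(module, {"status": None, "tokens": []})
    return user in members and mod["status"] == "loaded" and token in mod["tokens"]
```

On a real host the two inputs would be the contents of `/etc/group` and the output of `modutil -dbdir . -list` run in the instance's alias directory.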



