[Pki-devel] [PATCH] disable backup keys and share master keys when using an HSM
John Magne
jmagne at redhat.com
Fri May 22 18:51:40 UTC 2015
Good we can get this feature going.
A couple of comments:
1. I'm sure we have done a bunch of testing to get the hsm case working,
if not done, it might be good to try a basic software case to make sure that
still works.
2. In SystemConfigService.java line: 1120
I think we may replace:
throw new BadRequestException("HSM clones must share their HSM master's private keys");
with:
if (data.getP12File() != null) {
throw new BadRequestException("P12 filename should not be provided since HSM clones must share their HSM master's private keys");
}
if (data.getP12Password() != null) {
throw new BadRequestException("P12 password should not be provided since HSM clones must share their HSM master's private keys");
}
Because I think the only time the situation is fatal is when we have a clone on the HSM, BUT provide the pkcs12 file data.
3.
Ran a quck pycharm on the python and it reported a couple of PEP warnings at lines 563 and 579, something about indentation. Sounds like easy fix.
----- Original Message -----
From: "Matthew Harmsen" <mharmsen at redhat.com>
To: "pki-devel" <pki-devel at redhat.com>
Sent: Thursday, May 21, 2015 4:40:21 PM
Subject: [Pki-devel] [PATCH] disable backup keys and share master keys when using an HSM
Please review the attached patch which addresses the following ticket:
* PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys
This was tested as a successful installation of a Master CA and Cloned CA using a LunaSA HSM.
_______________________________________________
Pki-devel mailing list
Pki-devel at redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
More information about the Pki-devel
mailing list