[Pki-devel] [PATCH] disable backup keys and share master keys when using an HSM

Matthew Harmsen mharmsen at redhat.com
Sat May 23 00:23:38 UTC 2015 

On 05/22/15 12:51, John Magne wrote:
> Good we can get this feature going.
> A couple of comments:
>
> 1. I'm sure we have done a bunch of testing to get the hsm case working,
> if not done, it might be good to try a basic software case to make sure that
> still works.
Done.

Successfully build and installed software master/clone, and 
enrolled/approved all four possibilities:

  * master/master
  * clone/clone
  * master/clone
  * clone/master

>
> 2. In SystemConfigService.java line: 1120
>
> I think we may replace:
>
> throw new BadRequestException("HSM clones must share their HSM master's private keys");
>
> with:
>                if (data.getP12File() != null) {
>                      throw new BadRequestException("P12 filename should not be provided since HSM clones must share their HSM master's private keys");
>                  }
>
>                  if (data.getP12Password() != null) {
>                      throw new BadRequestException("P12 password should not be provided since HSM clones must share their HSM master's private keys");
>                  }
>
>
> Because I think the only time the situation is fatal is when we have a clone on the HSM, BUT provide the pkcs12 file data.
Fixed
> 3.
>
> Ran a quck pycharm on the python and it reported a couple of PEP warnings at lines 563 and 579, something about indentation. Sounds like easy fix.
Fixed
>
>
> ----- Original Message -----
> From: "Matthew Harmsen" <mharmsen at redhat.com>
> To: "pki-devel" <pki-devel at redhat.com>
> Sent: Thursday, May 21, 2015 4:40:21 PM
> Subject: [Pki-devel] [PATCH] disable backup keys and share master keys when	using an HSM
>
> Please review the attached patch which addresses the following ticket:
>
>
>      * PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys
>
>
> This was tested as a successful installation of a Master CA and Cloned CA using a LunaSA HSM.
>
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
New patch attached.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20150522/a0006b96/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20150522-disable-backup-keys-and-share-master-keys-when-using.patch
Type: text/x-patch
Size: 7872 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20150522/a0006b96/attachment.bin>

More information about the Pki-devel mailing list