[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Pki-devel] [PATCH] disable backup keys and share master keys when using an HSM



Based on the changes and the excruciating testing done!

ACK

----- Original Message -----
From: "Matthew Harmsen" <mharmsen redhat com>
To: "John Magne" <jmagne redhat com>
Cc: "pki-devel" <pki-devel redhat com>
Sent: Friday, May 22, 2015 5:23:38 PM
Subject: Re: [Pki-devel] [PATCH] disable backup keys and share master keys when	using an HSM

On 05/22/15 12:51, John Magne wrote:
> Good we can get this feature going.
> A couple of comments:
>
> 1. I'm sure we have done a bunch of testing to get the hsm case working,
> if not done, it might be good to try a basic software case to make sure that
> still works.
Done.

Successfully build and installed software master/clone, and 
enrolled/approved all four possibilities:

  * master/master
  * clone/clone
  * master/clone
  * clone/master

>
> 2. In SystemConfigService.java line: 1120
>
> I think we may replace:
>
> throw new BadRequestException("HSM clones must share their HSM master's private keys");
>
> with:
>                if (data.getP12File() != null) {
>                      throw new BadRequestException("P12 filename should not be provided since HSM clones must share their HSM master's private keys");
>                  }
>
>                  if (data.getP12Password() != null) {
>                      throw new BadRequestException("P12 password should not be provided since HSM clones must share their HSM master's private keys");
>                  }
>
>
> Because I think the only time the situation is fatal is when we have a clone on the HSM, BUT provide the pkcs12 file data.
Fixed
> 3.
>
> Ran a quck pycharm on the python and it reported a couple of PEP warnings at lines 563 and 579, something about indentation. Sounds like easy fix.
Fixed
>
>
> ----- Original Message -----
> From: "Matthew Harmsen" <mharmsen redhat com>
> To: "pki-devel" <pki-devel redhat com>
> Sent: Thursday, May 21, 2015 4:40:21 PM
> Subject: [Pki-devel] [PATCH] disable backup keys and share master keys when	using an HSM
>
> Please review the attached patch which addresses the following ticket:
>
>
>      * PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys
>
>
> This was tested as a successful installation of a Master CA and Cloned CA using a LunaSA HSM.
>
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel redhat com
> https://www.redhat.com/mailman/listinfo/pki-devel
New patch attached.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]