[Pki-devel] [PATCH] disable backup keys and share master keys when using an HSM
Matthew Harmsen
mharmsen at redhat.com
Sat May 23 01:01:59 UTC 2015
On 05/22/15 18:58, John Magne wrote:
> Based on the changes and the excruciating testing done!
>
> ACK
>
> ----- Original Message -----
> From: "Matthew Harmsen" <mharmsen at redhat.com>
> To: "John Magne" <jmagne at redhat.com>
> Cc: "pki-devel" <pki-devel at redhat.com>
> Sent: Friday, May 22, 2015 5:23:38 PM
> Subject: Re: [Pki-devel] [PATCH] disable backup keys and share master keys when using an HSM
>
> On 05/22/15 12:51, John Magne wrote:
>> Good we can get this feature going.
>> A couple of comments:
>>
>> 1. I'm sure we have done a bunch of testing to get the hsm case working,
>> if not done, it might be good to try a basic software case to make sure that
>> still works.
> Done.
>
> Successfully build and installed software master/clone, and
> enrolled/approved all four possibilities:
>
> * master/master
> * clone/clone
> * master/clone
> * clone/master
>
>> 2. In SystemConfigService.java line: 1120
>>
>> I think we may replace:
>>
>> throw new BadRequestException("HSM clones must share their HSM master's private keys");
>>
>> with:
>> if (data.getP12File() != null) {
>> throw new BadRequestException("P12 filename should not be provided since HSM clones must share their HSM master's private keys");
>> }
>>
>> if (data.getP12Password() != null) {
>> throw new BadRequestException("P12 password should not be provided since HSM clones must share their HSM master's private keys");
>> }
>>
>>
>> Because I think the only time the situation is fatal is when we have a clone on the HSM, BUT provide the pkcs12 file data.
> Fixed
>> 3.
>>
>> Ran a quck pycharm on the python and it reported a couple of PEP warnings at lines 563 and 579, something about indentation. Sounds like easy fix.
> Fixed
>>
>> ----- Original Message -----
>> From: "Matthew Harmsen" <mharmsen at redhat.com>
>> To: "pki-devel" <pki-devel at redhat.com>
>> Sent: Thursday, May 21, 2015 4:40:21 PM
>> Subject: [Pki-devel] [PATCH] disable backup keys and share master keys when using an HSM
>>
>> Please review the attached patch which addresses the following ticket:
>>
>>
>> * PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys
>>
>>
>> This was tested as a successful installation of a Master CA and Cloned CA using a LunaSA HSM.
>>
>>
>>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
> New patch attached.
>
>
Thanks,
pushed to master:
commit 0bf9c6bc326de463f7ec35efb0ae448419ec579a
Author: Matthew Harmsen <mharmsen at redhat.com>
Date: Fri May 22 18:15:31 2015 -0600
disable backup keys and share master keys when using an HSM
- PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys
when using a
HSM (and provide recommendation); allow clones to share keys
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20150522/c00b09b7/attachment.htm>
More information about the Pki-devel
mailing list