[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Pki-devel] [PATCH] disable backup keys and share master keys when using an HSM



On 05/22/15 18:58, John Magne wrote:
Based on the changes and the excruciating testing done!

ACK

----- Original Message -----
From: "Matthew Harmsen" <mharmsen redhat com>
To: "John Magne" <jmagne redhat com>
Cc: "pki-devel" <pki-devel redhat com>
Sent: Friday, May 22, 2015 5:23:38 PM
Subject: Re: [Pki-devel] [PATCH] disable backup keys and share master keys when	using an HSM

On 05/22/15 12:51, John Magne wrote:
Good we can get this feature going.
A couple of comments:

1. I'm sure we have done a bunch of testing to get the hsm case working,
if not done, it might be good to try a basic software case to make sure that
still works.
Done.

Successfully build and installed software master/clone, and 
enrolled/approved all four possibilities:

  * master/master
  * clone/clone
  * master/clone
  * clone/master

2. In SystemConfigService.java line: 1120

I think we may replace:

throw new BadRequestException("HSM clones must share their HSM master's private keys");

with:
               if (data.getP12File() != null) {
                     throw new BadRequestException("P12 filename should not be provided since HSM clones must share their HSM master's private keys");
                 }

                 if (data.getP12Password() != null) {
                     throw new BadRequestException("P12 password should not be provided since HSM clones must share their HSM master's private keys");
                 }


Because I think the only time the situation is fatal is when we have a clone on the HSM, BUT provide the pkcs12 file data.
Fixed
3.

Ran a quck pycharm on the python and it reported a couple of PEP warnings at lines 563 and 579, something about indentation. Sounds like easy fix.
Fixed

----- Original Message -----
From: "Matthew Harmsen" <mharmsen redhat com>
To: "pki-devel" <pki-devel redhat com>
Sent: Thursday, May 21, 2015 4:40:21 PM
Subject: [Pki-devel] [PATCH] disable backup keys and share master keys when	using an HSM

Please review the attached patch which addresses the following ticket:


     * PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys


This was tested as a successful installation of a Master CA and Cloned CA using a LunaSA HSM.




_______________________________________________
Pki-devel mailing list
Pki-devel redhat com
https://www.redhat.com/mailman/listinfo/pki-devel
New patch attached.


Thanks,


pushed to master:
commit 0bf9c6bc326de463f7ec35efb0ae448419ec579a
Author: Matthew Harmsen <mharmsen redhat com>
Date:   Fri May 22 18:15:31 2015 -0600

    disable backup keys and share master keys when using an HSM
   
    - PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using a
      HSM (and provide recommendation); allow clones to share keys




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]