[Pki-devel] [PATCH] disable backup keys and share master keys when using an HSM

Matthew Harmsen mharmsen at redhat.com
Sat May 23 01:01:59 UTC 2015


On 05/22/15 18:58, John Magne wrote:
> Based on the changes and the excruciating testing done!
>
> ACK
>
> ----- Original Message -----
> From: "Matthew Harmsen" <mharmsen at redhat.com>
> To: "John Magne" <jmagne at redhat.com>
> Cc: "pki-devel" <pki-devel at redhat.com>
> Sent: Friday, May 22, 2015 5:23:38 PM
> Subject: Re: [Pki-devel] [PATCH] disable backup keys and share master keys when	using an HSM
>
> On 05/22/15 12:51, John Magne wrote:
>> Good we can get this feature going.
>> A couple of comments:
>>
>> 1. I'm sure we have done a bunch of testing to get the hsm case working,
>> if not done, it might be good to try a basic software case to make sure that
>> still works.
> Done.
>
> Successfully build and installed software master/clone, and
> enrolled/approved all four possibilities:
>
>    * master/master
>    * clone/clone
>    * master/clone
>    * clone/master
>
>> 2. In SystemConfigService.java line: 1120
>>
>> I think we may replace:
>>
>> throw new BadRequestException("HSM clones must share their HSM master's private keys");
>>
>> with:
>>                 if (data.getP12File() != null) {
>>                       throw new BadRequestException("P12 filename should not be provided since HSM clones must share their HSM master's private keys");
>>                   }
>>
>>                   if (data.getP12Password() != null) {
>>                       throw new BadRequestException("P12 password should not be provided since HSM clones must share their HSM master's private keys");
>>                   }
>>
>>
>> Because I think the only time the situation is fatal is when we have a clone on the HSM, BUT provide the pkcs12 file data.
> Fixed
>> 3.
>>
>> Ran a quck pycharm on the python and it reported a couple of PEP warnings at lines 563 and 579, something about indentation. Sounds like easy fix.
> Fixed
>>
>> ----- Original Message -----
>> From: "Matthew Harmsen" <mharmsen at redhat.com>
>> To: "pki-devel" <pki-devel at redhat.com>
>> Sent: Thursday, May 21, 2015 4:40:21 PM
>> Subject: [Pki-devel] [PATCH] disable backup keys and share master keys when	using an HSM
>>
>> Please review the attached patch which addresses the following ticket:
>>
>>
>>       * PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys
>>
>>
>> This was tested as a successful installation of a Master CA and Cloned CA using a LunaSA HSM.
>>
>>
>>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
> New patch attached.
>
>
Thanks,


pushed to master:

    commit 0bf9c6bc326de463f7ec35efb0ae448419ec579a
    Author: Matthew Harmsen <mharmsen at redhat.com>
    Date:   Fri May 22 18:15:31 2015 -0600

         disable backup keys and share master keys when using an HSM

         - PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys
    when using a
           HSM (and provide recommendation); allow clones to share keys



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20150522/c00b09b7/attachment.htm>


More information about the Pki-devel mailing list