[Pki-devel] [PATCH] Lightweight CAs

Endi Sukma Dewata edewata at redhat.com
Thu Sep 24 23:26:39 UTC 2015


On 9/24/2015 9:20 AM, Fraser Tweedale wrote:
> Latest patches attached.  Relative to previous patchset this one:
>
> - fixes a compile error in CATest.java
> - fixes a ton of warnings and some poorly ordered imports
> - adds ACLs and ACL enforcement for privileged operations
>    on AuthorityResource
>
> Here's an ldif snippet for adding the ACLs to an existing database
>
> dn: cn=aclResources,o=ipaca
> changetype: modify
> add: resourceACLS
> resourceACLS: certServer.ca.authorities:list,read:allow (list,read) user="anybody":Anybody may list and read lightweight authorities
> resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators":Administrators may create and modify lightweight authorities
>
> Cheers,
> Fraser

Some comments:

1. Right now the create & modify operations over a non-secure URL will fail:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-authority-create o=test --parent 85a2c5c2-869d-467c-9adf-dcc34367e836
ForbiddenException: No user principal provided.

It works with the secure URL:

$ pki -U https://$HOSTNAME:8443 -d ~/.dogtag/pki-tomcat/ca/alias -u caadmin -w Secret123 ca-authority-create o=test --parent 85a2c5c2-869d-467c-9adf-dcc34367e836
   Authority DN: O=test
   ID: 14004c0f-3531-49c2-ae7a-99f715af7cc4
   Parent DN: 85a2c5c2-869d-467c-9adf-dcc34367e836
   Enabled: true

This can be fixed by adding <security-constraint> into the web.xml and 
registering it in auth-method.properties.

2. The "Parent DN" field in the output above should show the DN of the 
parent authority instead of the ID. We probably should show both Parent 
DN and Parent ID.

3. Per discussion with alee, we need a way to find the host/main CA 
using something like:

$ pki ca-authority-show --host-authority

4. I think we also need a way to translate a DN into ID:

$ pki ca-authority-show --dn <DN>

5. Also per discussion with alee, the authority DN should be unique only 
among active CAs. So you should be able to create a CA, disable it, then 
create another one with the same DN. If you try to enable the old CA it 
should fail. This can be implemented later.

6. In AuthorityData.java the @XmlRootElement probably should be changed 
to "authority" for consistency. Also the following fields can be renamed 
because the "a" is redundant:
* aid -> id
* parentAID -> parentID
I think the XML output will look better that way.

7. The method description in ISigningUnit.java doesn't match the method 
name (public vs. private).

I think these are not difficult to fix, and once fixed it should be 
sufficient to push as initial implementation, so consider this a 
conditional ACK (unless alee has other comments). Item #5 (or #4 too) 
can be implemented later.

I also created this page to document the CLI:
http://pki.fedoraproject.org/wiki/PKI_CA_Authority_CLI
Feel free to expand it further.

-- 
Endi S. Dewata
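As an added illustration (not code from the patch or from Dogtag itself), here is a small Python model of the resourceACLS entries in the quoted ldif snippet: it parses the `resource:ops:rules:description` form shown above and evaluates an operation against a principal. Two behaviours in the thread are reflected: a request with no user principal is rejected outright (the "No user principal provided" failure in item 1), and anything not explicitly allowed is denied. The `;`-separated multi-rule field, the `Principal` class and the `check_access` function are assumptions made for this example; only the two ACL values and the `user="..."`/`group="..."` expressions come from the message.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two resourceACLS values from the quoted ldif.
SAMPLE_ACLS = [
    'certServer.ca.authorities:list,read:allow (list,read) user="anybody"'
    ':Anybody may list and read lightweight authorities',
    'certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators"'
    ':Administrators may create and modify lightweight authorities',
]

# One rule inside an ACL entry, e.g. 'allow (list,read) user="anybody"'.
RULE_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(user|group)="([^"]*)"$')


@dataclass
class AclRule:
    effect: str            # "allow" or "deny"
    ops: frozenset         # operations this rule covers
    expr_type: str         # "user" or "group"
    expr_value: str        # user name (or "anybody") / group name


@dataclass
class AclEntry:
    resource: str          # e.g. certServer.ca.authorities
    ops: frozenset         # operations the entry governs
    rules: list            # list of AclRule
    description: str


@dataclass
class Principal:
    """Hypothetical authenticated caller (assumption for this example)."""
    name: str
    groups: frozenset = frozenset()


def _ops(field):
    return frozenset(o.strip() for o in field.split(",") if o.strip())


def parse_acl(value):
    """Parse one resourceACLS value into an AclEntry.

    The description is the fourth field, so split on at most three colons.
    Multiple rules separated by ';' are accepted (assumption).
    """
    resource, ops, rules_field, description = value.split(":", 3)
    rules = []
    for raw in rules_field.split(";"):
        m = RULE_RE.match(raw.strip())
        if not m:
            raise ValueError("unrecognised ACL rule: %r" % raw)
        effect, rule_ops, expr_type, expr_value = m.groups()
        rules.append(AclRule(effect, _ops(rule_ops), expr_type, expr_value))
    return AclEntry(resource, _ops(ops), rules, description)


def rule_matches(rule, principal):
    if rule.expr_type == "user":
        return rule.expr_value == "anybody" or rule.expr_value == principal.name
    return rule.expr_value in principal.groups


def check_access(entries, resource, op, principal):
    """Return (allowed, reason). Unauthenticated callers are refused before
    any rule is consulted, mirroring the ForbiddenException in the thread;
    otherwise the first matching rule decides and the default is deny."""
    if principal is None:
        return False, "No user principal provided"
    for entry in entries:
        if entry.resource != resource or op not in entry.ops:
            continue
        for rule in entry.rules:
            if op in rule.ops and rule_matches(rule, principal):
                return rule.effect == "allow", entry.description
    return False, "no matching allow rule for %s on %s" % (op, resource)


if __name__ == "__main__":
    entries = [parse_acl(v) for v in SAMPLE_ACLS]
    admin = Principal("caadmin", frozenset({"Administrators"}))
    for who, op in [(admin, "create"), (Principal("bob"), "create"),
                    (Principal("bob"), "read"), (None, "list")]:
        print(who, op, check_access(entries, "certServer.ca.authorities", op, who))
```

Running the block prints one decision per case: an Administrator may create, an ordinary user may read but not create, and a caller with no principal is refused with the same message Endi saw over the non-secure URL.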