[Pki-devel] [PATCH] 297, 298 add validity check for external CA

Endi Sukma Dewata edewata at redhat.com
Fri Apr 22 21:37:47 UTC 2016


On 4/22/2016 2:37 PM, Ade Lee wrote:
> commit 0fe7bf5ff989bbc24875dce30cec8f32e89c0a8f
> Author: Ade Lee <alee at redhat.com>
> Date:   Fri Apr 22 15:31:43 2016 -0400
>
>      Add validity check for the signing certificate in pkispawn
>
>      When either an existing CA or external CA installation is
>      performed, use the pki-server cert validation tool to check
>      the signing certificate and chain.
>
>      Ticket #2043
>
> commit 9104fdda145c4f2bbbedec7256c73922e8bffcef
> Author: Ade Lee <alee at redhat.com>
> Date:   Wed Apr 20 17:26:23 2016 -0400
>
>      Add CLI to check system certificate status
>
>      We add two different calls:
>      1. pki client-cert-validate - which checks a certificate in the client
>         certdb and calls the System cert verification call performed by JSS
>         in the system self test.  This does some basic extensions and trust
>         tests, and also validates cert validity and cert trust chain.
>
>      2. pki-server subsystem-cert-validate  <subsystem>
>         This calls pki client-cert-validate using the nssdb for the subsystem
>         on all of the system certificates by default (or just one if the
>         nickname is defined).
>
>         This is a great thing to call when healthchecking an instance,
>         and also will be used by pkispawn to verify the signing cert in the
>         externally signed CA case.
>
>      Trac Ticket 2043
>

In general it's ACKed. I have some minor comments/questions:

1. The SubsystemCertificateVerifier probably should be renamed to 
SystemCertificateVerifier since "system certificate" refers to a cert in 
the subsystem/instance's NSS database and "subsystem certificate" could 
be confused with the "subsystemCert cert-pki-tomcat".

2. Instead of storing a shared SubsystemCertificateVerifier object in 
the PKIDeployer object it might be better to create a factory method, so 
the verifier can be used like this:

   verifier = deployer.create_system_cert_verifier()
   verifier.verify_certificate('signing')

That way the life-cycle of the verifier object will be short.

3. The .classpath got changed to point to a local path on your machine.

4. Is the "hardware-<token>" name used consistently in our code?

   passwd = instance.get_password("hardware-%s" % token)

-- 
Endi S. Dewata



