From akasurde at redhat.com Tue Aug 2 11:21:25 2016
From: akasurde at redhat.com (Abhijeet Kasurde)
Date: Tue, 2 Aug 2016 16:51:25 +0530
Subject: [Pki-devel] [PATCH 0011] Added check for Subsystem data and request in 'pki-server subsystem-cert-export'
Message-ID: <0f3d48ec-c59e-be8a-8247-4e32b999dbf0@redhat.com>

Hi All,

Please review this patch.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akasurde-0011-Added-check-for-Subsystem-data-and-request-in-pki-se.patch
Type: text/x-patch
Size: 2406 bytes

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 3 Aug 2016 00:04:56 -0500
Subject: [Pki-devel] [PATCH] 806 Fixed problem creating links to PKI JAR files.

The CMake create_symlink command fails if the link target does not exist already. Since PKI JAR files may not exist at build time, the commands to create the links to those files have been replaced with the ln -sf command which will create the links regardless of the targets' existence.

https://fedorahosted.org/pki/ticket/2403

Pushed to master under one-liner/trivial rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0806-Fixed-problem-creating-links-to-PKI-JAR-files.patch
Type: text/x-patch
Size: 4487 bytes
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 3 Aug 2016 19:39:18 -0500
Subject: [Pki-devel] [PATCH] 807-809 Fixed PKCS #12 import for cloning.

To fix the cloning issue in IPA, security_database.py has been modified to import all certificates and keys in the PKCS #12 file before the PKI server is started. Since the PKCS #12 generated by IPA may not contain the certificate trust flags, the script will also reset the trust flags on the imported certificates (i.e. CT,C,C for the CA certificate and u,u,Pu for the audit certificate).

https://fedorahosted.org/pki/ticket/2424

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0807-Added-log-messages-for-certificate-validation.patch
Type: text/x-patch
Size: 9203 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0808-Added-log-messages-for-certificate-import-during-clo.patch
Type: text/x-patch
Size: 3171 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0809-Fixed-PKCS-12-import-for-cloning.patch
Type: text/x-patch
Size: 8324 bytes

From: alee at redhat.com (Ade Lee)
Date: Wed, 03 Aug 2016 23:58:43 -0400
Subject: [Pki-devel] [PATCH] 329 - add pkispawn option to disable Master CRL
Message-ID: <1470283123.12380.2.camel@redhat.com>

Add pkispawn option to disable Master CRL.
This is useful in the migration case.

Please review,
Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0329-Add-pkispawn-option-to-disable-Master-CRL.patch
Type: text/x-patch
Size: 3156 bytes
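The trust-flag reset that patches 807-809 above describe, as an added example (not Dogtag's security_database.py): it validates NSS trust strings, picks the flags to re-apply per certificate, and builds the `certutil -M` command that resets them. The CT,C,C and u,u,Pu values come from the message; the nickname prefixes used to recognise the CA and audit signing certificates, the u,u,u default for the other system certificates, the sample nicknames and the function names are assumptions.

```python
"""Trust-flag reset after a PKCS #12 import (added example, not project code)."""

# An NSS trust string has three comma-separated fields: SSL, e-mail, object signing.
TRUST_FIELDS = ("ssl", "email", "objsign")

# Trust attribute letters as listed by 'certutil -H'.
TRUST_LETTERS = {
    "p": "prohibited (explicitly distrusted)",
    "P": "trusted peer",
    "c": "valid CA",
    "T": "trusted CA to issue client certs (implies c)",
    "C": "trusted CA to issue server certs (SSL only) (implies c)",
    "u": "user cert",
    "w": "send warning",
    "g": "make step-up cert",
}

# Flags the message says are applied after import.  Matching on the nickname
# prefix ('caSigningCert ...', 'auditSigningCert ...') is an assumption.
ROLE_TRUST = {
    "caSigningCert": "CT,C,C",     # CA certificate
    "auditSigningCert": "u,u,Pu",  # audit signing certificate
}
DEFAULT_TRUST = "u,u,u"  # assumed for the remaining system certs (private key present)


def parse_trust_flags(flags):
    """Split 'CT,C,C' into {'ssl': {'C','T'}, 'email': {'C'}, 'objsign': {'C'}}.
    Raises ValueError for anything 'certutil -t' would not accept."""
    fields = flags.split(",")
    if len(fields) != len(TRUST_FIELDS):
        raise ValueError(f"expected 3 comma-separated fields, got {flags!r}")
    parsed = {}
    for name, field in zip(TRUST_FIELDS, fields):
        letters = set(field)
        bad = letters - set(TRUST_LETTERS)
        if bad:
            raise ValueError(f"unknown trust attribute(s) {sorted(bad)} in {name} field of {flags!r}")
        if len(letters) != len(field):
            raise ValueError(f"repeated trust attribute in {name} field of {flags!r}")
        parsed[name] = letters
    return parsed


def is_valid_trust_flags(flags):
    """True if the string parses as an NSS trust string."""
    try:
        parse_trust_flags(flags)
    except ValueError:
        return False
    return True


def trust_flags_for(nickname):
    """Pick the flags to re-apply from the certificate's nickname."""
    for prefix, flags in ROLE_TRUST.items():
        if nickname.startswith(prefix):
            return flags
    return DEFAULT_TRUST


def certutil_modify_trust(nssdb_dir, nickname, flags):
    """Argument vector for 'certutil -M', which resets the trust of an existing
    certificate.  Returned rather than executed so it can be logged, reviewed
    and tested without an NSS database."""
    parse_trust_flags(flags)  # fail early on a malformed flag string
    return ["certutil", "-M", "-d", nssdb_dir, "-n", nickname, "-t", flags]


def plan_trust_reset(nssdb_dir, nicknames):
    """One 'certutil -M' per imported certificate, to run before the server starts."""
    return [certutil_modify_trust(nssdb_dir, n, trust_flags_for(n)) for n in nicknames]


if __name__ == "__main__":
    # Constructed nicknames, not read from a real PKCS #12 file.
    sample = ["caSigningCert cert-pki-tomcat CA",
              "auditSigningCert cert-pki-tomcat CA",
              "Server-Cert cert-pki-tomcat"]
    for cmd in plan_trust_reset("/var/lib/pki/pki-tomcat/alias", sample):
        print(" ".join(cmd))
```

Returning the argument vector instead of running it keeps the trust decision reviewable: a clone that imports a PKCS #12 without trust attributes ends up with whatever the importing tool assumed, so the flags written back should be explicit and logged.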
From: alee at redhat.com (Ade Lee)
Date: Thu, 04 Aug 2016 00:19:43 -0400
Subject: [Pki-devel] [PATCH] 0128 Fix CA OCSP responder when LWCA's are not in use
In-Reply-To: <20160727013250.GV10771@dhcp-40-8.bne.redhat.com>
References: <20160727013250.GV10771@dhcp-40-8.bne.redhat.com>
Message-ID: <1470284383.12380.3.camel@redhat.com>

ACK

On Wed, 2016-07-27 at 11:32 +1000, Fraser Tweedale wrote:
> Hi team,
>
> The attached patch fixes https://fedorahosted.org/pki/ticket/2420.
>
> Thanks,
> Fraser
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From: alee at redhat.com (Ade Lee)
Date: Thu, 04 Aug 2016 00:21:30 -0400
Subject: [Pki-devel] [PATCH] 806 Fixed problem creating links to PKI JAR files.
Message-ID: <1470284490.12380.4.camel@redhat.com>

ACK.

On Wed, 2016-08-03 at 00:04 -0500, Endi Sukma Dewata wrote:
> The CMake create_symlink command fails if the link target does not
> exist already. Since PKI JAR files may not exist at build time, the
> commands to create the links to those files have been replaced with
> the ln -sf command which will create the links regardless of the
> targets' existence.
>
> https://fedorahosted.org/pki/ticket/2403
>
> Pushed to master under one-liner/trivial rule.
From: alee at redhat.com (Ade Lee)
Date: Thu, 04 Aug 2016 11:54:24 -0400
Subject: [Pki-devel] [PATCH] 329 - add pkispawn option to disable Master CRL
In-Reply-To: <1470283123.12380.2.camel@redhat.com>
References: <1470283123.12380.2.camel@redhat.com>
Message-ID: <1470326064.16278.4.camel@redhat.com>

acked by Endi. Pushed to master.

On Wed, 2016-08-03 at 23:58 -0400, Ade Lee wrote:
> Add pkispawn option to disable Master CRL.
> This is useful in the migration case.
>
> Please review,
> Ade

From: cfu at redhat.com (Christina Fu)
Date: Thu, 4 Aug 2016 16:46:11 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0150-Ticket-2428-broken-request-links-for-CA-s-system-cer.patch
Message-ID: <994d34f2-6db5-63b1-f1c7-3701790ff226@redhat.com>

Attached please find the patch that fixes the broken link from cert->request or just simply visiting request records from agent page on CA's system certs.

thanks,

Christina
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0150-Ticket-2428-broken-request-links-for-CA-s-system-cer.patch
Type: text/x-patch
Size: 1791 bytes
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 4 Aug 2016 18:07:18 -0600
Subject: [Pki-devel] [PATCH] pki-cfu-0150-Ticket-2428-broken-request-links-for-CA-s-system-cer.patch
In-Reply-To: <994d34f2-6db5-63b1-f1c7-3701790ff226@redhat.com>
References: <994d34f2-6db5-63b1-f1c7-3701790ff226@redhat.com>
Message-ID: <58a1efc4-64f4-3032-16d1-96ad8aad5ca4@redhat.com>

On 08/04/2016 05:46 PM, Christina Fu wrote:
> Attached please find the patch that fixes the broken link from
> cert->request or just simply visiting request records from agent page
> on CA's system certs.
>
> thanks,
>
> Christina

per discussion on IRC, remove the generic exception

ACK
From: cfu at redhat.com (Christina Fu)
Date: Thu, 4 Aug 2016 17:57:16 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0150-Ticket-2428-broken-request-links-for-CA-s-system-cer.patch
In-Reply-To: <58a1efc4-64f4-3032-16d1-96ad8aad5ca4@redhat.com>
References: <994d34f2-6db5-63b1-f1c7-3701790ff226@redhat.com> <58a1efc4-64f4-3032-16d1-96ad8aad5ca4@redhat.com>

pushed to master:
commit d2e8c9c5fb54e39884ecf304a234f8cb52c5a40e

thanks,
Christina

On 08/04/2016 05:07 PM, Matthew Harmsen wrote:
> On 08/04/2016 05:46 PM, Christina Fu wrote:
>> Attached please find the patch that fixes the broken link from
>> cert->request or just simply visiting request records from agent page
>> on CA's system certs.
>>
>> thanks,
>>
>> Christina
>
> per discussion on IRC, remove the generic exception
>
> ACK
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 5 Aug 2016 01:55:14 -0500
Subject: [Pki-devel] [PATCH] Fix NumberFormatException for tps-cert-find when given non integer value to size and start option
In-Reply-To: <5799B0B8.6020108@redhat.com>
References: <5798AB13.90501@redhat.com> <5799B0B8.6020108@redhat.com>

Thanks! It's pushed to master with slight modification for consistency.

--
Endi S. Dewata

On 7/28/2016 2:14 AM, Geetika Kapoor wrote:
> Hi Endi,
>
> I am attaching the java code file as well with this patch that I have used
> for the same testing on rhel7. I thought it will be helpful. I did a quick
> test of similar ones and nothing looks like breaking with the new piece of code.
>
> On 07/28/2016 12:21 AM, Endi Sukma Dewata wrote:
>> Geetika,
>>
>> Yes, more info would be helpful. I have some comments below.
>>
>> On 7/27/2016 7:37 AM, Geetika Kapoor wrote:
>>> Hi,
>>>
>>> I tried to fix NumberFormatException when I did tps-cert-find with
>>> non-integer/invalid range value for size and start. I was doing testing
>>> for tps-cert and then I came across this. I thought of giving some
>>> additional info to users in place of numberformat. I have done a similar
>>> fix on rhel7, compiled it, made a jar and tested on rhel7. I can share
>>> that patch if needed. Below are the test results.
>>>
>>> Before fix testing:
>>>
>>> 1. pki -h pki1.example.com -p 25080 tps-cert-find --start "gy"
>>> NumberFormatException: For input string: "gy"
>>>
>>> 2. pki -h pki1.example.com -p 25080 tps-cert-find --size "gy"
>>> NumberFormatException: For input string: "gy"
>>>
>>> 3. pki -p 25080 tps-cert-find --start 1789999999999999999999999999999999999999999999
>>> NumberFormatException: For input string: "1789999999999999999999999999999999999999999999"
>>>
>>>
>>> After fix testing:
>>>
>>> 1. [root@pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --start "gy"
>>> Error: Enter valid integer value for size/start option
>>> usage: tps-cert-find [FILTER] [OPTIONS...]
>>>     --help     Show help options
>>>     --size     Page size
>>>     --start    Page start
>>>     --token    Token ID
>>
>> I think it would be useful to show the user which parameter has
>> the invalid value and also the invalid value itself, so something like
>> this:
>>
>> Error: Invalid value for --start parameter: gy
>
> Fixed: Now it is showing
>
> [root@pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --size tyu
> Error: Invalid value for --size parameter:tyu
> [root@pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --start tyu
> Error: Invalid value for --start parameter:tyu
>
>>> 2. [root@pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 tps-cert-find --size "hy"
>>> Error: Enter valid integer value for size/start option
>>> usage: tps-cert-find [FILTER] [OPTIONS...]
>>>     --help     Show help options
>>>     --size     Page size
>>>     --start    Page start
>>>     --token    Token ID
>>
>> Same thing here:
>>
>> Error: Invalid value for --size parameter: hy
>>
>> So you may need to create separate try-catch blocks for each parameter.
>>
>> Another thing, I'm not sure if we should display the command usage
>> after the failure. The usage could be very long and it may obscure the
>> error message. The error message itself should be sufficient to fix
>> the problem, and if needed the user can see the usage using the --help
>> parameter. We probably can display something like this after the error
>> message (replace with the actual command name):
>
> Removed the printhelp() each time because the command typed is correct, only
> the values are invalid, so that is the message we have displayed
>
>> Try 'pki --help' for more information.
>>
>> One more thing, please preserve the formatting of the existing code.
>> We use 4 spaces instead of tabs for indentation. Thanks.
>
> I have removed tabs.
>

From: gkapoor at redhat.com (Geetika Kapoor)
Date: Fri, 5 Aug 2016 12:32:32 +0530
Subject: [Pki-devel] [PATCH] Fix NumberFormatException for tps-cert-find when given non integer value to size and start option
References: <5798AB13.90501@redhat.com> <5799B0B8.6020108@redhat.com>
Message-ID: <57A43A08.1090200@redhat.com>

Thanks Endi..

Regards,
Geetika

On 08/05/2016 12:25 PM, Endi Sukma Dewata wrote:
> Thanks!
>
> It's pushed to master with slight modification for consistency.
>

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 5 Aug 2016 02:37:52 -0500
Subject: [Pki-devel] [PATCH 0011] Added check for Subsystem data and request in 'pki-server subsystem-cert-export'
In-Reply-To: <0f3d48ec-c59e-be8a-8247-4e32b999dbf0@redhat.com>
References: <0f3d48ec-c59e-be8a-8247-4e32b999dbf0@redhat.com>
Message-ID: <3b3bcf15-f636-a46e-b879-6d301f2b31fe@redhat.com>

Thanks! It's pushed to master with a slight modification to include the cert ID in the error message.

--
Endi S. Dewata

On 8/2/2016 6:21 AM, Abhijeet Kasurde wrote:
> Hi All,
>
> Please review this patch.
>
> Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245
>
> --
> Thanks,
> Abhijeet Kasurde
>
> IRC: akasurde
> http://akasurde.github.io

From: georgewash87 at gmail.com (George Wash)
Date: Fri, 5 Aug 2016 10:10:22 -0700
Subject: [Pki-devel] JSS/NSS

Are there any plans on the dogtag roadmap to ever migrate away from using JSS/NSS?

George

"Lost time is never found again." - Ben Franklin
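The option-validation pattern the tps-cert-find review above settled on, as an added example (not the pki CLI's Java code, which is where the fix actually landed): each integer option is checked on its own so the error names the option and the rejected value, the usage text is not dumped after a bad value, and the user is pointed at --help instead. It is written in Python, so the 32-bit range that Java's Integer.parseInt() enforces (test case 3 above) is checked explicitly; the defaults for --size and --start and the function names are assumptions.

```python
"""Per-option integer validation for a paged 'find' command (added example)."""
import argparse
import sys

# Integer.parseInt() in the Java CLI rejects anything outside the 32-bit range;
# Python ints are unbounded, so the range is checked explicitly.
JAVA_INT_MAX = 2**31 - 1


class InvalidOptionValue(ValueError):
    """Carries the option name and the offending value into the error message."""

    def __init__(self, option, value):
        super().__init__(f"Invalid value for {option} parameter: {value}")
        self.option = option
        self.value = value


def parse_int_option(option, value, minimum=0):
    """Parse one option's value.  One call per option is the Python counterpart
    of the separate try/catch blocks suggested in the review."""
    try:
        number = int(value, 10)
    except (TypeError, ValueError):
        raise InvalidOptionValue(option, value) from None
    if not minimum <= number <= JAVA_INT_MAX:
        raise InvalidOptionValue(option, value)
    return number


def parse_find_args(argv):
    """Parse 'tps-cert-find [FILTER] [OPTIONS...]' and validate --size/--start."""
    parser = argparse.ArgumentParser(prog="pki tps-cert-find", add_help=False)
    parser.add_argument("filter", nargs="?")
    parser.add_argument("--help", action="store_true")
    parser.add_argument("--size", default="20")   # assumed default page size
    parser.add_argument("--start", default="0")   # assumed default page start
    parser.add_argument("--token")
    ns = parser.parse_args(argv)
    return {
        "filter": ns.filter,
        "help": ns.help,
        "token": ns.token,
        # validated one at a time, so the error names the right option
        "size": parse_int_option("--size", ns.size),
        "start": parse_int_option("--start", ns.start),
    }


def run(argv):
    """Return (exit code, text) instead of printing, so the behaviour is testable."""
    try:
        args = parse_find_args(argv)
    except InvalidOptionValue as exc:
        # No usage dump: the command was correct, only a value was not.
        return 1, f"Error: {exc}\nTry 'pki tps-cert-find --help' for more information."
    if args["help"]:
        return 0, "usage: tps-cert-find [FILTER] [OPTIONS...]"
    return 0, f"find certs: filter={args['filter']} start={args['start']} size={args['size']}"


if __name__ == "__main__":
    code, text = run(sys.argv[1:])
    print(text)
    sys.exit(code)
```

Echoing the rejected value back is what makes the message actionable, but it should be the option value only, never a secret passed on the same command line (the -c password in the transcripts above, for instance) and never the full argv.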
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 5 Aug 2016 12:53:16 -0500
Subject: [Pki-devel] [PATCH] 807-809 Fixed PKCS #12 import for cloning.
Message-ID: <9268e4b5-2ff3-37b4-285e-79fd6219d637@redhat.com>

On 8/3/2016 7:39 PM, Endi Sukma Dewata wrote:
> To fix cloning issue in IPA the security_database.py has been
> modified to import all certificates and keys in the PKCS #12 file
> before the PKI server is started. Since the PKCS #12 generated by
> IPA may not contain the certificate trust flags, the script will
> also reset the trust flags on the imported certificates (i.e.
> CT,C,C for CA certificate and u,u,Pu for audit certificate).
>
> https://fedorahosted.org/pki/ticket/2424

Patch #808 has been updated to add pkcs12.show_certs() and nssdb.show_certs(). Patch #809 has been rebased.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0808-1-Added-log-messages-for-certificate-import-during-clo.patch
Type: text/x-patch
Size: 6371 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0809-1-Fixed-PKCS-12-import-for-cloning.patch
Type: text/x-patch
Size: 8451 bytes
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 5 Aug 2016 14:38:24 -0600
Subject: [Pki-devel] [PATCH] Added python-urllib3 dependency
Message-ID: <53eef5e7-5030-4293-4435-5f9ae3d8ab2d@redhat.com>

Please review this patch which addresses the following ticket:

* PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade.

--
Matt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20160805-Added-python-urllib3-dependency.patch
Type: text/x-patch
Size: 1748 bytes

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 5 Aug 2016 15:43:26 -0500
Subject: [Pki-devel] [PATCH] 807-809 Fixed PKCS #12 import for cloning.
In-Reply-To: <9268e4b5-2ff3-37b4-285e-79fd6219d637@redhat.com>
References: <9268e4b5-2ff3-37b4-285e-79fd6219d637@redhat.com>
Message-ID: <048506d2-ab63-0762-7dd0-dc7616f5e6fb@redhat.com>

On 8/5/2016 12:53 PM, Endi Sukma Dewata wrote:
> On 8/3/2016 7:39 PM, Endi Sukma Dewata wrote:
>> To fix cloning issue in IPA the security_database.py has been
>> modified to import all certificates and keys in the PKCS #12 file
>> before the PKI server is started. Since the PKCS #12 generated by
>> IPA may not contain the certificate trust flags, the script will
>> also reset the trust flags on the imported certificates (i.e.
>> CT,C,C for CA certificate and u,u,Pu for audit certificate).
>>
>> https://fedorahosted.org/pki/ticket/2424
>
> Patch #808 has been updated to add pkcs12.show_certs() and
> nssdb.show_certs(). Patch #809 has been rebased.

ACKed by alee (thanks!) with additional changes to fix the error message and to add an explanation about the NSS database requirement. Pushed to master.

--
Endi S. Dewata
From: jmagne at redhat.com (John Magne)
Date: Fri, 5 Aug 2016 17:11:12 -0400 (EDT)
Subject: [Pki-devel] [PATCH] Added python-urllib3 dependency
In-Reply-To: <53eef5e7-5030-4293-4435-5f9ae3d8ab2d@redhat.com>
References: <53eef5e7-5030-4293-4435-5f9ae3d8ab2d@redhat.com>
Message-ID: <1301637852.4524152.1470431472448.JavaMail.zimbra@redhat.com>

Looks reasonable:

ACK with all the customary tested to work disclaimers.

This statement has not been evaluated by the FDA....

----- Original Message -----
From: "Matthew Harmsen"
To: "pki-devel"
Sent: Friday, August 5, 2016 1:38:24 PM
Subject: [Pki-devel] [PATCH] Added python-urllib3 dependency

Please review this patch which addresses the following ticket:

* PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade.

--
Matt
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 5 Aug 2016 16:58:23 -0600
Subject: [Pki-devel] [PATCH] 0128 Fix CA OCSP responder when LWCA's are not in use
In-Reply-To: <1470284383.12380.3.camel@redhat.com>
References: <20160727013250.GV10771@dhcp-40-8.bne.redhat.com> <1470284383.12380.3.camel@redhat.com>
Message-ID: <164e712d-bd6b-f4de-0abf-95eafcdd53ae@redhat.com>

On 08/03/2016 10:19 PM, Ade Lee wrote:
> ACK
>
> On Wed, 2016-07-27 at 11:32 +1000, Fraser Tweedale wrote:
>> Hi team,
>>
>> The attached patch fixes https://fedorahosted.org/pki/ticket/2420.
>>
>> Thanks,
>> Fraser

Fraser,

Please check this into the 'master' branch as we are planning to start creating new builds on Monday, August 8, 2016.

--
Matt

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 5 Aug 2016 20:07:22 -0500
Subject: [Pki-devel] [PATCH] 810 Fixed RPM spec for client-only build.

The RPM spec has been fixed not to include the %pre script for the pki-server package if the --without-server parameter is specified.

https://fedorahosted.org/pki/ticket/2403

Pushed to master under one-liner/trivial rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0810-Fixed-RPM-spec-for-client-only-build.patch
Type: text/x-patch
Size: 1074 bytes
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 7 Aug 2016 16:53:09 -0500
Subject: [Pki-devel] [PATCH] 811 Split link customization in RPM spec.
Message-ID: <13a832fa-8c20-2bda-3f5c-ac8be8fdda29@redhat.com>

The code that customizes the links to the JAR files has been split between the client and server packages.

https://fedorahosted.org/pki/ticket/2403

Pushed to master under one-liner/trivial rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0811-Split-link-customization-in-RPM-spec.patch
Type: text/x-patch
Size: 3997 bytes

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 7 Aug 2016 16:53:36 -0500
Subject: [Pki-devel] [PATCH] 812 Moved upgrade scripts for RHEL.
Message-ID: <07bb5ecd-b932-1b27-9d11-fa1722b601e8@redhat.com>

On RHEL the upgrade scripts after 10.3.3 have been moved into the 10.3.3 folder to match the RHEL version number.

https://fedorahosted.org/pki/ticket/2403

Pushed to master under one-liner/trivial rule.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0812-Moved-upgrade-scripts-for-RHEL.patch
Type: text/x-patch
Size: 1960 bytes
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 8 Aug 2016 10:05:00 +1000
Subject: [Pki-devel] [PATCH] 0128 Fix CA OCSP responder when LWCA's are not in use
In-Reply-To: <164e712d-bd6b-f4de-0abf-95eafcdd53ae@redhat.com>
References: <20160727013250.GV10771@dhcp-40-8.bne.redhat.com> <1470284383.12380.3.camel@redhat.com> <164e712d-bd6b-f4de-0abf-95eafcdd53ae@redhat.com>
Message-ID: <20160808000500.GD11092@dhcp-40-8.bne.redhat.com>

On Fri, Aug 05, 2016 at 04:58:23PM -0600, Matthew Harmsen wrote:
> On 08/03/2016 10:19 PM, Ade Lee wrote:
> > ACK
> >
> > On Wed, 2016-07-27 at 11:32 +1000, Fraser Tweedale wrote:
> > > Hi team,
> > >
> > > The attached patch fixes https://fedorahosted.org/pki/ticket/2420.
> > >
> > > Thanks,
> > > Fraser
>
> Fraser,
>
> Please check this into the 'master' branch as we are planning to start
> creating new builds on Monday, August 8, 2016.
>
Pushed to master: 018b5c1f3295fadd263d256d00866dd7b9d31163

From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 8 Aug 2016 11:17:05 +1000
Subject: [Pki-devel] JSS/NSS
Message-ID: <20160808011705.GE11092@dhcp-40-8.bne.redhat.com>

On Fri, Aug 05, 2016 at 10:10:22AM -0700, George Wash wrote:
> Are there any plans on the dogtag roadmap to ever migrate away from using
> JSS/NSS?
>
Hi George,

I don't think there are any such plans. Why do you ask?

Cheers,
Fraser
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 8 Aug 2016 14:43:34 +1000
Subject: [Pki-devel] [PATCH] 0129 Fix lightweight CA PEM-encoded PKCS #7 cert chain retrieval
Message-ID: <20160808044334.GH11092@dhcp-40-8.bne.redhat.com>

The attached patch fixes https://fedorahosted.org/pki/ticket/2433; pushed under one-liner rule.

master 7bed80ef6b1529f948da260a6b43f2052c6ffb21

Thanks,
Fraser

From: cheimes at redhat.com (Christian Heimes)
Date: Mon, 8 Aug 2016 13:14:28 +0200
Subject: [Pki-devel] [PATCH 0063] Improve setup.py for standalone Dogtag client releases
Message-ID: <90551d59-4f06-9e3e-319d-52a981a348b9@redhat.com>

PyPI requires a different spelling of the LGPLv3+ classifier.

The correct name for installation requirements is 'install_requires', not 'requirements'.

Add a new version_info command that rewrites setup.py in place to include the current version. This fixes a problem with source distributions of the client package.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0063-Improve-setup.py-for-standalone-Dogtag-client-releas.patch
Type: text/x-patch
Size: 5147 bytes
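The three setup.py points in patch 0063 above, as an added example rather than the patch itself: the classifier spelling PyPI accepts for LGPLv3+, `install_requires` in place of the `requirements` key (which setuptools only warns about and then ignores), and an in-place rewrite of the `version=` argument of the kind a `version_info` command performs. The package name, version and dependency list are placeholders, and the command option name (`--new-version`) and function names are assumptions.

```python
"""setup.py fixes: classifier spelling, install_requires, in-place version rewrite (added example)."""
import re

# The spelling from the PyPI trove classifier list.
LGPLV3_PLUS = "License :: OSI Approved :: GNU Lesser General Public License v3 or later (LGPLv3+)"

# Matches the version keyword argument of setup(), quoted either way.
VERSION_RE = re.compile(r"""\bversion\s*=\s*(?P<quote>['"])(?P<value>[^'"\n]*)(?P=quote)""")


def setup_kwargs(version, requires):
    """Keyword arguments for setuptools.setup().  Note install_requires, not
    'requirements': an unknown keyword only produces a warning, so a typo
    here silently ships a package with no dependencies."""
    return {
        "name": "example-pki-client",       # placeholder package name
        "version": version,
        "packages": ["pki"],
        "install_requires": list(requires),
        "classifiers": [
            "Development Status :: 5 - Production/Stable",
            "Programming Language :: Python :: 3",
            LGPLV3_PLUS,
        ],
    }


def rewrite_version(source, version):
    """Return setup.py source with its version argument set to `version`.
    Exactly one match is required so the rewrite cannot touch an unrelated string."""
    if not re.fullmatch(r"[0-9][0-9A-Za-z.+-]*", version):
        raise ValueError(f"not a version string: {version!r}")
    matches = list(VERSION_RE.finditer(source))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one version argument, found {len(matches)}")
    match = matches[0]
    return source[:match.start("value")] + version + source[match.end("value"):]


def rewrite_version_in_place(path, version):
    """Rewrite the file on disk; this is what the command below does to setup.py itself."""
    with open(path, encoding="utf-8") as fh:
        source = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rewrite_version(source, version))


# The single quoted version string in this file, which the command rewrites.
SETUP = setup_kwargs(version="0.0.0", requires=["requests", "six"])  # placeholder version and deps


if __name__ == "__main__":
    from setuptools import Command, setup

    class VersionInfo(Command):
        """'python setup.py version_info --new-version=X.Y.Z' rewrites this file."""
        description = "write the given version into setup.py"
        user_options = [("new-version=", None, "version string to write")]

        def initialize_options(self):
            self.new_version = None

        def finalize_options(self):
            if not self.new_version:
                raise ValueError("--new-version is required")

        def run(self):
            rewrite_version_in_place(__file__, self.new_version)

    setup(cmdclass={"version_info": VersionInfo}, **SETUP)
```

Requiring exactly one match is the safety check: a rewrite that silently edits the first of several `version=` strings, or none, would produce a source distribution whose metadata does not match the release, which is the failure the patch message describes.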
From: cheimes at redhat.com (Christian Heimes)
Date: Mon, 8 Aug 2016 18:22:05 +0200
Subject: [Pki-devel] [PATCH 0063] Improve setup.py for standalone Dogtag client releases
In-Reply-To: <90551d59-4f06-9e3e-319d-52a981a348b9@redhat.com>
References: <90551d59-4f06-9e3e-319d-52a981a348b9@redhat.com>

On 2016-08-08 13:14, Christian Heimes wrote:
> PyPI requires a different spelling of LGPLv3+ classifier.
>
> The correct name for installation requirements is 'install_requires',
> not 'requirements'.
>
> Add a new version_info command that rewrites setup.py in place to
> include the current version. This fixes a problem with source
> distributions of the client package.

ACKed by Ade on IRC, pushed to master in e948a42f8bf7823b18ad4551a8fe8a5db991e966

Christian

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 8 Aug 2016 13:42:32 -0500
Subject: [Pki-devel] [PATCH] 813 Improved SystemConfigService.configure() error message.

pkispawn has been modified to improve the way it displays the error message returned by SystemConfigService.configure(). If the method throws a PKIException, the response is returned as a JSON message, which pkispawn will parse in order to display the error message only. For other exceptions pkispawn will display the entire HTML message returned by Tomcat.

https://fedorahosted.org/pki/ticket/2399

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0813-Improved-SystemConfigService.configure-error-message.patch
Type: text/x-patch
Size: 3247 bytes
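The two-way error handling that patch 813 above describes, as an added example and not pkispawn's own code: a PKIException arrives as a JSON document and only its message is shown, while any other failure is shown as the whole HTML page Tomcat returned. The JSON field names (ClassName, Code, Message), the helper names and both sample response bodies are constructed for the example.

```python
"""Choosing what to display when SystemConfigService.configure() fails (added example)."""
import json


def parse_pki_exception(body):
    """Return the fields of a serialized PKIException, or None when the body is
    not one (not JSON, not a JSON object, or no Message field)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or "Message" not in doc:
        return None
    return {
        "class_name": doc.get("ClassName", "PKIException"),
        "code": doc.get("Code"),
        "message": str(doc["Message"]),
    }


def format_configure_error(status, content_type, body):
    """Text pkispawn-style code would print for a failed configure() call."""
    media_type = content_type.split(";")[0].strip().lower()
    exc = parse_pki_exception(body) if media_type == "application/json" else None
    if exc is not None:
        # PKIException: the message alone is what the operator needs to act on.
        return f"ERROR: {exc['message']}"
    # Anything else (a servlet-level failure, a proxy page, malformed JSON):
    # show the whole response, since the HTML page is the only diagnostic there is.
    return f"ERROR: server returned HTTP {status}\n{body}"


# Constructed sample responses, not captured from a real server.
SAMPLE_PKI_EXCEPTION = (
    500,
    "application/json",
    '{"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,'
    '"Message":"Unable to import CA certificate: example failure",'
    '"Attributes":{"Attribute":[]}}',
)
SAMPLE_TOMCAT_HTML = (
    500,
    "text/html;charset=utf-8",
    "<html><head><title>HTTP Status 500 - Internal Server Error</title></head>"
    "<body><h1>HTTP Status 500 - Internal Server Error</h1></body></html>",
)

if __name__ == "__main__":
    for response in (SAMPLE_PKI_EXCEPTION, SAMPLE_TOMCAT_HTML):
        print(format_configure_error(*response))
        print("---")
```

The content type is checked before the body is parsed so that a JSON-looking fragment inside an HTML error page is never mistaken for a PKIException, and a JSON response that lacks the expected shape falls back to the raw body rather than to an empty message.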
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 8 Aug 2016 14:53:08 -0500
Subject: [Pki-devel] [PATCH] 813 Improved SystemConfigService.configure() error message.
Message-ID: <46d29f0d-06a7-36b8-376c-f2c7349bbbc7@redhat.com>

On 8/8/2016 1:42 PM, Endi Sukma Dewata wrote:
> The pkispawn has been modified to improve the way it displays the
> error message returned by SystemConfigService.configure(). If the
> method throws a PKIException, the response is returned as a JSON
> message, then pkispawn will parse it and display the error message
> only. For other exceptions pkispawn will display the entire HTML
> message returned by Tomcat.
>
> https://fedorahosted.org/pki/ticket/2399

ACKed by alee (thanks!) with some adjustments. Pushed to master.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0813-1-Improved-SystemConfigService.configure-error-message.patch
Type: text/x-patch
Size: 3416 bytes
From: cfu at redhat.com (Christina Fu)
Date: Tue, 9 Aug 2016 17:34:56 -0700
Subject: [Pki-devel] JSS/NSS
In-Reply-To: <20160808011705.GE11092@dhcp-40-8.bne.redhat.com>
References: <20160808011705.GE11092@dhcp-40-8.bne.redhat.com>
Message-ID: <26def1e2-1718-6922-4072-1d85bc72857d@redhat.com>

On 08/07/2016 06:17 PM, Fraser Tweedale wrote:
> On Fri, Aug 05, 2016 at 10:10:22AM -0700, George Wash wrote:
>> Are there any plans on the dogtag roadmap to ever migrate away from using
>> JSS/NSS?
>>
> Hi George,
>
> I don't think there are any such plans. Why do you ask?

Right, there is no such plan to ditch JSS/NSS. Not sure if this information will help, but we are in the early stage of doing upstream integration into the Mozilla build.

Christina

>
> Cheers,
> Fraser
From: cfu at redhat.com (Christina Fu)
Date: Tue, 9 Aug 2016 17:38:19 -0700
Subject: [Pki-devel] JSS/NSS
In-Reply-To: <26def1e2-1718-6922-4072-1d85bc72857d@redhat.com>
References: <20160808011705.GE11092@dhcp-40-8.bne.redhat.com> <26def1e2-1718-6922-4072-1d85bc72857d@redhat.com>
Message-ID: <94c8abba-52e5-37ee-5c28-5bc34c59bad5@redhat.com>

On 08/09/2016 05:34 PM, Christina Fu wrote:
>
> On 08/07/2016 06:17 PM, Fraser Tweedale wrote:
>> On Fri, Aug 05, 2016 at 10:10:22AM -0700, George Wash wrote:
>>> Are there any plans on the dogtag roadmap to ever migrate away from
>>> using JSS/NSS?
>>>
>> Hi George,
>>
>> I don't think there are any such plans. Why do you ask?
> Right, there is no such plan to ditch JSS/NSS. Not sure if this
> information will help, but we are in the early stage of doing upstream
> integration into the Mozilla build.

for JSS, I mean.

>
> Christina
>
>>
>> Cheers,
>> Fraser

From: akasurde at redhat.com (Abhijeet Kasurde)
Date: Wed, 10 Aug 2016 12:01:48 +0530
Subject: [Pki-devel] [PATCH 0012] Added check for pki-server-nuxwdog parameter

Hi All,

Please review this patch.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akasurde-0012-Added-check-for-pki-server-nuxwdog-parameter.patch
Type: text/x-patch
Size: 1132 bytes
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 10 Aug 2016 10:21:54 -0600
Subject: [Pki-devel] Karma Requests for Dogtag 10.3.5-1 and ldapjdk
Message-ID: <42de6a29-ce3d-9cc7-9e48-e5ba123e8491@redhat.com>

The following candidate builds of Dogtag 10.3.5 and ldapjdk on Fedora 24, 25, and 26 (rawhide) consist of the following:

* Fedora 24:
  o dogtag-pki-10.3.5-1.fc24
  o dogtag-pki-theme-10.3.5-1.fc24
  o pki-core-10.3.5-1.fc24
  o pki-console-10.3.5-1.fc24
  o ldapjdk-4.18-19.fc24
* Fedora 25:
  o dogtag-pki-10.3.5-1.fc25
  o dogtag-pki-theme-10.3.5-1.fc25
  o pki-core-10.3.5-1.fc25
  o pki-console-10.3.5-1.fc25
  o ldapjdk-4.18-19.fc25
* Fedora 26 (rawhide):
  o dogtag-pki-10.3.5-1.fc26
  o dogtag-pki-theme-10.3.5-1.fc26
  o pki-core-10.3.5-1.fc26
  o pki-console-10.3.5-1.fc26
  o ldapjdk-4.18-19.fc26

Please provide Karma for the following builds:

* Fedora 24:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-059eb8aaee dogtag-pki-10.3.5-1.fc24
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-9f1baf574f dogtag-pki-theme-10.3.5-1.fc24
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-4d226a5f7e pki-core-10.3.5-1.fc24
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-dd16599bc7 pki-console-10.3.5-1.fc24
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-1835df9b39 ldapjdk-4.18-19.fc24
* Fedora 25:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-85261e13c5 dogtag-pki-10.3.5-1.fc25
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-3f0224b152 dogtag-pki-theme-10.3.5-1.fc25
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-0a384ead60 pki-core-10.3.5-1.fc25
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-849cbeecb1 pki-console-10.3.5-1.fc25
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-3f6bc9b601 ldapjdk-4.18-19.fc25
From: blipton at redhat.com (Ben Lipton)
Date: Wed, 10 Aug 2016 12:59:21 -0400
Subject: [Pki-devel] [Freeipa-devel] Karma Requests for Dogtag 10.3.5-1 and ldapjdk
In-Reply-To: <42de6a29-ce3d-9cc7-9e48-e5ba123e8491@redhat.com>
References: <42de6a29-ce3d-9cc7-9e48-e5ba123e8491@redhat.com>
Message-ID: <45f190c0-04b8-a669-9baa-3ce9e7434e78@redhat.com>

On 08/10/2016 12:21 PM, Matthew Harmsen wrote:
>
> The following candidate builds of Dogtag 10.3.5 and ldapjdk on Fedora
> 24, 25, and 26 (rawhide) consist of the following:
>
> * Fedora 24:
>   o dogtag-pki-10.3.5-1.fc24
>   o dogtag-pki-theme-10.3.5-1.fc24
>   o pki-core-10.3.5-1.fc24
>   o pki-console-10.3.5-1.fc24
>   o ldapjdk-4.18-19.fc24
> * Fedora 25:
>   o dogtag-pki-10.3.5-1.fc25
>   o dogtag-pki-theme-10.3.5-1.fc25
>   o pki-core-10.3.5-1.fc25
>   o pki-console-10.3.5-1.fc25
>   o ldapjdk-4.18-19.fc25
> * Fedora 26 (rawhide):
>   o dogtag-pki-10.3.5-1.fc26
>   o dogtag-pki-theme-10.3.5-1.fc26
>   o pki-core-10.3.5-1.fc26
>   o pki-console-10.3.5-1.fc26
>   o ldapjdk-4.18-19.fc26
>
> Please provide Karma for the following builds:
>
> * Fedora 24:
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-059eb8aaee dogtag-pki-10.3.5-1.fc24
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-9f1baf574f dogtag-pki-theme-10.3.5-1.fc24
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-4d226a5f7e pki-core-10.3.5-1.fc24
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-dd16599bc7 pki-console-10.3.5-1.fc24
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-1835df9b39 ldapjdk-4.18-19.fc24
> * Fedora 25:
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-85261e13c5 dogtag-pki-10.3.5-1.fc25
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-3f0224b152 dogtag-pki-theme-10.3.5-1.fc25
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-0a384ead60 pki-core-10.3.5-1.fc25
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-849cbeecb1 pki-console-10.3.5-1.fc25
>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-3f6bc9b601 ldapjdk-4.18-19.fc25
>

On Fedora 24 I am unable to upgrade to these packages without manual intervention:

[root at vm freeipa]# dnf update --allowerasing --best
Last metadata expiration check: 2:08:29 ago on Wed Aug 10 16:38:24 2016.
Error: nothing provides resteasy-atom-provider >= 3.0.17-1 needed by pki-base-java-10.3.5-1.fc24.noarch.
package pki-tools-10.3.5-1.fc24.x86_64 requires pki-base-java = 10.3.5-1.fc24, but none of the providers can be installed.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by pki-base-java-10.3.5-1.fc24.noarch.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by pki-base-java-10.3.5-1.fc24.noarch.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by pki-base-java-10.3.5-1.fc24.noarch.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by pki-base-java-10.3.5-1.fc24.noarch
[root at vm freeipa]# rpm -q resteasy-atom-provider
resteasy-atom-provider-3.0.6-11.fc24.noarch

Am I doing something wrong, or does the new resteasy need to be added back to testing? (https://bodhi.fedoraproject.org/updates/FEDORA-2016-d80872c309)

Ben
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From cfu at redhat.com Wed Aug 10 23:17:37 2016
From: cfu at redhat.com (Christina Fu)
Date: Wed, 10 Aug 2016 16:17:37 -0700
Subject: [Pki-devel] Karma Requests for jss-4.2.6-42 on F24, F25 and rawhide
Message-ID: <842f1a95-ea0e-6765-c4b2-f9a55d4ce9a7@redhat.com>

The following candidate build of jss-4.2.6-41 on Fedora24 consists of the following:
http://koji.fedoraproject.org/koji/buildinfo?buildID=790383

Please provide Karma for this build in Bodhi located at:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-35dc802080

And for Fedora 25
http://koji.fedoraproject.org/koji/buildinfo?buildID=790431

Please provide Karma for this build in Bodhi located at:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-4036754389

Additionally, the following build has been provided for rawhide:
http://koji.fedoraproject.org/koji/buildinfo?buildID=790448

thanks,
Christina
From mharmsen at redhat.com Wed Aug 10 23:31:40 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 10 Aug 2016 17:31:40 -0600
Subject: [Pki-devel] [Freeipa-devel] Karma Requests for Dogtag 10.3.5-1 and ldapjdk
In-Reply-To: <45f190c0-04b8-a669-9baa-3ce9e7434e78@redhat.com>
References: <42de6a29-ce3d-9cc7-9e48-e5ba123e8491@redhat.com> <45f190c0-04b8-a669-9baa-3ce9e7434e78@redhat.com>
Message-ID: <3f482874-a623-671d-4dc1-0beb063ef362@redhat.com>

On 08/10/2016 10:59 AM, Ben Lipton wrote:
> On 08/10/2016 12:21 PM, Matthew Harmsen wrote:
>>
>> The following candidate builds of Dogtag 10.3.5 and ldapjdk on
>> Fedora 24, 25, and 26 (rawhide) consist of the following:
>>
>> * Fedora 24:
>>   o dogtag-pki-10.3.5-1.fc24
>>   o dogtag-pki-theme-10.3.5-1.fc24
>>   o pki-core-10.3.5-1.fc24
>>   o pki-console-10.3.5-1.fc24
>>   o ldapjdk-4.18-19.fc24
>> * Fedora 25:
>>   o dogtag-pki-10.3.5-1.fc25
>>   o dogtag-pki-theme-10.3.5-1.fc25
>>   o pki-core-10.3.5-1.fc25
>>   o pki-console-10.3.5-1.fc25
>>   o ldapjdk-4.18-19.fc25
>> * Fedora 26 (rawhide):
>>   o dogtag-pki-10.3.5-1.fc26
>>   o dogtag-pki-theme-10.3.5-1.fc26
>>   o pki-core-10.3.5-1.fc26
>>   o pki-console-10.3.5-1.fc26
>>   o ldapjdk-4.18-19.fc26
>>
>> Please provide Karma for the following builds:
>>
>> * Fedora 24:
>>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-059eb8aaee dogtag-pki-10.3.5-1.fc24
>>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-9f1baf574f dogtag-pki-theme-10.3.5-1.fc24
>>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-4d226a5f7e pki-core-10.3.5-1.fc24
>>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-dd16599bc7 pki-console-10.3.5-1.fc24
>>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-1835df9b39 ldapjdk-4.18-19.fc24
>> * Fedora 25:
>>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-85261e13c5 dogtag-pki-10.3.5-1.fc25
>>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-3f0224b152 dogtag-pki-theme-10.3.5-1.fc25
>>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-0a384ead60 pki-core-10.3.5-1.fc25
>>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-849cbeecb1 pki-console-10.3.5-1.fc25
>>   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-3f6bc9b601 ldapjdk-4.18-19.fc25
>>
>
> On Fedora 24 I am unable to upgrade to these packages without manual
> intervention:
>
> [root at vm freeipa]# dnf update --allowerasing --best
> Last metadata expiration check: 2:08:29 ago on Wed Aug 10 16:38:24 2016.
> Error: nothing provides resteasy-atom-provider >= 3.0.17-1 needed by
> pki-base-java-10.3.5-1.fc24.noarch.
> package pki-tools-10.3.5-1.fc24.x86_64 requires pki-base-java =
> 10.3.5-1.fc24, but none of the providers can be installed.
> nothing provides resteasy-atom-provider >= 3.0.17-1 needed by
> pki-base-java-10.3.5-1.fc24.noarch.
> nothing provides resteasy-atom-provider >= 3.0.17-1 needed by
> pki-base-java-10.3.5-1.fc24.noarch.
> nothing provides resteasy-atom-provider >= 3.0.17-1 needed by
> pki-base-java-10.3.5-1.fc24.noarch.
> nothing provides resteasy-atom-provider >= 3.0.17-1 needed by
> pki-base-java-10.3.5-1.fc24.noarch
> [root at vm freeipa]# rpm -q resteasy-atom-provider
> resteasy-atom-provider-3.0.6-11.fc24.noarch
>
> Am I doing something wrong, or does the new resteasy need to be added
> back to testing?
> (https://bodhi.fedoraproject.org/updates/FEDORA-2016-d80872c309)
>
> Ben

Ben,

No, the resteasy 3.0.17 builds received bad karma because they were utilized with an incompatible pki-core 10.3.3 as used by FreeIPA and the packages were thus obsoleted.

This build fixes that problem, but requires the version of resteasy 3.0.17 that was obsoleted.

We are going to inquire if resteasy 3.0.17 for Fedora 24 can be re-issued to bodhi.
If the change is going to be backed out permanently, it would require yet another re-spin of the pki-core bits.

Stay tuned,
-- Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From gkapoor at redhat.com Thu Aug 11 09:56:06 2016
From: gkapoor at redhat.com (Geetika Kapoor)
Date: Thu, 11 Aug 2016 15:26:06 +0530
Subject: [Pki-devel] [PATCH] To fix 1358462 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided
Message-ID: <57AC4BB6.50303@redhat.com>

Hi,

This patch fixes BZ 1358462 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided.
If we provide a wrong cert nickname it gives "Certificate Nickname subsystemCert cert-topology-02-CA doesn't exist", and if the cert nickname doesn't exist it won't show the number of entries present. Only if the cert nickname matches does it show how many entries exist.

Thanks
Geetika
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Patch-to-fix-BZ-1358462.patch
Type: text/x-patch
Size: 1833 bytes
Desc: not available
URL:
From gkapoor at redhat.com Thu Aug 11 10:21:41 2016
From: gkapoor at redhat.com (Geetika Kapoor)
Date: Thu, 11 Aug 2016 15:51:41 +0530
Subject: [Pki-devel] [PATCH] To fix 1358462 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided
In-Reply-To: <57AC4BB6.50303@redhat.com>
References: <57AC4BB6.50303@redhat.com>
Message-ID: <57AC51B5.6070304@redhat.com>

Here are the test results after doing the changes.

On 08/11/2016 03:26 PM, Geetika Kapoor wrote:
> Hi,
>
> This patch fixes BZ 1358462 - pki pkcs12-cert-del shows a successfully
> deleted message when a wrong nickname is provided.
> If we provide a wrong cert nickname it gives "Certificate Nickname
> subsystemCert cert-topology-02-CA doesn't exist", and if the cert
> nickname doesn't exist it won't show the number of entries present.
> Only if the cert nickname matches does it show how many entries exist.
>
> Thanks
> Geetika
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
Test Results:
-------------

[root at pki1 pki]# pki pkcs12-cert-find --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
---------------
3 entries found
---------------
  Certificate ID: 8f10550112e84d196c20368492579914900732bc
  Serial Number: 0x2
  Nickname: ocspSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA OCSP Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 3bb6074fa6efe3d0b0e785b0366ccaacc4ca75c8
  Serial Number: 0x1
  Nickname: caSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: 9bf832618b627f34ba17ed2664f5b50e4e0c9e7a
  Serial Number: 0x3
  Nickname: Server-Cert cert-topology-02-CA
  Subject DN: CN=pki1.example.com,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

[root at pki1 pki]# pki pkcs12-cert-del "subsystemCert cert-topology-02-CA" --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
Certificate Nickname subsystemCert cert-topology-02-CA doesn't exist

[root at pki1 pki]# pki pkcs12-cert-del "Server-Cert cert-topology-02-CA" --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
---------------
3 entries found
---------------
-----------------------------------------------------
Deleted certificate "Server-Cert cert-topology-02-CA"
-----------------------------------------------------

[root at pki1 pki]# pki pkcs12-cert-find --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
---------------
2 entries found
---------------
  Certificate ID: 8f10550112e84d196c20368492579914900732bc
  Serial Number: 0x2
  Nickname: ocspSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA OCSP Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 3bb6074fa6efe3d0b0e785b0366ccaacc4ca75c8
  Serial Number: 0x1
  Nickname: caSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: CTu,Cu,Cu
  Has Key: true

From edewata at redhat.com Fri Aug 12 00:51:12 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 11 Aug 2016 19:51:12 -0500
Subject: [Pki-devel] [PATCH] 814 Removed PKCS #7 from add user cert dialog in TPS UI.
Message-ID:

The dialog box for adding user certificate in TPS UI has been modified to no longer mention PKCS #7. The REST service itself still accepts PKCS #7, but it should be cleaned up in the future.

https://fedorahosted.org/pki/ticket/2437

Pushed to master (10.4) under one-liner/trivial rule.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0814-Removed-PKCS-7-from-add-user-cert-dialog-in-TPS-UI.patch
Type: text/x-patch
Size: 2071 bytes
Desc: not available
URL:
From edewata at redhat.com Fri Aug 12 01:04:35 2016
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 11 Aug 2016 20:04:35 -0500 Subject: [Pki-devel] [PATCH 0012] Added check for pki-server-nuxwdog parameter In-Reply-To: References: Message-ID: On 8/10/2016 1:31 AM, Abhijeet Kasurde wrote: > Hi All, > > Please review this patch. > > Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245 Hi Abhijeet, I added your patch to this ticket to make sure it's not forgotten: https://fedorahosted.org/pki/ticket/2436 Please note that bug #1353245 is already closed (and released). We're using bug #1366353 now which is linked to PKI ticket #2436. If you have more patches please attach it to this ticket. When any of the developers ACKs it the patch will be pushed to master (10.4) and possibly 10.3 branch as well. Thanks. -- Endi S. Dewata From edewata at redhat.com Fri Aug 12 01:25:03 2016 
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 11 Aug 2016 20:25:03 -0500
Subject: [Pki-devel] [PATCH] To fix 1358462 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided
In-Reply-To: <57AC4BB6.50303@redhat.com>
References: <57AC4BB6.50303@redhat.com>
Message-ID: <71922d6d-05d0-1139-719b-e8845c9368e7@redhat.com>

On 8/11/2016 4:56 AM, Geetika Kapoor wrote:
> Hi,
>
> This patch fixes BZ 1358462 - pki pkcs12-cert-del shows a successfully
> deleted message when a wrong nickname is provided.
> If we provide a wrong cert nickname it gives "Certificate Nickname
> subsystemCert cert-topology-02-CA doesn't exist", and if the cert
> nickname doesn't exist it won't show the number of entries present.
> Only if the cert nickname matches does it show how many entries exist.
>
> Thanks
> Geetika

Hi Geetika,

Similar to what I mentioned to Abhijeet, I added your patch to this ticket to make sure it's not forgotten:
https://fedorahosted.org/pki/ticket/2414

I looked at the patch briefly; I think instead of fixing it in PKCS12CertRemoveCLI, it probably should be fixed in PKCS12.removeCertInfoByNickname(). Basically, if the cert to be deleted doesn't exist the method should throw an exception. The CLI then should catch the exception and display the error. This way the error checking will be done consistently regardless of who calls the method.

If you're going to revise the patch please attach it to this ticket.

Thanks.

-- 
Endi S. Dewata
From gkapoor at redhat.com Fri Aug 12 03:20:40 2016
From: gkapoor at redhat.com (Geetika Kapoor)
Date: Thu, 11 Aug 2016 23:20:40 -0400 (EDT)
Subject: [Pki-devel] [PATCH] To fix 1358462 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided
In-Reply-To: <71922d6d-05d0-1139-719b-e8845c9368e7@redhat.com>
References: <57AC4BB6.50303@redhat.com> <71922d6d-05d0-1139-719b-e8845c9368e7@redhat.com>
Message-ID: <1747519168.30894503.1470972040967.JavaMail.zimbra@redhat.com>

Yes Endi, you're right. The fix should be more generic. I will fix it in the core method and will send it for review.

Thanks
Geetika

----- Original Message -----
From: Endi Sukma Dewata To: Geetika Kapoor , pki-devel at redhat.com Sent: Thu, 11 Aug 2016 21:25:03 -0400 (EDT) Subject: Re: [Pki-devel] [PATCH] To fix 1358462 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided On 8/11/2016 4:56 AM, Geetika Kapoor wrote: > Hi, > > This patch fix BZ 1358462 - pki pkcs12-cert-del shows a successfully > deleted message when a wrong nickname is provided. > If we provide wrong cert nickname it gives "Certificate Nickname > subsystemCert cert-topology-02-CA doesn't exist" and also if cert > nickname doesn't exist it won't share the number of entries present. > If cert nickname match then only it shows how many entries exist. > > Thanks > Geetika Hi Geetika, Similar to what I mentioned to Abhijeet, I added your patch to this ticket to make sure it's not forgotten: https://fedorahosted.org/pki/ticket/2414 I looked at the patch briefly, I think instead of fixing it in PKCS12CertRemoveCLI, it probably should be fixed in the PKCS12.removeCertInfoByNickname(). Basically if the cert to be deleted doesn't exist the method should throw an exception. The CLI then should catch the exception and display the error. This way the error checking will be done consistently regardless who calls the method. If you're going to revise the patch please attach it to this ticket. Thanks. -- Endi S. Dewata From akasurde at redhat.com Fri Aug 12 04:04:24 2016 
From: akasurde at redhat.com (Abhijeet Kasurde) Date: Fri, 12 Aug 2016 09:34:24 +0530 Subject: [Pki-devel] [PATCH 0012] Added check for pki-server-nuxwdog parameter In-Reply-To: References: Message-ID: Yes, Endi. I will make sure to mention below PKI ticket in future. Thanks for your comments. On 08/12/2016 06:34 AM, Endi Sukma Dewata wrote: > On 8/10/2016 1:31 AM, Abhijeet Kasurde wrote: >> Hi All, >> >> Please review this patch. >> >> Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245 > > Hi Abhijeet, > > I added your patch to this ticket to make sure it's not forgotten: > https://fedorahosted.org/pki/ticket/2436 > > Please note that bug #1353245 is already closed (and released). We're > using bug #1366353 now which is linked to PKI ticket #2436. > > If you have more patches please attach it to this ticket. When any of > the developers ACKs it the patch will be pushed to master (10.4) and > possibly 10.3 branch as well. > > Thanks. > -- Thanks, Abhijeet Kasurde IRC: akasurde http://akasurde.github.io From gkapoor at redhat.com Fri Aug 12 11:24:46 2016 From: gkapoor at redhat.com (Geetika Kapoor) Date: Fri, 12 Aug 2016 16:54:46 +0530 Subject: [Pki-devel] [PATCH] To fix 1358462 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided In-Reply-To: <1747519168.30894503.1470972040967.JavaMail.zimbra@redhat.com> References: <57AC4BB6.50303@redhat.com> <71922d6d-05d0-1139-719b-e8845c9368e7@redhat.com> <1747519168.30894503.1470972040967.JavaMail.zimbra@redhat.com> Message-ID: <57ADB1FE.5010707@redhat.com> Hello Endi , Here is the fix with test cases that i tested. Thanks Geetika On 08/12/2016 08:50 AM, Geetika Kapoor wrote: > Yes Endi your right .. Fix should be more generic .. I will fix it in core method and will send for review. > > Thanks > Geetika > ----- Original Message ----- 
> From: Endi Sukma Dewata > To: Geetika Kapoor , pki-devel at redhat.com > Sent: Thu, 11 Aug 2016 21:25:03 -0400 (EDT) > Subject: Re: [Pki-devel] [PATCH] To fix 1358462 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided > > On 8/11/2016 4:56 AM, Geetika Kapoor wrote: >> Hi, >> >> This patch fix BZ 1358462 - pki pkcs12-cert-del shows a successfully >> deleted message when a wrong nickname is provided. >> If we provide wrong cert nickname it gives "Certificate Nickname >> subsystemCert cert-topology-02-CA doesn't exist" and also if cert >> nickname doesn't exist it won't share the number of entries present. >> If cert nickname match then only it shows how many entries exist. >> >> Thanks >> Geetika > Hi Geetika, > > Similar to what I mentioned to Abhijeet, I added your patch to this > ticket to make sure it's not forgotten: > https://fedorahosted.org/pki/ticket/2414 > > I looked at the patch briefly, I think instead of fixing it in > PKCS12CertRemoveCLI, it probably should be fixed in the > PKCS12.removeCertInfoByNickname(). Basically if the cert to be deleted > doesn't exist the method should throw an exception. The CLI then should > catch the exception and display the error. This way the error checking > will be done consistently regardless who calls the method. > > If you're going to revise the patch please attach it to this ticket. > > Thanks. > -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-for-BZ-1358462.patch Type: text/x-patch Size: 1463 bytes Desc: not available URL: -------------- next part -------------- Test cases: ---------- 1. Find the certs. 
[root at pki1 ~]# pki pkcs12-cert-find --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
---------------
5 entries found
---------------
  Certificate ID: 8f10550112e84d196c20368492579914900732bc
  Serial Number: 0x2
  Nickname: ocspSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA OCSP Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 3bb6074fa6efe3d0b0e785b0366ccaacc4ca75c8
  Serial Number: 0x1
  Nickname: caSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: 1f32ec27dbb05aa0a305011d0114513b7fd17c6b
  Serial Number: 0x4
  Nickname: subsystemCert cert-topology-02-CA
  Subject DN: CN=Subsystem Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 9bf832618b627f34ba17ed2664f5b50e4e0c9e7a
  Serial Number: 0x3
  Nickname: Server-Cert cert-topology-02-CA
  Subject DN: CN=pki1.example.com,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 2d0929b8e6e827b1f7fdf37f915b5a5b0662d42b
  Serial Number: 0x5
  Nickname: auditSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA Audit Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,Pu
  Has Key: true

2. Try to remove a cert which doesn't exist.

[root at pki1 ~]# pki pkcs12-cert-del "test" --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
Warning : Certificate Nickname test doesn't exist

3. Make sure all 5 entries exist.

[root at pki1 ~]# pki pkcs12-cert-find --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
---------------
5 entries found
---------------
  Certificate ID: 8f10550112e84d196c20368492579914900732bc
  Serial Number: 0x2
  Nickname: ocspSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA OCSP Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 3bb6074fa6efe3d0b0e785b0366ccaacc4ca75c8
  Serial Number: 0x1
  Nickname: caSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: 1f32ec27dbb05aa0a305011d0114513b7fd17c6b
  Serial Number: 0x4
  Nickname: subsystemCert cert-topology-02-CA
  Subject DN: CN=Subsystem Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 9bf832618b627f34ba17ed2664f5b50e4e0c9e7a
  Serial Number: 0x3
  Nickname: Server-Cert cert-topology-02-CA
  Subject DN: CN=pki1.example.com,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 2d0929b8e6e827b1f7fdf37f915b5a5b0662d42b
  Serial Number: 0x5
  Nickname: auditSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA Audit Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,Pu

4. Remove a valid cert and make sure now 4 entries left.

[root at pki1 ~]# pki pkcs12-cert-del "auditSigningCert cert-topology-02-CA CA" --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
-------------------------------------------------------------
Deleted certificate "auditSigningCert cert-topology-02-CA CA"
-------------------------------------------------------------

5. Now check number of certs again. Make sure only one deleted.

[root at pki1 ~]# pki pkcs12-cert-find --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
---------------
4 entries found
---------------
  Certificate ID: 8f10550112e84d196c20368492579914900732bc
  Serial Number: 0x2
  Nickname: ocspSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA OCSP Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 3bb6074fa6efe3d0b0e785b0366ccaacc4ca75c8
  Serial Number: 0x1
  Nickname: caSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: 1f32ec27dbb05aa0a305011d0114513b7fd17c6b
  Serial Number: 0x4
  Nickname: subsystemCert cert-topology-02-CA
  Subject DN: CN=Subsystem Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 9bf832618b627f34ba17ed2664f5b50e4e0c9e7a
  Serial Number: 0x3
  Nickname: Server-Cert cert-topology-02-CA
  Subject DN: CN=pki1.example.com,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

6. Try to remove an empty cert.

[root at pki1 ~]# pki pkcs12-cert-del --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
Error: Missing certificate nickname.
usage: pkcs12-cert-del [OPTIONS...]
    --debug                   Run in debug mode.
    --help                    Show help options
    --pkcs12-file             PKCS #12 file
    --pkcs12-password         PKCS #12 password
    --pkcs12-password-file    PKCS #12 password file
 -v,--verbose                 Run in verbose mode.

From edewata at redhat.com Fri Aug 12 16:34:49 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 12 Aug 2016 11:34:49 -0500
Subject: [Pki-devel] [PATCH] 815 Added cert validation error message in selftest log.
Message-ID: <1dfbe9ff-5179-1253-5e9c-9392826b8a4b@redhat.com>

To help troubleshooting, the selftest log has been modified to include the cert validation error message returned by JSS.

https://fedorahosted.org/pki/ticket/2436

Pushed to master (10.4) under one-liner/trivial rule.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0815-Added-cert-validation-error-message-in-selftest-log.patch
Type: text/x-patch
Size: 2531 bytes
Desc: not available
URL:
From mharmsen at redhat.com Fri Aug 12 17:11:15 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 12 Aug 2016 11:11:15 -0600
Subject: [Pki-devel] Updated External EPEL CentOS 7 COPR builds are now available . . .
Message-ID: <9ae13aa7-d518-ad26-e1e8-f384a45076e0@redhat.com>

An updated external EPEL CentOS 7 COPR repo is now available which contains the latest Dogtag 10.3.3-5, tomcatjss, and jss builds:

* https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo

[group_pki-10.3.3]
name=Copr repo for 10.3.3 owned by @pki
baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/pubkey.gpg
enabled=1
enabled_metadata=1

-- Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From edewata at redhat.com Fri Aug 12 21:25:22 2016
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 12 Aug 2016 16:25:22 -0500 Subject: [Pki-devel] [PATCH] 816 Added exception wrapper for invalid LDAP attribute syntax. Message-ID: <6e56f85a-da48-f664-b517-c46034409a0f@redhat.com> The LDAPExceptionConverter has been modified to wrap LDAPException for invalid attribute syntax with BadRequestException. https://fedorahosted.org/pki/ticket/833 Pushed to master (10.4) under one-liner/trivial rule. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0816-Added-exception-wrapper-for-invalid-LDAP-attribute-s.patch Type: text/x-patch Size: 1909 bytes Desc: not available URL: From edewata at redhat.com Mon Aug 15 22:56:19 2016 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 15 Aug 2016 17:56:19 -0500 Subject: [Pki-devel] [PATCH] 817 Removed misleading log in SelfTestSubsystem. Message-ID: To avoid confusion, the isSelfTestCriticalAtStartup() and isSelfTestCriticalOnDemand() in SelfTestSubsystem have been modified to no longer log an error message if the selftest being checked does not exist in the corresponding property in CS.cfg. https://fedorahosted.org/pki/ticket/2432 Pushed to master (10.4) under one-liner/trivial rule. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0817-Removed-misleading-log-in-SelfTestSubsystem.patch Type: text/x-patch Size: 2012 bytes Desc: not available URL: From edewata at redhat.com Mon Aug 15 23:50:47 2016 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 15 Aug 2016 18:50:47 -0500 Subject: [Pki-devel] [PATCH] 818 Fixed SelfTestService.findSelfTests(). Message-ID: <72c232aa-0dac-33ce-aa75-b7232f06d422@redhat.com> The SelfTestService.findSelfTests() has been modified to return all selftests defined in the CS.cfg. https://fedorahosted.org/pki/ticket/2432 Pushed to master (10.4) under one-liner/trivial rule. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0818-Fixed-SelfTestService.findSelfTests.patch Type: text/x-patch Size: 3106 bytes Desc: not available URL: From jmagne at redhat.com Wed Aug 17 00:15:49 2016 
From: jmagne at redhat.com (John Magne)
Date: Tue, 16 Aug 2016 20:15:49 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0080-Authentication-Instance-Id-PinDirEnrollment-with-aut.patch
In-Reply-To: <1283689641.3340653.1471392877887.JavaMail.zimbra@redhat.com>
Message-ID: <1360037866.3340718.1471392949302.JavaMail.zimbra@redhat.com>

[PATCH] Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working.

Ticket #1578

The fixing of this problem required the following:

1. Hook up a Java callback that is designed to allow the selection of a candidate client auth cert to be sent to Ldap in the LdapSSLSocket factory object. Previously we simply manually set the desired client auth cert nickname, which is provided by the console interface when configuring the "removePin" portion of the UidPinDir Authentication method. Doing it this way has the benefit of giving us some logging to show when the actual client auth cert is being requested by the server. We get to see the list of candidate certs and when we match one of those with the requested cert name, established by the console. This client auth problem applies ONLY to the connection pool that is used to remove the pin attribute from an external authentication directory.

2. Previously the code, when setting up client auth for "removePin", would make one single call to create the SSL socket to connect to ldap over client auth. Now, based on some code I saw in the JSS test suite, the socket is constructed in two steps. Doing this causes things to work. Further investigation down the line could figure out what is going on at the lower level.

3. Was able to test this to work with the reported problem directory server provided by QE.

Note: for pin removal to work, we must also make sure that the user we are authenticating as (through client auth) has the power to actually remove the pin attribute from various users.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0080-Authentication-Instance-Id-PinDirEnrollment-with-aut.patch Type: text/x-patch Size: 6142 bytes Desc: not available URL: From edewata at redhat.com Thu Aug 18 15:41:00 2016 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 18 Aug 2016 10:41:00 -0500 Subject: [Pki-devel] [PATCH] 819 Added debug messages for ConfigurationUtils.handleCerts(). Message-ID: To help troubleshooting some debug messages have been added into ConfigurationUtils.handleCerts(). https://fedorahosted.org/pki/ticket/2436 Pushed to master (10.4) under one-liner/trivial rule. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0819-Added-debug-messages-for-ConfigurationUtils.handleCe.patch Type: text/x-patch Size: 4573 bytes Desc: not available URL: From mharmsen at redhat.com Fri Aug 19 00:46:15 2016 
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 18 Aug 2016 18:46:15 -0600
Subject: [Pki-devel] [PATCH] CMCEnroll man page + (proposed) HEADER/FOOTER changes
Message-ID: <2d39dc9d-e5eb-bdab-c6e3-7d9ca7b9493c@redhat.com>

Please review the following patches which add a CMCEnroll man page AND propose code changes to the command line tools to allow them to use the preferred RFC 7468 HEADERS and TRAILERS (see https://www.rfc-editor.org/rfc/rfc7468.txt):

* PKI TRAC Ticket #690 - [MAN] pki-tools man pages
* PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements

The first patch contains all of the code changes, and the second patch simply contains the associated spec file change.

Attachments:
* 20160818-pki-tools-CMCEnroll-man-page-plus-HEADER-FOOTER-changes.patch (text/x-patch, 37558 bytes)
* 20160818-pki-tools-CMCEnroll-man-page-spec-file.patch (text/x-patch, 851 bytes)

From jmagne at redhat.com Fri Aug 19 02:21:05 2016
From: jmagne at redhat.com (John Magne)
Date: Thu, 18 Aug 2016 22:21:05 -0400 (EDT)
Subject: [Pki-devel] Jack PTO Starting Monday Aug 22
In-Reply-To: <1679210897.3899587.1471573101451.JavaMail.zimbra@redhat.com>
Message-ID: <1157589660.3900584.1471573265039.JavaMail.zimbra@redhat.com>

Returning Day after labor day. Will be easily reachable if needed by mobile the whole time.

From edewata at redhat.com Fri Aug 19 21:26:19 2016
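For the RFC 7468 header/trailer change that the CMCEnroll patch above proposes, here is a strict reader and writer for that textual encoding. This is an added illustration, not code from the patch or from the pki-tools sources: the conservative label character set, the PEMError class, the function names and the constructed five-byte DER value used for testing are all choices made for this example. The parser insists that the BEGIN and END labels agree (RFC 7468 allows parsers to be lenient here, but a CSR tool has no reason to be) and accepts the legacy "NEW CERTIFICATE REQUEST" label only when the caller opts in.

```python
import base64
import binascii
import re

# Added illustration of strict RFC 7468 parsing; not code from Dogtag or
# the pki-tools patch. The label charset is deliberately conservative.
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9][A-Z0-9 ]*)-----$")
_END = re.compile(r"^-----END ([A-Z0-9][A-Z0-9 ]*)-----$")

# RFC 7468 section 7 prefers this label for PKCS #10 requests and lets
# parsers treat the legacy "NEW CERTIFICATE REQUEST" label as equivalent.
CSR_LABEL = "CERTIFICATE REQUEST"
LEGACY_CSR_LABEL = "NEW CERTIFICATE REQUEST"


class PEMError(ValueError):
    """Raised when the text is not a well-formed RFC 7468 encoding."""


def parse_rfc7468(text, accepted_labels=None):
    """Return (label, der_bytes) for the first encoding found in ``text``.

    Text before the BEGIN line is ignored, as RFC 7468 permits. The END
    label must match the BEGIN label, the body must be valid base64, and
    when ``accepted_labels`` is given the label must be one of them.
    """
    label = None
    body = []
    for raw in text.splitlines():
        line = raw.strip()
        if label is None:
            m = _BEGIN.match(line)
            if m:
                label = m.group(1)
            continue
        m = _END.match(line)
        if m is None:
            if line:
                body.append(line)
            continue
        if m.group(1) != label:
            raise PEMError("END label %r does not match BEGIN label %r"
                           % (m.group(1), label))
        if accepted_labels is not None and label not in accepted_labels:
            raise PEMError("unexpected label %r" % label)
        try:
            # validate=True rejects characters outside the base64 alphabet
            der = base64.b64decode("".join(body), validate=True)
        except binascii.Error as e:
            raise PEMError("body is not valid base64: %s" % e)
        if not der:
            raise PEMError("empty body")
        return label, der
    if label is None:
        raise PEMError("no BEGIN line found")
    raise PEMError("BEGIN %r without matching END" % label)


def encode_rfc7468(label, der):
    """Wrap DER bytes in RFC 7468 form, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


def parse_csr_text(text):
    """Accept the preferred and the legacy CSR label; return the DER bytes."""
    return parse_rfc7468(text, accepted_labels=(CSR_LABEL, LEGACY_CSR_LABEL))[1]


if __name__ == "__main__":
    # Constructed DER value: SEQUENCE { INTEGER 5 }, not a real CSR.
    sample = b"\x30\x03\x02\x01\x05"
    pem = encode_rfc7468(CSR_LABEL, sample)
    print(pem)
    print(parse_csr_text("comment line before the encoding\n" + pem) == sample)
```

The writer always emits the preferred label, which is the direction the patch moves the tools in; the reader keeps the legacy label behind an explicit opt-in so that other labels (a certificate pasted where a request was expected, for instance) are rejected rather than decoded.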
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 19 Aug 2016 16:26:19 -0500
Subject: [Pki-devel] [PATCH] 820 Allowing optional CA signing CSR.
Message-ID: <049082f6-db0a-3c8b-65c3-5b0a3b6df0f4@redhat.com>

The CA signing CSR is already stored in the request record which will be imported as part of the migration process, so it's not necessary to export and reimport the CSR file again for migration.

To allow an optional CSR, the pki-server subsystem-cert-validate CLI has been modified to no longer check the CSR in CS.cfg. The ConfigurationUtils.loadCertRequest() has been modified to ignore the missing CSR in CS.cfg.

https://fedorahosted.org/pki/ticket/2440

--
Endi S. Dewata

Attachment: pki-edewata-0820-Allowing-optional-CA-signing-CSR.patch (text/x-patch, 2884 bytes)

From jmagne at redhat.com Fri Aug 19 21:31:09 2016
From: jmagne at redhat.com (John Magne)
Date: Fri, 19 Aug 2016 17:31:09 -0400 (EDT)
Subject: [Pki-devel] [PATCH] CMCEnroll man page + (proposed) HEADER/FOOTER changes
In-Reply-To: <2d39dc9d-e5eb-bdab-c6e3-7d9ca7b9493c@redhat.com>
References: <2d39dc9d-e5eb-bdab-c6e3-7d9ca7b9493c@redhat.com>
Message-ID: <1935692697.4109774.1471642269838.JavaMail.zimbra@redhat.com>

ACK with a couple of caveats to fix:

Comments:

SYNOPSIS
CMCEnroll -d -n -r -p

The -d entry might be a little misleading. I think just saying this is a directory with the NSS db containing the agent cert should clarify.

(4) Submit the signed certificate through the CA end-entities page:
(a) Open the end-entities page.

This one I think should be "Submit the signed certificate request" ....

That's it

----- Original Message -----
From: "Matthew Harmsen"
To: "pki-devel"
Sent: Thursday, August 18, 2016 5:46:15 PM
Subject: [Pki-devel] [PATCH] CMCEnroll man page + (proposed) HEADER/FOOTER changes

Please review the following patches which add a CMCEnroll man page AND propose code changes to the command line tools to allow them to use the preferred RFC 7468 HEADERS and TRAILERS (see https://www.rfc-editor.org/rfc/rfc7468.txt ):

* PKI TRAC Ticket #690 - [MAN] pki-tools man pages
* PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements

The first patch contains all of the code changes, and the second patch simply contains the associated spec file change.

_______________________________________________
Pki-devel mailing list
Pki-devel at redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

From jmagne at redhat.com Fri Aug 19 23:14:09 2016
From: jmagne at redhat.com (John Magne)
Date: Fri, 19 Aug 2016 19:14:09 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0080-Authentication-Instance-Id-PinDirEnrollment-with-aut.patch
In-Reply-To: <1360037866.3340718.1471392949302.JavaMail.zimbra@redhat.com>
References: <1360037866.3340718.1471392949302.JavaMail.zimbra@redhat.com>
Message-ID: <368773232.4116357.1471648449070.JavaMail.zimbra@redhat.com>

Verbal cond ACK from CFU:

Minor issue taken care of:

commit e5ef4374eae5219a8b5e9a216c1c2ed77fb3e709
Author: Jack Magne
Date: Tue Aug 16 16:58:49 2016 -0700

    Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working.

Pushed to master, closing ticket #1578

----- Original Message -----
> From: "John Magne"
> To: "pki-devel"
> Sent: Tuesday, August 16, 2016 5:15:49 PM
> Subject: [pki-devel][PATCH] 0080-Authentication-Instance-Id-PinDirEnrollment-with-aut.patch
>
> [PATCH] Authentication Instance Id PinDirEnrollment with authType
> value as SslclientAuth is not working.
>
> Ticket #1578
>
> The fixing of this problem required the following:
>
> 1. Hook up a java callback that is designed to allow the selection of a
> candidate client auth cert to be sent to Ldap in the LdapSSLSocket factory object.
>
> Previously we simply manually set the desired client auth cert nickname,
> which is provided by the console interface when configuring the "removePin"
> portion of the UidPinDir Authentication method.
>
> Doing it this way has the benefit of giving us some logging to show when the
> actual client auth cert is being requested by the server. We get to see the
> list of candidate certs and when we match one of those with the requested
> cert name, established by the console.
>
> This client auth problem applies ONLY to the connection pool that is used to
> remove the pin attribute from an external authentication directory.
>
> 2. Previously the code, when setting up client auth for "removePin", would
> make one single call to create the SSL socket to connect to ldap over client
> auth. Now, based on some code I saw in the JSS test suite, the socket is
> constructed in two steps. Doing this causes things to work. Further
> investigation down the line could figure out what is going on at the lower level.
>
> 3. Was able to test this to work with the reported problem directory server
> provided by QE. Note: for pin removal to work, we must also make sure that
> the user we are authenticating to (through client auth) has the power to
> actually remove the pin attribute from various users.
>

From edewata at redhat.com Mon Aug 22 18:47:38 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 22 Aug 2016 13:47:38 -0500
Subject: [Pki-devel] [PATCH] 820 Allowing optional CA signing CSR.
In-Reply-To: <049082f6-db0a-3c8b-65c3-5b0a3b6df0f4@redhat.com>
References: <049082f6-db0a-3c8b-65c3-5b0a3b6df0f4@redhat.com>
Message-ID: <67dea5d0-1dcf-3d2e-6201-6d7546af799d@redhat.com>

On 8/19/2016 4:26 PM, Endi Sukma Dewata wrote:
> The CA signing CSR is already stored in request record which will
> be imported as part of migration process, so it's not necessary to
> export and reimport the CSR file again for migration.
>
> To allow optional CSR, the pki-server subsystem-cert-validate
> CLI has been modified to no longer check the CSR in CS.cfg. The
> ConfigurationUtils.loadCertRequest() has been modified to ignore
> the missing CSR in CS.cfg.
>
> https://fedorahosted.org/pki/ticket/2440

ACKed by alee (thanks!). Pushed to master (10.4).

--
Endi S. Dewata

From edewata at redhat.com Mon Aug 22 19:44:29 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 22 Aug 2016 14:44:29 -0500
Subject: [Pki-devel] [PATCH] 821 Updated pki-server subsystem-cert-update CLI.
Message-ID:

The pki-server subsystem-cert-update CLI has been updated to use certutil to retrieve the certificate data from the proper token. It will also show a warning if the certificate request cannot be found.

The NSSDatabase constructor has been modified to normalize the name of the internal NSS token to None. If the token name is None, certutil will be executed without the -h option.

The NSSDatabase.get_cert() has been modified to prepend the token name to the certificate nickname.

https://fedorahosted.org/pki/ticket/2440

--
Endi S. Dewata

Attachment: pki-edewata-0821-Updated-pki-server-subsystem-cert-update-CLI.patch (text/x-patch, 5051 bytes)

From edewata at redhat.com Mon Aug 22 20:15:00 2016
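As an added illustration of the token handling the 821 message describes (this is not pki-server's own NSSDatabase code): every spelling of the NSS internal token is normalised to None, certutil receives -h only for an external token, and the nickname is prefixed with the token name when one applies. INTERNAL_TOKEN_NAMES, the function names, the token name NHSM6000 and the /tmp/example-nssdb path are assumptions made for the example.

```python
import subprocess

# Added illustration of the token handling described for pki-server
# subsystem-cert-update; not the project's NSSDatabase code. The set of
# spellings treated as the internal token is an assumption.
INTERNAL_TOKEN_NAMES = ("internal", "internal key storage token")


def normalize_token(token):
    """Return None for the NSS internal (software) token, else the name.

    certutil addresses the internal token when no -h option is given, so
    every spelling of it collapses to None; anything else is an HSM or
    other external token and is kept verbatim (whitespace trimmed).
    """
    if token is None:
        return None
    name = token.strip()
    if not name or name.lower() in INTERNAL_TOKEN_NAMES:
        return None
    return name


def full_nickname(token, nickname):
    """Prefix the nickname with the token name for an external token.

    certutil only finds a certificate held on an HSM when the nickname is
    written as '<token>:<nickname>'; the internal token takes the bare name.
    """
    token = normalize_token(token)
    return nickname if token is None else "%s:%s" % (token, nickname)


def certutil_get_cert_args(directory, token, nickname, password_file=None):
    """Build the argv for 'certutil -L -a' that exports one cert as PEM.

    -h is emitted only for an external token, matching the behaviour the
    message describes for a token name of None.
    """
    token = normalize_token(token)
    args = ["certutil", "-L", "-d", directory]
    if token is not None:
        args += ["-h", token]
    args += ["-n", full_nickname(token, nickname), "-a"]
    if password_file is not None:
        args += ["-f", password_file]
    return args


def get_cert_pem(directory, token, nickname, password_file=None):
    """Run certutil and return the PEM text, raising on a non-zero exit.

    Checking the exit status matters: an unknown nickname or token makes
    certutil fail, and that must not be mistaken for an empty certificate.
    """
    args = certutil_get_cert_args(directory, token, nickname, password_file)
    result = subprocess.run(args, capture_output=True, text=True)
    if result.returncode != 0:
        raise RuntimeError("certutil failed (%d): %s"
                           % (result.returncode, result.stderr.strip()))
    return result.stdout


if __name__ == "__main__":
    # Constructed example values; /tmp/example-nssdb is a placeholder path.
    print(certutil_get_cert_args("/tmp/example-nssdb",
                                 "Internal Key Storage Token", "ca_signing"))
    print(certutil_get_cert_args("/tmp/example-nssdb", "NHSM6000", "ca_signing"))
```

Keeping the argument construction separate from the subprocess call makes the -h and nickname logic testable without an NSS database, and the exit-status check is what turns a wrong token or nickname into a visible error instead of an empty export.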
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 22 Aug 2016 15:15:00 -0500
Subject: [Pki-devel] [PATCH] 821 Updated pki-server subsystem-cert-update CLI.
In-Reply-To:
References:
Message-ID: <8f94f4bd-b957-b4eb-e7a3-b1345ca95682@redhat.com>

On 8/22/2016 2:44 PM, Endi Sukma Dewata wrote:
> The pki-server subsystem-cert-update CLI has been updated to
> use certutil to retrieve the certificate data from the proper
> token. It will also show a warning if the certificate request
> cannot be found.
>
> The NSSDatabase constructor has been modified to normalize the
> name of internal NSS token to None. If the token name is None,
> the certutil will be executed without the -h option.
>
> The NSSDatabase.get_cert() has been modified to prepend the token
> name to the certificate nickname.
>
> https://fedorahosted.org/pki/ticket/2440

ACKed by alee (thanks!). Pushed to master (10.4).

--
Endi S. Dewata

From ftweedal at redhat.com Wed Aug 24 05:34:49 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 24 Aug 2016 15:34:49 +1000
Subject: [Pki-devel] [PATCH] 0130 Prevent deletion of host CA cert and key from NSSDB
Message-ID: <20160824053449.GG3877@dhcp-40-8.bne.redhat.com>

Hi,

Attached patch fixes https://fedorahosted.org/pki/ticket/2443.

Thanks,
Fraser

-------------- next part --------------
From e0a546113b65d57e4b00b495f4ef50616ad744c1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Wed, 24 Aug 2016 14:40:46 +1000 Subject: [PATCH] Prevent deletion of host CA cert and key from NSSDB If authorityMonitor observes the deletion of the host CA's authority entry, it will treat it the same as any other lightweight CA and delete the signing cert AND KEY from the NSSDB. Because the database is replicated, the change would be observed and deletion immediately effected on all running clones. Unless the main CA private key is backed up somewhere there is no way to recover from this. Although this scenario does not arise in normal operation, the impact is severe so add a check that prevents cert and key deletion for host authority. Fixes: https://fedorahosted.org/pki/ticket/2443 --- base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index a5397da0c0dcea654a15f16e5becc5c430a1bb29..6276100a079ff32757bf2de8540f6e6efa1d1cae 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -2991,6 +2991,13 @@ public class CertificateAuthority /** Delete keys and certs of this authority from NSSDB. */ private void deleteAuthorityNSSDB() throws ECAException { + if (isHostAuthority()) { + String msg = "Attempt to delete host authority signing key; not proceeding"; + log(ILogger.LL_WARN, msg); + CMS.debug(msg); + return; + } + CryptoManager cryptoManager; try { cryptoManager = CryptoManager.getInstance(); -- 2.5.5 From ftweedal at redhat.com Wed Aug 24 05:36:35 2016 
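Review bot: the new guard in deleteAuthorityNSSDB() returns silently, so the caller that reacted to the host authority's entry vanishing from the replicated directory carries on as if cleanup had succeeded, and the CA is left with its LDAP entry gone but its signing key present. Since the commit message says this state should never arise in normal operation, it deserves more than LL_WARN: log it at ILogger.LL_FAILURE (or emit an audit event) so an operator notices the inconsistency. A short comment pointing out that deleteAuthority() already rejects the host CA with CATypeException, and that this check exists for the authority-monitor path, would also save the next reader from wondering whether the two guards are redundant.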
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 24 Aug 2016 15:36:35 +1000 Subject: [Pki-devel] [PATCH] 0131..0132 Fix LWCA entryUSN handling Message-ID: <20160824053635.GH3877@dhcp-40-8.bne.redhat.com> The attached patches address a couple of issues related to handling entryUSN attribute when reading lightweight CA entries. https://fedorahosted.org/pki/ticket/2444 Thanks, Fraser -------------- next part -------------- From 5732d0f27b0f26a4125f91732659982609d75aab Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 23 Aug 2016 14:50:03 +1000 Subject: [PATCH 131/132] Accept LWCA entry with missing entryUSN if plugin enabled Currently we abort adding a lightweight CA if its entry does not have an 'entryUSN' attribute, and log a failure, even if the USN plugin is enabled. But if the plugin is enabled, it's fine to proceed. Update the authority monitor to check if the USN plugin is enabled and only log the failure if it is not. Clarify the log message accordingly. Part of: https://fedorahosted.org/pki/ticket/2444 --- .../src/com/netscape/ca/CertificateAuthority.java | 46 ++++++++++++++++++---- 1 file changed, 38 insertions(+), 8 deletions(-) diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index a5397da0c0dcea654a15f16e5becc5c430a1bb29..856317e1604d8d536af3320562da62a0dab544cb 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java 
@@ -677,6 +677,24 @@ public class CertificateAuthority } } + private boolean entryUSNPluginEnabled() { + try { + LDAPConnection conn = dbFactory.getConn(); + try { + LDAPSearchResults results = conn.search( + "cn=usn,cn=plugins,cn=config", LDAPConnection.SCOPE_BASE, + "(nsslapd-pluginEnabled=on)", null, false); + return results != null && results.hasMoreElements(); + } catch (LDAPException e) { + return false; + } finally { + dbFactory.returnConn(conn); + } + } catch (ELdapException e) { + return false; // oh well + } + } + private void initCRLPublisher() throws EBaseException { // instantiate CRL publisher if (!isHostAuthority()) { 
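Review bot: entryUSNPluginEnabled() collapses three different outcomes into `false`: the plugin really is disabled, the search threw LDAPException, and getConn() threw ELdapException (`return false; // oh well`). A transient directory error therefore makes readAuthority() skip a lightweight CA with a log message that blames a disabled USN plugin, and the same happens if the CA's bind identity cannot read cn=usn,cn=plugins,cn=config. Suggest logging both exceptions via CMS.debug and returning a tri-state (enabled / disabled / unknown) or rethrowing, so the caller can distinguish "not enabled" from "could not determine".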
@@ -3177,17 +3195,29 @@ public class CertificateAuthority AuthorityID aid = new AuthorityID((String) aidAttr.getStringValues().nextElement()); - LDAPAttribute entryUSN = entry.getAttribute("entryUSN"); - if (entryUSN == null) { - log(ILogger.LL_FAILURE, "Authority entry has no entryUSN. " + - "This is likely because the USN plugin is not enabled in the database"); - return; + Integer newEntryUSN = null; + LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN"); + if (entryUSNAttr == null) { + CMS.debug("readAuthority: no entryUSN"); + if (!entryUSNPluginEnabled()) { + CMS.debug("readAuthority: dirsrv USN plugin is not enabled; skipping entry"); + log(ILogger.LL_FAILURE, "Lightweight authority entry has no" + + " entryUSN attribute and USN plugin not enabled;" + + " skipping. Enable dirsrv USN plugin."); + return; + } else { + CMS.debug("readAuthority: dirsrv USN plugin is enabled; continuing"); + // entryUSN plugin is enabled, but no entryUSN attribute. We + // can proceed because future modifications will result in the + // entryUSN attribute being added. + } + } else { + newEntryUSN = new Integer(entryUSNAttr.getStringValueArray()[0]); + CMS.debug("readAuthority: new entryUSN = " + newEntryUSN); } - Integer newEntryUSN = new Integer(entryUSN.getStringValueArray()[0]); - CMS.debug("readAuthority: new entryUSN = " + newEntryUSN); Integer knownEntryUSN = entryUSNs.get(aid); - if (knownEntryUSN != null) { + if (newEntryUSN != null && knownEntryUSN != null) { CMS.debug("readAuthority: known entryUSN = " + knownEntryUSN); if (newEntryUSN <= knownEntryUSN) { CMS.debug("readAuthority: data is current"); -- 2.5.5 -------------- next part -------------- From 3e324c2f1b30fa0f110052ff083b5ac9b3ce759e Mon Sep 17 00:00:00 2001 
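Review bot: with the condition changed to `newEntryUSN != null && knownEntryUSN != null`, an entry that lacks entryUSN is always treated as new, so every notification reprocesses it and the "data is current" short-circuit never applies until the attribute appears; the `else` branch that holds only a comment should state that trade-off explicitly since the commit message is the only place it is explained. Separately, `new Integer(entryUSNAttr.getStringValueArray()[0])` throws NumberFormatException on a malformed value; entryUSN is server-maintained so that is unlikely, but a try/catch that logs and skips the entry would keep one bad value from propagating an unchecked exception out of readAuthority().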
From: Fraser Tweedale Date: Wed, 24 Aug 2016 14:10:55 +1000 Subject: [PATCH 132/132] Perform host authority check before entryUSN check When processing lightweight CAs, currently we perform the entryUSN check before the host authority check. If the entry does not have an entryUSN attribute, and if the DS USN plugin is not enabled, the entry gets skipped and we do not reach the host authority check. This causes the CA to believe that it has not seen the host authority entry, and results in additional entries being added. Move the host authority check before the entryUSN check to avoid this scenario. Fixes: https://fedorahosted.org/pki/ticket/2444 --- .../src/com/netscape/ca/CertificateAuthority.java | 41 +++++++++++----------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index 856317e1604d8d536af3320562da62a0dab544cb..020918bbb2f268aea83a242e24fe2f016a2375ec 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -3195,6 +3195,27 @@ public class CertificateAuthority AuthorityID aid = new AuthorityID((String) aidAttr.getStringValues().nextElement()); + X500Name dn = null; + try { + dn = new X500Name((String) dnAttr.getStringValues().nextElement()); + } catch (IOException e) { + CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN()); + } + + String desc = null; + LDAPAttribute descAttr = entry.getAttribute("description"); + if (descAttr != null) + desc = (String) descAttr.getStringValues().nextElement(); + + if (dn.equals(mName)) { + CMS.debug("Found host authority"); + foundHostAuthority = true; + this.authorityID = aid; + this.authorityDescription = desc; + caMap.put(aid, this); + return; + } + Integer newEntryUSN = null; LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN"); if (entryUSNAttr == null) { 
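Review bot: `dn` remains null when `new X500Name(...)` throws IOException, because the catch only logs, and `dn.equals(mName)` then throws NullPointerException. The block is moved rather than new, but since it is being touched anyway the null case should return right after the CMS.debug (or the comparison should be written as `mName.equals(dn)`); a malformed authority entry is also worth a log(ILogger.LL_FAILURE, ...) rather than just a debug line, given that the monitor now skips it silently.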
@@ -3225,26 +3246,6 @@ public class CertificateAuthority } } - X500Name dn = null; - try { - dn = new X500Name((String) dnAttr.getStringValues().nextElement()); - } catch (IOException e) { - CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN()); - } - - String desc = null; - LDAPAttribute descAttr = entry.getAttribute("description"); - if (descAttr != null) - desc = (String) descAttr.getStringValues().nextElement(); - - if (dn.equals(mName)) { - foundHostAuthority = true; - this.authorityID = aid; - this.authorityDescription = desc; - caMap.put(aid, this); - return; - } - @SuppressWarnings("unused") X500Name parentDN = null; if (parentDNAttr != null) { -- 2.5.5 From mharmsen at redhat.com Wed Aug 24 17:01:34 2016 
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 24 Aug 2016 11:01:34 -0600
Subject: [Pki-devel] Karma Requests for pki-core-10.3.5-3
Message-ID:

The following updated candidate builds of pki-core 10.3.5 on Fedora 24, 25, and 26 (rawhide) consist of the following:

* Fedora 24
  o pki-core-10.3.5-3.fc24
* Fedora 25
  o pki-core-10.3.5-3.fc25
* Fedora 26
  o pki-core-10.3.5-3.fc26

Additionally, the CentOS 7 COPR EPEL Builds of Dogtag 10.3.3 were also updated:

* https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo

[group_pki-10.3.3]
name=Copr repo for 10.3.3 owned by @pki
baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/pubkey.gpg
enabled=1
enabled_metadata=1

These builds address the following PKI tickets:

* PKI TRAC Ticket #690 - pki-tools man pages --- CMCEnroll
* PKI TRAC Ticket #833 - pki user-mod fullName="" gives an error message "PKIException: LDAP error (21): error result"
* PKI TRAC Ticket #2429 - [RFE] TPS UI: profile property needs to be added one by one can we add in bulk
* PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade.
* PKI TRAC Ticket #2432 - Kra-selftest behavior is not as expected
* PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
  o include JSS cert validation error message in selftest log
  o add debug messages to ConfigurationUtils.handleCerts()
  o apply RFC 7468 Headers/Trailers to PKI tools
* PKI TRAC Ticket #2437 - TPS UI: while adding certs for users from TPSUI pem format with/without header works while pkcs7 with header is not allowed
* PKI TRAC Ticket #2440 - Optional CA signing CSR for migration

Please provide Karma for the following builds:

* Fedora 24
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-4d226a5f7e pki-core-10.3.5-1.fc24 + resteasy-3.0.17-3.fc24
    + IMPORTANT: This combination build MUST be pushed first since pki-core-10.3.5-3.fc24 DEPENDS upon resteasy-3.0.17!!!
  o https://bodhi.fedoraproject.org/updates/pki-core-10.3.5-3.fc24 pki-core-10.3.5-3.fc24
* Fedora 25
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-456eb9f4b7 pki-core-10.3.5-3.fc25

From ftweedal at redhat.com Thu Aug 25 04:18:40 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 25 Aug 2016 14:18:40 +1000
Subject: [Pki-devel] [PATCH] 0133 Revoke lightweight CA certificate on deletion
Message-ID: <20160825041840.GL3877@dhcp-40-8.bne.redhat.com>

Hi team,

The attached patch implements cert revocation on LWCA deletion. The TODO for parametrising over revocation reason and invalid date is intentional - I just want to get the minimal viable solution into 10.3.x ASAP and we can look at what more is wanted/needed later.

Thanks,
Fraser

-------------- next part --------------
From cbbaf433c3b423271233ebf08d52fe95682b9e8f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Thu, 25 Aug 2016 12:55:14 +1000 Subject: [PATCH] Revoke lightweight CA certificate on deletion Fixes: https://fedorahosted.org/pki/ticket/1638 --- .../src/com/netscape/ca/CertificateAuthority.java | 39 +++++++++++++++++++++- .../dogtagpki/server/ca/rest/AuthorityService.java | 2 +- .../netscape/certsrv/ca/ICertificateAuthority.java | 2 +- 3 files changed, 40 insertions(+), 3 deletions(-) diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index a5397da0c0dcea654a15f16e5becc5c430a1bb29..ab48409d8c3d481b5dc2d0c00b97cc2487f49189 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -124,6 +124,7 @@ import com.netscape.certsrv.util.IStatsSubsystem; import com.netscape.cms.servlet.cert.CertEnrollmentRequestFactory; import com.netscape.cms.servlet.cert.EnrollmentProcessor; import com.netscape.cms.servlet.cert.RenewalProcessor; +import com.netscape.cms.servlet.cert.RevocationProcessor; import com.netscape.cms.servlet.processors.CAProcessor; import com.netscape.cmscore.base.ArgBlock; import com.netscape.cmscore.dbs.CRLRepository; @@ -178,6 +179,7 @@ import netscape.security.x509.CertificateChain; import netscape.security.x509.CertificateIssuerName; import netscape.security.x509.CertificateSubjectName; import netscape.security.x509.CertificateVersion; +import netscape.security.x509.RevocationReason; import netscape.security.x509.X500Name; import netscape.security.x509.X500Signer; import netscape.security.x509.X509CRLImpl; @@ -2964,7 +2966,8 @@ public class CertificateAuthority authorityKeyHosts.add(thisClone); } - public synchronized void deleteAuthority() throws EBaseException { + public synchronized void deleteAuthority(HttpServletRequest httpReq) + throws EBaseException { if (isHostAuthority()) throw new CATypeException("Cannot delete the host CA"); 
@@ -2984,10 +2987,44 @@ public class CertificateAuthority shutdown(); + revokeAuthority(httpReq); deleteAuthorityEntry(authorityID); deleteAuthorityNSSDB(); } + /** Revoke the authority's certificate + * + * TODO: revocation reason, invalidity date parameters + */ + private void revokeAuthority(HttpServletRequest httpReq) + throws EBaseException { + CMS.debug("revokeAuthority: checking serial " + authoritySerial); + ICertRecord certRecord = mCertRepot.readCertificateRecord(authoritySerial); + String curStatus = certRecord.getStatus(); + CMS.debug("revokeAuthority: current cert status: " + curStatus); + if (curStatus.equals(CertRecord.STATUS_REVOKED) + || curStatus.equals(CertRecord.STATUS_REVOKED_EXPIRED)) { + return; // already revoked + } + + CMS.debug("revokeAuthority: revoking cert"); + RevocationProcessor processor = new RevocationProcessor( + "CertificateAuthority.revokeAuthority", httpReq.getLocale()); + processor.setSerialNumber(new CertId(authoritySerial)); + processor.setRevocationReason(RevocationReason.UNSPECIFIED); + processor.setAuthority(this); + try { + processor.createCRLExtension(); + } catch (IOException e) { + throw new ECAException("Unable to create CRL extensions", e); + } + processor.addCertificateToRevoke(mCaCert); + processor.createRevocationRequest(); + processor.auditChangeRequest(ILogger.SUCCESS); + processor.processRevocationRequest(); + processor.auditChangeRequestProcessed(ILogger.SUCCESS); + } + /** Delete keys and certs of this authority from NSSDB. */ private void deleteAuthorityNSSDB() throws ECAException { diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java index 246a3f08c0919807fb39ff0b49d5e37ef30e992c..584ab6e59638beada6c89a1882a176b4743a861d 100644 --- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java +++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java 
@@ -329,7 +329,7 @@ public class AuthorityService extends PKIService implements AuthorityResource { Map auditParams = new LinkedHashMap<>(); try { - ca.deleteAuthority(); + ca.deleteAuthority(servletRequest); audit(ILogger.SUCCESS, OpDef.OP_DELETE, aidString, null); return createNoContentResponse(); } catch (CATypeException e) { diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java index 308bfba126cf56d4cccae59a9a1550e34b926f08..5218a4cb11773d7922630f2c203670d82a0c82c4 100644 --- a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java +++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java @@ -606,6 +606,6 @@ public interface ICertificateAuthority extends ISubsystem { /** * Delete this lightweight CA. */ - public void deleteAuthority() + public void deleteAuthority(HttpServletRequest httpReq) throws EBaseException; } -- 2.5.5 From edewata at redhat.com Thu Aug 25 14:52:38 2016 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 25 Aug 2016 09:52:38 -0500 Subject: [Pki-devel] [PATCH] 822-823 Added upgrade script to fix deployment descriptors. Message-ID: An upgrade script has been added to fix missing deployment descriptors or deployment descriptors that are pointing to non-existent or empty folders. The RPM spec has been modified to move the upgrade script into the correct folder for RHEL. https://fedorahosted.org/pki/ticket/2439 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0822-Added-upgrade-script-to-fix-deployment-descriptors.patch Type: text/x-patch Size: 5166 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0823-Updated-RPM-spec-for-RHEL.patch Type: text/x-patch Size: 1233 bytes Desc: not available URL: From alee at redhat.com Fri Aug 26 14:22:42 2016 
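Review bot: in deleteAuthority() the new revokeAuthority(httpReq) call runs after shutdown() and before deleteAuthorityEntry(), so if revocation throws (readCertificateRecord failing, the IOException from createCRLExtension() wrapped in ECAException, or processRevocationRequest()) the lightweight CA is left shut down yet still present in LDAP and the NSSDB, and the audit trail records a request that was never processed. Either revoke before shutdown() so a failed revocation leaves the CA usable, or catch and log so the deletion still completes; whichever is chosen should be stated in the javadoc. Two smaller points in revokeAuthority(): `certRecord` is dereferenced without a null check after mCertRepot.readCertificateRecord(authoritySerial), and RevocationReason.UNSPECIFIED is hard-coded where RFC 5280's cessationOfOperation describes a deleted CA more precisely; the TODO covers the latter, so a ticket reference in that comment would help the follow-up get tracked.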
From: alee at redhat.com (Ade Lee)
Date: Fri, 26 Aug 2016 10:22:42 -0400
Subject: [Pki-devel] [PATCH] 822-823 Added upgrade script to fix deployment descriptors.
In-Reply-To:
References:
Message-ID: <1472221362.6551.0.camel@redhat.com>

ACK

On Thu, 2016-08-25 at 09:52 -0500, Endi Sukma Dewata wrote:
> An upgrade script has been added to fix missing deployment
> descriptors or deployment descriptors that are pointing to
> non-existent or empty folders.
>
> The RPM spec has been modified to move the upgrade script into
> the correct folder for RHEL.
>
> https://fedorahosted.org/pki/ticket/2439
>

From edewata at redhat.com Fri Aug 26 15:25:01 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 26 Aug 2016 10:25:01 -0500
Subject: [Pki-devel] [PATCH] 822-823 Added upgrade script to fix deployment descriptors.
In-Reply-To: <1472221362.6551.0.camel@redhat.com>
References: <1472221362.6551.0.camel@redhat.com>
Message-ID: <7bfb9c17-1713-5626-007a-4dc76bf94780@redhat.com>

On 8/26/2016 9:22 AM, Ade Lee wrote:
> ACK

Thanks! Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Mon Aug 29 18:06:15 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Aug 2016 13:06:15 -0500
Subject: [Pki-devel] [PATCH] 824-825 Fixed default token name for system certificates.
Message-ID:

Previously when installing with an HSM the token name had to be specified for each system certificate in the pki__token parameters. The deployment tool has been modified such that by default it will use the token name specified in pki_token_name.

Previously issues with system certificates that happen during subsystem initialization were reported as a database initialization error. Database initialization actually does not depend on subsystem initialization, so to avoid confusion and to simplify the code the reInitSubsystem() in SystemConfigService is now invoked after initializeDatabase() is complete.

https://fedorahosted.org/pki/ticket/2423

--
Endi S. Dewata

Attachments:
* pki-edewata-0824-Moved-subsystem-initialization-after-database-initia.patch (text/x-patch, 1875 bytes)
* pki-edewata-0825-Fixed-default-token-name-for-system-certificates.patch (text/x-patch, 6837 bytes)

From edewata at redhat.com Mon Aug 29 20:51:06 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Aug 2016 15:51:06 -0500
Subject: [Pki-devel] [PATCH 0012] Added check for pki-server-nuxwdog parameter
In-Reply-To:
References:
Message-ID:

It's ACKed by alee (thanks!). Pushed to master.

--
Endi S. Dewata

On 8/11/2016 11:04 PM, Abhijeet Kasurde wrote:
> Yes, Endi. I will make sure to mention the below PKI ticket in future.
>
> Thanks for your comments.
>
>
> On 08/12/2016 06:34 AM, Endi Sukma Dewata wrote:
>> On 8/10/2016 1:31 AM, Abhijeet Kasurde wrote:
>>> Hi All,
>>>
>>> Please review this patch.
>>>
>>> Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245
>>
>> Hi Abhijeet,
>>
>> I added your patch to this ticket to make sure it's not forgotten:
>> https://fedorahosted.org/pki/ticket/2436
>>
>> Please note that bug #1353245 is already closed (and released). We're
>> using bug #1366353 now which is linked to PKI ticket #2436.
>>
>> If you have more patches please attach them to this ticket. When any of
>> the developers ACKs it the patch will be pushed to master (10.4) and
>> possibly the 10.3 branch as well.
>>
>> Thanks.
>>
>

From edewata at redhat.com Mon Aug 29 22:07:14 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Aug 2016 17:07:14 -0500
Subject: [Pki-devel] [PATCH] To fix 1358462 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided
In-Reply-To: <57ADB1FE.5010707@redhat.com>
References: <57AC4BB6.50303@redhat.com> <71922d6d-05d0-1139-719b-e8845c9368e7@redhat.com> <1747519168.30894503.1470972040967.JavaMail.zimbra@redhat.com> <57ADB1FE.5010707@redhat.com>

Hi,

I pushed the patch to master (10.4) with some changes. Instead of exiting to the system it throws an exception so that the application can decide what to do with the error. I also revised the exception message and fixed the formatting. Thanks!

--
Endi S. Dewata

On 8/12/2016 6:24 AM, Geetika Kapoor wrote:
> Hello Endi,
>
> Here is the fix with the test cases that I tested.
>
> Thanks
> Geetika
>
> On 08/12/2016 08:50 AM, Geetika Kapoor wrote:
>> Yes Endi, you're right. The fix should be more generic. I will fix it in the core method and send it for review.
>>
>> Thanks
>> Geetika
>> ----- Original Message -----
>> From: Endi Sukma Dewata
>> To: Geetika Kapoor, pki-devel at redhat.com
>> Sent: Thu, 11 Aug 2016 21:25:03 -0400 (EDT)
>> Subject: Re: [Pki-devel] [PATCH] To fix 1358462 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided
>>
>> On 8/11/2016 4:56 AM, Geetika Kapoor wrote:
>>> Hi,
>>>
>>> This patch fixes BZ 1358462 - pki pkcs12-cert-del shows a successfully
>>> deleted message when a wrong nickname is provided.
>>> If we provide a wrong cert nickname it gives "Certificate Nickname
>>> subsystemCert cert-topology-02-CA doesn't exist", and also if the cert
>>> nickname doesn't exist it won't share the number of entries present.
>>> Only if the cert nickname matches does it show how many entries exist.
>>>
>>> Thanks
>>> Geetika
>> Hi Geetika,
>>
>> Similar to what I mentioned to Abhijeet, I added your patch to this
>> ticket to make sure it's not forgotten:
>> https://fedorahosted.org/pki/ticket/2414
>>
>> I looked at the patch briefly. I think instead of fixing it in
>> PKCS12CertRemoveCLI, it probably should be fixed in
>> PKCS12.removeCertInfoByNickname(). Basically if the cert to be deleted
>> doesn't exist the method should throw an exception. The CLI then should
>> catch the exception and display the error. This way the error checking
>> will be done consistently regardless of who calls the method.
>>
>> If you're going to revise the patch please attach it to this ticket.
>>
>> Thanks.
>>
>

From edewata at redhat.com Mon Aug 29 22:12:58 2016
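The design point in the thread above (put the "nickname does not exist" check in the core removal method and let the CLI only report the exception, which is also how the pushed patch ended up behaving), shown as an added illustration. This is not Dogtag's own code: the Store class, CertInfo, NicknameNotFoundException and runCertDel are constructed stand-ins for PKCS12.removeCertInfoByNickname() and PKCS12CertRemoveCLI, and the nicknames are made-up sample values.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

// Added example, not Dogtag code: a minimal stand-in for a PKCS #12 cert
// store, contrasting a delete that silently "succeeds" on an unknown
// nickname with one that fails in the core method so every caller sees it.
public class PKCS12RemoveExample {

    // Constructed stand-in for a certificate entry; the real class is richer.
    static class CertInfo {
        final String nickname;
        CertInfo(String nickname) { this.nickname = nickname; }
    }

    // Thrown by the core method when nothing matches; the CLI (or any other
    // caller) decides how to report it instead of exiting the process.
    static class NicknameNotFoundException extends Exception {
        NicknameNotFoundException(String nickname) {
            super("Certificate nickname \"" + nickname + "\" does not exist in the PKCS #12 file.");
        }
    }

    static class Store {
        private final List<CertInfo> certInfos = new ArrayList<>();

        void add(String nickname) { certInfos.add(new CertInfo(nickname)); }
        int size() { return certInfos.size(); }

        // BEFORE: no feedback whether or not the nickname existed, so a CLI
        // built on top of it can only ever print "deleted".
        void removeCertInfoByNicknameSilently(String nickname) {
            certInfos.removeIf(ci -> ci.nickname.equals(nickname));
        }

        // AFTER: removes every entry carrying the nickname and reports how
        // many; zero matches is an error surfaced to whoever called us.
        int removeCertInfoByNickname(String nickname) throws NicknameNotFoundException {
            int removed = 0;
            for (Iterator<CertInfo> it = certInfos.iterator(); it.hasNext();) {
                if (it.next().nickname.equals(nickname)) {
                    it.remove();
                    removed++;
                }
            }
            if (removed == 0) {
                throw new NicknameNotFoundException(nickname);
            }
            return removed;
        }
    }

    // Stand-in for the CLI layer: it translates the exception into an error
    // message and a non-zero exit status and duplicates no existence check.
    static int runCertDel(Store store, String nickname) {
        try {
            int n = store.removeCertInfoByNickname(nickname);
            System.out.println("Deleted " + n + " entry/entries for \"" + nickname + "\"");
            return 0;
        } catch (NicknameNotFoundException e) {
            System.err.println("ERROR: " + e.getMessage());
            return 1;
        }
    }

    public static void main(String[] args) {
        Store store = new Store();
        // Constructed sample nicknames, not taken from any real instance.
        store.add("caSigningCert cert-example CA");
        store.add("subsystemCert cert-example");

        // Old behaviour: nothing removed, nothing reported, caller assumes success.
        store.removeCertInfoByNicknameSilently("no such cert");
        System.out.println("Silent variant left " + store.size() + " entries and reported nothing");

        // New behaviour: a wrong nickname is an error the caller can act on.
        int status = runCertDel(store, "no such cert");               // ERROR, status 1
        System.out.println("exit status " + status);
        status = runCertDel(store, "subsystemCert cert-example");      // Deleted 1, status 0
        System.out.println("exit status " + status + ", " + store.size() + " entries remain");
    }
}
```

The point of keeping the check inside the store method rather than in the CLI is that any other caller (a servlet, a migration script, a test) gets the same failure for free; a check added only in PKCS12CertRemoveCLI would have to be re-implemented by each of them.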
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Aug 2016 17:12:58 -0500
Subject: [Pki-devel] [PATCH] 824-825 Fixed default token name for system certificates.

On 8/29/2016 1:06 PM, Endi Sukma Dewata wrote:
> Previously when installing with HSM the token name had to be
> specified for each system certificate in the pki__token
> parameters. The deployment tool has been modified such that by
> default it will use the token name specified in pki_token_name.
>
> Previously issues with system certificates that happened during
> subsystem initialization were reported as a database initialization
> error. Database initialization actually does not depend on
> subsystem initialization, so to avoid confusion and to simplify the
> code the reInitSubsystem() in SystemConfigService is now invoked
> after the initializeDatabase() is complete.
>
> https://fedorahosted.org/pki/ticket/2423

Patch #825 was ACKed by alee (thanks!). Patch #824 was conditionally ACKed as well, but the test was incomplete due to what seems to be an unrelated DS error during IPA cloning. The patch seems to be working fine in a non-IPA environment, so I pushed both to master (10.4).

--
Endi S. Dewata

From mharmsen at redhat.com Wed Aug 31 00:29:01 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 30 Aug 2016 18:29:01 -0600
Subject: [Pki-devel] Karma Requests for pki-core-10.3.5-4

The following updated candidate builds of pki-core 10.3.5 on Fedora 24, 25, and 26 (rawhide) consist of the following:

  * Fedora 24
    o pki-core-10.3.5-4.fc24
  * Fedora 25
    o pki-core-10.3.5-4.fc25
  * Fedora 26
    o pki-core-10.3.5-4.fc26

Additionally, the CentOS 7 COPR EPEL Builds of Dogtag 10.3.3 were also updated:

  * https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo

    [group_pki-10.3.3]
    name=Copr repo for 10.3.3 owned by @pki
    baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/epel-7-$basearch/
    skip_if_unavailable=True
    gpgcheck=1
    gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/pubkey.gpg
    enabled=1
    enabled_metadata=1

These builds address the following PKI tickets:

  * PKI TRAC Ticket #1578 - Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working
  * PKI TRAC Ticket #2414 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided
  * PKI TRAC Ticket #2423 - pki_ca_signing_token when not specified does not fallback to pki_token_name value
  * PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
    o added check for pki-server-nuxwdog parameter
  * PKI TRAC Ticket #2439 - Outdated deployment descriptors in upgraded server

Please provide Karma for the following builds:

  * Fedora 24
    o https://bodhi.fedoraproject.org/updates/FEDORA-2016-36fa3fd8c3 pki-core-10.3.5-4.fc24
  * Fedora 25
    o https://bodhi.fedoraproject.org/updates/FEDORA-2016-abb1e5d2a6 pki-core-10.3.5-4.fc25

From edewata at redhat.com Wed Aug 31 14:30:39 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 31 Aug 2016 09:30:39 -0500
Subject: [Pki-devel] [PATCH] 826 Fixed debug log in UpdateNumberRange servlet.

To help with troubleshooting, the debug log in the UpdateNumberRange servlet has been modified to show the exception stack trace.

https://fedorahosted.org/pki/ticket/2436

Pushed to master (10.4) under one-liner/trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0826-Fixed-debug-log-in-UpdateNumberRange-servlet.patch
Type: text/x-patch
Size: 1429 bytes

From edewata at redhat.com Wed Aug 31 19:35:55 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 31 Aug 2016 14:35:55 -0500
Subject: [Pki-devel] [PATCH] 827 Added support to create system certificates in different tokens.
Message-ID: <9d73b560-17e9-6421-9b92-b54d80851173@redhat.com>

Previously all system certificates were always created in the same token specified in the pki_token_name parameter.

To allow creating system certificates in different tokens, the configuration.py has been modified to store the system certificate token names specified in pki__token parameters into the CS.cfg before the server is started.

After the server is started, the configuration servlet will read the token names from the CS.cfg and create the certificates in the appropriate token.

https://fedorahosted.org/pki/ticket/2449

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0827-Added-support-to-create-system-certificates-in-diffe.patch
Type: text/x-patch
Size: 11697 bytes

From cfu at redhat.com Wed Aug 31 21:09:39 2016
From: cfu at redhat.com (Christina Fu)
Date: Wed, 31 Aug 2016 14:09:39 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0151-Ticket-2446-pkispawn-make-subject_dn-defaults-unique.patch
Message-ID: <6d735caf-daa9-6337-43f1-bef456b07391@redhat.com>

Patch for https://fedorahosted.org/pki/ticket/2446 pkispawn: make subject_dn defaults unique per instance name (for shared HSM)

Please review.

thanks,

Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0151-Ticket-2446-pkispawn-make-subject_dn-defaults-unique.patch
Type: text/x-patch
Size: 8619 bytes

From edewata at redhat.com Wed Aug 31 22:29:41 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 31 Aug 2016 18:29:41 -0400 (EDT)
Subject: [Pki-devel] [PATCH] pki-cfu-0151-Ticket-2446-pkispawn-make-subject_dn-defaults-unique.patch
In-Reply-To: <6d735caf-daa9-6337-43f1-bef456b07391@redhat.com>
References: <6d735caf-daa9-6337-43f1-bef456b07391@redhat.com>
Message-ID: <1977213116.7332169.1472682581671.JavaMail.zimbra@redhat.com>

ACK.

--
Endi S. Dewata

----- Original Message -----
> Patch for https://fedorahosted.org/pki/ticket/2446 pkispawn: make
> subject_dn defaults unique per instance name (for shared HSM)
>
> Please review.
>
> thanks,
>
> Christina
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From cfu at redhat.com Wed Aug 31 23:12:53 2016
From: cfu at redhat.com (Christina Fu)
Date: Wed, 31 Aug 2016 16:12:53 -0700
Subject: [Pki-devel] [PATCH] 827 Added support to create system certificates in different tokens.
In-Reply-To: <9d73b560-17e9-6421-9b92-b54d80851173@redhat.com>
References: <9d73b560-17e9-6421-9b92-b54d80851173@redhat.com>
Message-ID: <93be7cad-3aa8-d858-1bbc-ac618219ea75@redhat.com>

I'm less familiar with the area, so I'm just going to ask a question. Where in the new code does it handle taking in passwords and logging into the extra token(s)?

thanks,

Christina

On 08/31/2016 12:35 PM, Endi Sukma Dewata wrote:
> Previously all system certificates were always created in the same
> token specified in the pki_token_name parameter.
>
> To allow creating system certificates in different tokens, the
> configuration.py has been modified to store the system certificate
> token names specified in pki__token parameters into the
> CS.cfg before the server is started.
>
> After the server is started, the configuration servlet will read
> the token names from the CS.cfg and create the certificates in the
> appropriate token.
>
> https://fedorahosted.org/pki/ticket/2449
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From cfu at redhat.com Wed Aug 31 23:59:40 2016
From: cfu at redhat.com (Christina Fu)
Date: Wed, 31 Aug 2016 16:59:40 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0151-Ticket-2446-pkispawn-make-subject_dn-defaults-unique.patch
In-Reply-To: <1977213116.7332169.1472682581671.JavaMail.zimbra@redhat.com>
References: <6d735caf-daa9-6337-43f1-bef456b07391@redhat.com> <1977213116.7332169.1472682581671.JavaMail.zimbra@redhat.com>

pushed to master:
commit 1195ee9d6e45783d238edc1799363c21590febce

thanks,

Christina

On 08/31/2016 03:29 PM, Endi Sukma Dewata wrote:
> ACK.
>
> --
> Endi S. Dewata
>
> ----- Original Message -----
>> Patch for https://fedorahosted.org/pki/ticket/2446 pkispawn: make
>> subject_dn defaults unique per instance name (for shared HSM)
>>
>> Please review.
>>
>> thanks,
>>
>> Christina
>>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel