[Pki-devel] [PATCH] pki-cfu-0133-Ticket-2298-exclude-some-ldap-record-attributes-with.patch

Christina Fu cfu at redhat.com
Fri Jun 17 00:41:40 UTC 2016


Thanks to Jack's sharp eye: I accidentally messed up the git with one 
new profile.  This new patch
1. fixes the git issue
2. changes the CS.cfg config names to not include "ca", as they apply to 
the KRA too
3. also, after discussing with Jack, we decided to change the default of 
excludedLdapAttrs.enabled to false.

thanks,
Christina

On 06/16/2016 03:50 PM, Christina Fu wrote:
> This is part 2 of:
> https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key 
> archival/recovery, not to record certain data in ldap and logs
>
> This patch allows one to exclude certain ldap attributes from the 
> enrollment records for crmf requests
> (both CRMF and CMC CRMF).  The following are the highlights:
> * CRMF Manual approval profile is disabled: caDualCert.cfg
>   - By default, if ca.excludedLDAPattrs.enabled is true, then this 
> profile will not work, as the crmf requests
>     are not written to the ldap record for agents to act on
> * ca.excludedLDAPattrs.attrs can be used to configure the attribute 
> list to be excluded
> * a new CRMF "auto approval" (directory based, needs to be setup) is 
> provided
> * By default, the following fields are no longer written to the ldap 
> record in case of CRMF:
> (note: the code deliberately uses literal strings, for the reason that 
> the exact literal strings need to be spelled out
> in ca.excludedLDAPattrs.attrs if the admin chooses to override the 
> default)
>            "req_x509info",
>            "publickey",
>            "req_extensions",
>            "cert_request",
>            "req_archive_options",
>            "req_key"
> * a sleepOneMinute() method is added for debugging purposes.  It is not 
> called in the final code, but is left there for future debugging purposes
> * code was fixed so that the KRA request will display the subject name 
> even though the x509info is missing from the request
> * cmc requests did not have the request type in their records, so it had 
> to be added for differentiation
>
> The following have been tested:
> * CRMF auto enroll
> * CRMF manual enroll/approval
> * CMC-CRMF enroll
> * both CA and KRA internal ldap were examined for correct data exclusion
>
> Note: a CRMF request could potentially not include a key archival option; 
> however, I am not going to differentiate them at the moment.  An earlier 
> prototype I had built attempted to do that, and the signing cert's 
> record isn't excluded for attrs write while its CRMF request is the 
> same as that of its encryption cert counterpart within the same 
> request.  Due to this factor (multiple cert reqs with the same request 
> blob), I am treating them the same for exclusion.
>
> thanks,
> Christina
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0137-Ticket-2298-exclude-some-ldap-record-attributes-with.patch
Type: text/x-patch
Size: 38629 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160616/4d7f68c1/attachment.bin>
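The attached patch is not reproduced on this page, so the following is an added illustration of the exclusion behaviour the thread describes, written for this edit and not taken from the Dogtag PKI code base. It models a CS.cfg-style key=value file, the enabled flag (`excludedLdapAttrs.enabled`, default false, as stated in the reply) and the six default attribute names quoted in the original post. The key name `excludedLdapAttrs.attrs` for the override list is an assumption based on the reply's note that the "ca" prefix was dropped; the request dictionaries and their values are constructed sample data, not real CRMF blobs. It also shows the caveat from the post: once `cert_request` is withheld from the LDAP record, a manual-approval (agent) workflow has nothing to act on, which is why the CRMF manual-approval profile is disabled when exclusion is on.

```python
"""Model of CRMF LDAP-attribute exclusion as described in the pki-devel thread.

Added example for illustration only; not Dogtag PKI code. Config key names
other than excludedLdapAttrs.enabled are assumptions (see lead-in).
"""
from typing import Dict, List

# Default exclusion list quoted verbatim in the original post. The post
# stresses that these are literal strings because an admin overriding the
# default must spell out exactly these names in the config.
DEFAULT_EXCLUDED_ATTRS: List[str] = [
    "req_x509info",
    "publickey",
    "req_extensions",
    "cert_request",
    "req_archive_options",
    "req_key",
]

# Request types that carry a CRMF blob. The post notes that CMC requests
# previously had no request type recorded, so the type is what lets the
# writer tell plain CRMF and CMC-wrapped CRMF apart from, say, PKCS#10.
CRMF_REQUEST_TYPES = {"crmf", "cmc-crmf"}


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse a minimal CS.cfg-style file: one key=value per line, '#' comments."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def excluded_attrs(cfg: Dict[str, str]) -> List[str]:
    """Attributes to withhold from the LDAP record under this config.

    Disabled (the default) means nothing is withheld. When enabled, an
    empty/missing override list falls back to the post's default list;
    otherwise the comma-separated override is used as written.
    """
    if cfg.get("excludedLdapAttrs.enabled", "false").lower() != "true":
        return []
    override = cfg.get("excludedLdapAttrs.attrs", "")  # assumed key name
    if not override.strip():
        return list(DEFAULT_EXCLUDED_ATTRS)
    return [a.strip() for a in override.split(",") if a.strip()]


def ldap_record(request: Dict[str, str], cfg: Dict[str, str]) -> Dict[str, str]:
    """Return the attributes that would be written to the internal LDAP record.

    Only CRMF-carrying requests are filtered; other request types are written
    unchanged. Because both certs of a dual-cert request share one CRMF blob,
    the post treats every CRMF request the same rather than checking for an
    archival option, and so does this model.
    """
    rtype = request.get("request_type", "").lower()
    if rtype not in CRMF_REQUEST_TYPES:
        return dict(request)
    drop = set(excluded_attrs(cfg))
    return {k: v for k, v in request.items() if k not in drop}


def agent_can_act(record: Dict[str, str]) -> bool:
    """Manual approval needs the request blob in LDAP; without it the agent
    queue has nothing to review, which is the failure mode the post describes."""
    return "cert_request" in record


# Constructed sample data (placeholder strings, not real CRMF/DER content).
CRMF_REQUEST = {
    "request_type": "crmf",
    "requestor_name": "alice",
    "subject": "CN=alice",
    "cert_request": "<crmf blob>",
    "req_x509info": "<x509info>",
    "publickey": "<spki>",
    "req_extensions": "<exts>",
    "req_archive_options": "<archive opts>",
    "req_key": "<wrapped key>",
}
PKCS10_REQUEST = {
    "request_type": "pkcs10",
    "subject": "CN=bob",
    "cert_request": "<pkcs10 blob>",
    "publickey": "<spki>",
}
ENABLED_CFG = "excludedLdapAttrs.enabled=true\n"


if __name__ == "__main__":
    cfg = parse_cs_cfg(ENABLED_CFG)
    rec = ldap_record(CRMF_REQUEST, cfg)
    print("written attrs:", sorted(rec))
    print("agent can act on CRMF request:", agent_can_act(rec))
```

With the default configuration the record is written unchanged; with exclusion enabled the CRMF record keeps only `request_type`, `requestor_name` and `subject`, a PKCS#10 record is untouched, and an override list such as `req_key, req_archive_options` withholds only those two, leaving `cert_request` in place so manual approval still works.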