[Pki-devel] [PATCH] pki-cfu-0133-Ticket-2298-exclude-some-ldap-record-attributes-with.patch

Christina Fu cfu at redhat.com
Fri Jun 17 01:32:52 UTC 2016


Received verbal ACK from Jack.

Pushed to master:
commit 51f34c3edb73a78b42468b756b89d07fc9ec7839

thanks,
Christina

On 06/16/2016 05:41 PM, Christina Fu wrote:
> Thanks to Jack's sharp eye, I accidentally messed up the git with one 
> new profile.  This new patch
> 1. fixed the git issue
> 2. changed the CS.cfg config names to not include "ca" as they apply to 
> kra too
> 3. Also, after discussing with Jack, we decided to change the default 
> of excludedLdapAttrs.enabled to false.
>
> thanks,
> Christina
>
> On 06/16/2016 03:50 PM, Christina Fu wrote:
>> This is part 2 of:
>> https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key 
>> archival/recovery, not to record certain data in ldap and logs
>>
>> This patch allows one to exclude certain ldap attributes from the 
>> enrollment records for crmf requests
>> (both CRMF, and CMC CRMF).  The following are the highlights:
>> * CRMF Manual approval profile is disabled: caDualCert.cfg
>>   - By default, if ca.excludedLDAPattrs.enabled is true, then this 
>> profile will not work, as the crmf requests
>>     are not written to ldap record for agents to act on
>> * ca.excludedLDAPattrs.attrs can be used to configure the attribute 
>> list to be excluded
>> * a new CRMF "auto approval" (directory based, needs to be setup) is 
>> provided
>> * By default, the following fields are no longer written to the ldap 
>> record in case of CRMF:
>> (note: the code deliberately uses literal strings on purpose for the 
>> reason that the exact literal strings need to be spelled out
>> in ca.excludedLDAPattrs.attrs if the admin chooses to override the 
>> default)
>>   "req_x509info",
>>   "publickey",
>>   "req_extensions",
>>   "cert_request",
>>   "req_archive_options",
>>   "req_key"
>> * a sleepOneMinute() method is added for debugging purposes.  It is 
>> not called in the final code, but is left there for future debugging 
>> purposes
>> * code was fixed so that in KRA the request will display the subject 
>> name even though the x509info is missing from the request
>> * cmc requests did not have a request type in records, so it had to 
>> be added for differentiation
>>
>> The following have been tested:
>> * CRMF auto enroll
>> * CRMF manual enroll/approval
>> * CMC-CRMF enroll
>> * both CA and KRA internal ldap are examined for correct data exclusion
>>
>> Note: CRMF could potentially not include the key archival option; 
>> however, I am not going to differentiate them at the moment.  An 
>> earlier prototype I had built attempted to do that, and the signing 
>> cert's record isn't excluded from the attrs write while its CRMF request 
>> is the same as that of its encryption cert counterpart within the 
>> same request.  Due to this factor (multiple cert reqs with the same 
>> request blob), I am treating them the same for exclusion.
>>
>> thanks,
>> Christina
>>
>>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
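The exclusion behaviour described in the quoted patch announcement, as an added example that is not part of the pki project's code: a small model of the excludedLdapAttrs switch applied to a request record before it is written. It uses the final config key names from the thread (no "ca." prefix), the default attribute list quoted above, and assumes the request-type strings and the sample record, which are constructed here.

```python
# Added example, not Dogtag PKI code: models the excludedLdapAttrs
# filter from the patch announcement. Config keys follow the thread's
# final names; request-type strings and the record are assumptions.

# Default exclusion list quoted in the announcement.
DEFAULT_EXCLUDED_ATTRS = (
    "req_x509info", "publickey", "req_extensions",
    "cert_request", "req_archive_options", "req_key",
)

# Request types the exclusion applies to (CRMF and CMC CRMF); the
# exact type strings are an assumption for this example.
CRMF_REQUEST_TYPES = {"crmf", "cmc-crmf"}


def parse_cs_cfg(text):
    """Parse CS.cfg-style 'key=value' lines into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def excluded_attrs(cfg):
    """Attrs to withhold from the LDAP record; empty when disabled.
    Default is disabled (enabled=false), as decided in the thread."""
    if cfg.get("excludedLdapAttrs.enabled", "false").lower() != "true":
        return set()
    raw = cfg.get("excludedLdapAttrs.attrs", "")
    if not raw.strip():
        return set(DEFAULT_EXCLUDED_ATTRS)
    # Admin override: literal names, comma separated, spelled out exactly.
    return {a.strip() for a in raw.split(",") if a.strip()}


def record_for_ldap(cfg, request_type, request_attrs):
    """Build the attrs that would be written to the LDAP request record.
    Only CRMF-style requests are filtered; other types are written in
    full. The request type is always recorded so CMC requests are
    distinguishable, as the announcement notes."""
    excluded = excluded_attrs(cfg) if request_type in CRMF_REQUEST_TYPES else set()
    out = {k: v for k, v in request_attrs.items() if k not in excluded}
    out["req_type"] = request_type
    return out
```

With the default configuration the key material and archive options stay in the record, which is why the announcement notes that the CRMF manual-approval profile only stops working once the switch is enabled.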
