[Pki-devel] [PATCH] pki-cfu-0133-Ticket-2298-exclude-some-ldap-record-attributes-with.patch
Christina Fu
cfu at redhat.com
Fri Jun 17 01:32:52 UTC 2016
Received verbal ACK from Jack.
Pushed to master:
commit 51f34c3edb73a78b42468b756b89d07fc9ec7839
thanks,
Christina
On 06/16/2016 05:41 PM, Christina Fu wrote:
> Thanks for Jack's sharp eye; I accidentally messed up the git with one
> new profile. This new patch
> 1. fixed the git issue
> 2. changed the CS.cfg config names to not include "ca" as they apply to
> kra too
> 3. Also after discussing with Jack, we decided to change the default
> of excludedLdapAttrs.enabled to false.
>
> thanks,
> Christina
>
> On 06/16/2016 03:50 PM, Christina Fu wrote:
>> This is part 2 of:
>> https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key
>> archival/recovery, not to record certain data in ldap and logs
>>
>> This patch allows one to exclude certain ldap attributes from the
>> enrollment records for crmf requests
>> (both CRMF, and CMC CRMF). The following are the highlights:
>> * CRMF Manual approval profile is disabled: caDualCert.cfg
>> - By default, if ca.excludedLDAPattrs.enabled is true, then this
>> profile will not work, as the crmf requests
>> are not written to the ldap record for agents to act on
>> * ca.excludedLDAPattrs.attrs can be used to configure the attribute
>> list to be excluded
>> * a new CRMF "auto approval" (directory based, needs to be setup) is
>> provided
>> * By default, the following fields are no longer written to the ldap
>> record in case of CRMF:
>> (note: the code deliberately uses literal strings on purpose for the
>> reason that the exact literal strings need to be spelled out
>> in ca.excludedLDAPattrs.attrs if the admin chooses to override the
>> default)
>> "req_x509info",
>> "publickey",
>> "req_extensions",
>> "cert_request",
>> "req_archive_options",
>> "req_key"
>> * a sleepOneMinute() method is added for debugging purposes. It is
>> not called in the final code, but is left there for future debugging
>> purposes
>> * code was fixed so that the KRA request will display the subject name
>> even though the x509info is missing from the request
>> * cmc requests did not have the request type in their records, so it had
>> to be added for differentiation
>>
>> The following have been tested:
>> * CRMF auto enroll
>> * CRMF manual enroll/approval
>> * CMC-CRMF enroll
>> * both CA and KRA internal ldap were examined for correct data exclusion
>>
>> Note: CRMF could potentially not include the key archival option;
>> however, I am not going to differentiate them at the moment. An
>> earlier prototype I had built attempted to do that, and the signing
>> cert's record isn't excluded for the attrs write while its CRMF request
>> is the same as that of its encryption cert counterpart within the
>> same request. Due to this factor (multiple cert reqs with the same
>> request blob), I am treating them the same for exclusion.
>>
>> thanks,
>> Christina
>>
>>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>
>
>
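The patch description above explains the config-driven behaviour: when exclusion is enabled, a default list of six request attributes (overridable by spelling the exact literal names in the attrs setting) is left out of the LDAP record for CRMF and CMC-CRMF requests, which is why the manual CRMF approval profile no longer works. The following is an added model of that logic in Python, not code from the Dogtag PKI patch; the `excludedLdapAttrs.attrs` key name (mirroring the un-prefixed `excludedLdapAttrs.enabled` from the follow-up mail) and the request-type strings are assumptions.

```python
# Added example (not Dogtag PKI code): model of the excludedLdapAttrs behaviour
# from the patch mail. Key "excludedLdapAttrs.attrs" and the request-type
# strings are assumptions for illustration.
from typing import Dict, Set

# Default attribute list from the mail; the literal strings matter because an
# admin override in CS.cfg must spell them out verbatim.
DEFAULT_EXCLUDED = frozenset({
    "req_x509info", "publickey", "req_extensions",
    "cert_request", "req_archive_options", "req_key",
})
# Request types the exclusion applies to (constructed names): CRMF and CMC-CRMF.
CRMF_TYPES = frozenset({"crmf", "cmc-crmf"})


def load_cs_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg-style 'key=value' lines, ignoring blanks and '#' comments."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def exclusion_enabled(cfg: Dict[str, str]) -> bool:
    """Default is false (per the final patch), so a missing key means disabled."""
    return cfg.get("excludedLdapAttrs.enabled", "false").lower() == "true"


def excluded_attrs(cfg: Dict[str, str]) -> Set[str]:
    """An admin-supplied list replaces the default; empty/missing keeps it."""
    raw = cfg.get("excludedLdapAttrs.attrs", "")
    attrs = {a.strip() for a in raw.split(",") if a.strip()}
    return attrs or set(DEFAULT_EXCLUDED)


def filter_ldap_record(cfg: Dict[str, str], request_type: str,
                       record: Dict[str, str]) -> Dict[str, str]:
    """Drop excluded attributes from a CRMF/CMC-CRMF request record before the
    LDAP write; other request types, or disabled config, pass through intact."""
    if not exclusion_enabled(cfg) or request_type.lower() not in CRMF_TYPES:
        return dict(record)
    drop = excluded_attrs(cfg)
    return {k: v for k, v in record.items() if k not in drop}


def manual_crmf_approval_works(cfg: Dict[str, str]) -> bool:
    """With exclusion on, agents cannot see the request data in LDAP, so the
    manual CRMF approval profile (caDualCert.cfg) cannot function."""
    return not exclusion_enabled(cfg)
```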