From: cfu at redhat.com (Christina Fu)
Date: Mon, 1 May 2017 17:54:19 -0700
Subject: [Pki-devel] [PATCH] Bug-1447145-CMC-cmc.popLinkWitnessRequired-false-wou.patch
Message-ID: <1cbb5cc2-c09d-eacf-8240-d184762c349c@redhat.com>

The popLinkWitnessRequired check was placed in the wrong location which
resulted in 0 requests if popLinkWitnessRequired=false.

Workaround was to always set it to true.

This patch fixes it.

It also adds a missing authenticator CMCUserSignedAuth in CS.cfg for ca.

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Bug-1447145-CMC-cmc.popLinkWitnessRequired-false-wou.patch
Type: text/x-patch
Size: 2791 bytes

From: jmagne at redhat.com (John Magne)
Date: Tue, 2 May 2017 14:43:56 -0400 (EDT)
Subject: [Pki-devel] [PATCH] Bug-1447145-CMC-cmc.popLinkWitnessRequired-false-wou.patch
In-Reply-To: <1cbb5cc2-c09d-eacf-8240-d184762c349c@redhat.com>
References: <1cbb5cc2-c09d-eacf-8240-d184762c349c@redhat.com>
Message-ID: <831913429.2755881.1493750636319.JavaMail.zimbra@redhat.com>

Makes sense.

ACK if tested to work.

----- Original Message -----
From: "Christina Fu"
To: pki-devel at redhat.com
Sent: Monday, May 1, 2017 5:54:19 PM
Subject: [Pki-devel] [PATCH] Bug-1447145-CMC-cmc.popLinkWitnessRequired-false-wou.patch

The popLinkWitnessRequired check was placed in the wrong location which
resulted in 0 requests if popLinkWitnessRequired=false.

Workaround was to always set it to true.

This patch fixes it.

It also adds a missing authenticator CMCUserSignedAuth in CS.cfg for ca.

thanks,
Christina

_______________________________________________
Pki-devel mailing list
Pki-devel at redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
From: cfu at redhat.com (Christina Fu)
Date: Tue, 2 May 2017 11:49:34 -0700
Subject: [Pki-devel] [PATCH] Bug-1447145-CMC-cmc.popLinkWitnessRequired-false-wou.patch
In-Reply-To: <831913429.2755881.1493750636319.JavaMail.zimbra@redhat.com>
References: <1cbb5cc2-c09d-eacf-8240-d184762c349c@redhat.com> <831913429.2755881.1493750636319.JavaMail.zimbra@redhat.com>
Message-ID: <3f318c95-29c8-7aee-c594-5b07cc65b4ab@redhat.com>

pushed to master:
commit c95cff5899e2975b16db61b811b626742e5e7114

thanks!
Christina

On 05/02/2017 11:43 AM, John Magne wrote:
> Makes sense.
>
> ACK if tested to work.
>
> ----- Original Message -----
> From: "Christina Fu"
> To: pki-devel at redhat.com
> Sent: Monday, May 1, 2017 5:54:19 PM
> Subject: [Pki-devel] [PATCH] Bug-1447145-CMC-cmc.popLinkWitnessRequired-false-wou.patch
>
> The popLinkWitnessRequired check was placed in the wrong location which
> resulted in 0 requests if popLinkWitnessRequired=false.
>
> Workaround was to always set it to true.
>
> This patch fixes it.
>
> It also adds a missing authenticator CMCUserSignedAuth in CS.cfg for ca.
>
> thanks,
> Christina
From: jmagne at redhat.com (John Magne)
Date: Fri, 5 May 2017 16:12:38 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] Non server keygen issue in SCP03.
In-Reply-To: <1234961601.4213282.1494015135071.JavaMail.zimbra@redhat.com>
Message-ID: <1888392200.4213302.1494015158963.JavaMail.zimbra@redhat.com>

[PATCH] Non server keygen issue in SCP03.

Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663

We discovered a minor issue when trying to log values that don't exist when performing the non server side keygen case. For instance, we don't need to generate a kek session key in this case, and we were trying to print info about it to the logs. This fix allows this case to work without issue.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0093-Non-server-keygen-issue-in-SCP03.patch
Type: text/x-patch
Size: 5627 bytes
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 5 May 2017 16:28:54 -0600
Subject: [Pki-devel] [pki-devel][PATCH] Non server keygen issue in SCP03.
In-Reply-To: <1888392200.4213302.1494015158963.JavaMail.zimbra@redhat.com>
References: <1888392200.4213302.1494015158963.JavaMail.zimbra@redhat.com>
Message-ID: <1907424a-c2aa-9285-6169-be6e3a3452cd@redhat.com>

On 05/05/2017 02:12 PM, John Magne wrote:
> [PATCH] Non server keygen issue in SCP03.
>
> Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663
>
> We discovered a minor issue when trying to log values that don't exist when performing the non server side keygen case. For instance, we don't need to generate a kek session key in this case, and we were trying to print info about it to the logs. This fix allows this case to work without issue.

These changes look fine; ACK if tested to work.

From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 12 May 2017 17:24:14 -0600
Subject: [Pki-devel] [PATCH] - CA installation with HSM in FIPS mode fails
Message-ID: <0dcb8ea7-d11d-c8fe-c4a6-590ab2073438@redhat.com>

Please review the attached patch for:

* Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails

Thanks,
-- Matt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20170512-Fix-CA-installation-with-HSM-in-FIPS-mode.patch
Type: text/x-patch
Size: 3180 bytes
From: jmagne at redhat.com (John Magne)
Date: Fri, 12 May 2017 19:35:53 -0400 (EDT)
Subject: [Pki-devel] [PATCH] - CA installation with HSM in FIPS mode fails
In-Reply-To: <0dcb8ea7-d11d-c8fe-c4a6-590ab2073438@redhat.com>
References: <0dcb8ea7-d11d-c8fe-c4a6-590ab2073438@redhat.com>
Message-ID: <1098397960.7335384.1494632153611.JavaMail.zimbra@redhat.com>

This looks nice and simple and solves the problem.

I agree that using http is ok here since the servlet in question is public anyway.

I have also participated in and seen the results of a successful test of this patch working.

ACK.

----- Original Message -----
> From: "Matthew Harmsen"
> To: "pki-devel" , "Jack Magne"
> Sent: Friday, May 12, 2017 4:24:14 PM
> Subject: [PATCH] - CA installation with HSM in FIPS mode fails
>
> Please review the attached patch for:
>
> * Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
>
> Thanks,
> -- Matt
From: cfu at redhat.com (Christina Fu)
Date: Mon, 15 May 2017 18:29:19 -0700
Subject: [Pki-devel] [PATCH] Bug-1447080-CC-CMC-allow-enrollment-key-signed-self-.patch

(pagure ticket is yet to be cloned)

Bug 1447080 - CC: CMC: allow enrollment key signed (self-signed) CMC with identity proof

This patch implements handling of the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when no signing cert has been issued to the user before; once one is issued, it can be used to sign subsequent cert requests by the same user.

The new enrollment profile introduced is: caFullCMCSelfSignedCert.cfg

The new option introduced to both CRMFPopClient and PKCS10Client is "-y", which will add the required SubjectKeyIdentifier to the underlying request.

When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified; however, the cert subject DN is recorded in the log as soon as it is available, for additional information.

thanks!
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Bug-1447080-CC-CMC-allow-enrollment-key-signed-self-.patch
Type: text/x-patch
Size: 151290 bytes
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Mon, 15 May 2017 20:47:45 -0600
Subject: [Pki-devel] [PATCH] - Added FIPS class to pkispawn
Message-ID: <9d19be2a-ac95-2a0e-c922-32595d83f9c9@redhat.com>

Please review the attached patches for:

* Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails

Thanks,
-- Matt

P. S. - The patches were tested on a FIPS-enabled box, and the output looks similar to the following:

pkispawn : INFO ... finalizing 'pki.server.deployment.scriptlets.finalization'
pkispawn : INFO ....... executing 'systemctl enable pki-tomcatd.target'
Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target.
pkispawn : INFO ....... executing 'systemctl daemon-reload'
pkispawn : INFO ....... executing 'systemctl restart pki-tomcatd@pki-tomcat.service'
pkispawn : INFO ........... FIPS mode is enabled on this operating system.
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
pkispawn : DEBUG ........... 1CArunning10.4.1-4.el7
pkispawn : INFO ....... rm -rf /opt/RootCA/ca
pkispawn : INFO END spawning subsystem 'CA' of instance 'pki-tomcat'
pkispawn : INFO ... archiving configuration into '/var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006'
pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
pkispawn : DEBUG ........... chmod 660 /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
pkispawn : DEBUG ........... chown 17:17 /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
pkispawn : INFO ... archiving manifest into '/var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006'
pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006
pkispawn : DEBUG ........... chmod 660 /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006
pkispawn : DEBUG ........... chown 17:17 /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006

    ==========================================================================
                            INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /opt/RootCA/caadmincert.p12

      This CA subsystem of the 'pki-tomcat' instance
      has FIPS mode enabled on this operating system.

      REMINDER:  Don't forget to update the appropriate FIPS
                 algorithms in server.xml in the 'pki-tomcat' instance.

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service

      The URL for the subsystem is:
            https://pki.example.com:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-core-Added-FIPS-class-to-pkispawn.patch
Type: text/x-patch
Size: 6735 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-core-Added-runtime-requirement-on-sysctl-to-pki-core-spec.patch
Type: text/x-patch
Size: 692 bytes
From: cfu at redhat.com (Christina Fu)
Date: Tue, 16 May 2017 11:36:55 -0700
Subject: [Pki-devel] [PATCH] Bug-1447080-CC-CMC-allow-enrollment-key-signed-self-.patch

Per discussion with Ade and Endi on an unrelated audit-event-specific topic, we decided not to split events into SUCCESS and FAILURE. This updated patch un-splits the events that I split prior to the conversation/decision.

thanks,
Christina

On 05/15/2017 06:29 PM, Christina Fu wrote:
> (pagure ticket is yet to be cloned)
>
> Bug 1447080 - CC: CMC: allow enrollment key signed (self-signed) CMC
> with identity proof
>
> This patch implements handling of the self-signed CMC requests, where
> the request is signed by the public key of the underlying request
> (PKCS#10 or CRMF). The scenario for when this method is used is when
> no signing cert has been issued to the user before; once one is
> issued, it can be used to sign subsequent cert requests by the same
> user.
>
> The new enrollment profile introduced is: caFullCMCSelfSignedCert.cfg
>
> The new option introduced to both CRMFPopClient and PKCS10Client is
> "-y", which will add the required SubjectKeyIdentifier to the
> underlying request.
>
> When a CMC request is self-signed, no auditSubjectID is available
> until Identification Proof (v2) is verified; however, the cert subject
> DN is recorded in the log as soon as it is available, for additional
> information.
>
> thanks!
>
> Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Tocket2673-CMC-allow-enrollment-key-signed-self-sign.patch
Type: text/x-patch
Size: 152815 bytes
From: jmagne at redhat.com (John Magne)
Date: Tue, 16 May 2017 20:39:15 -0400 (EDT)
Subject: [Pki-devel] [PATCH] Bug-1447080-CC-CMC-allow-enrollment-key-signed-self-.patch
Message-ID: <964624419.8337757.1494981555898.JavaMail.zimbra@redhat.com>

I have already seen the demo for this. Seems to make sense.

I've called out some extraneous calls to System.out.println, that might pollute the logs and the output for a client.

Conditional ACK.

Also, some of this affects the CRMFPopClient class when we add the switch for self signed. We should at least check with Endi to make sure this doesn't have any negative effect on the pki command which uses the same code in certain situations.

----- Original Message -----
From: "Christina Fu"
To: pki-devel at redhat.com
Sent: Tuesday, May 16, 2017 11:36:55 AM
Subject: Re: [Pki-devel] [PATCH] Bug-1447080-CC-CMC-allow-enrollment-key-signed-self-.patch

Per discussion with Ade and Endi on an unrelated audit-event-specific topic, we decided not to split events into SUCCESS and FAILURE. This updated patch un-splits the events that I split prior to the conversation/decision.

thanks,
Christina

On 05/15/2017 06:29 PM, Christina Fu wrote:

(pagure ticket is yet to be cloned)

Bug 1447080 - CC: CMC: allow enrollment key signed (self-signed) CMC with identity proof

This patch implements handling of the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when no signing cert has been issued to the user before; once one is issued, it can be used to sign subsequent cert requests by the same user.

The new enrollment profile introduced is: caFullCMCSelfSignedCert.cfg

The new option introduced to both CRMFPopClient and PKCS10Client is "-y", which will add the required SubjectKeyIdentifier to the underlying request.

When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified; however, the cert subject DN is recorded in the log as soon as it is available, for additional information.

thanks!
Christina
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 16 May 2017 21:09:31 -0400 (EDT)
Subject: [Pki-devel] [PATCH] Fixed audit event outcome for agent-rejected cert request.
In-Reply-To: <492373868.9779145.1494983249455.JavaMail.zimbra@redhat.com>
Message-ID: <493799641.9779463.1494983371643.JavaMail.zimbra@redhat.com>

The outcome of CERT_REQUEST_PROCESSED event has been changed to Failure when the certificate request is rejected by an agent.

https://pagure.io/dogtagpki/issue/2693

Pushed to master under trivial rule:
https://github.com/dogtagpki/pki/commit/dcbe7ce08fcf9512a6cf1ecf22ed080c0085e28a

--
Endi S. Dewata

From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 17 May 2017 12:54:45 -0600
Subject: [Pki-devel] [PATCH] - Correct section headings in user deployment configuration file
Message-ID: <9d5de74f-8b25-8099-5a90-6a9ad6e4224b@redhat.com>

Please review the attached patch for:

* Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation

Note that the Python method itself was tested in a standalone fashion against various sample configuration files to make certain that the only thing altered was an invalid section heading.

It was run against the previously modified files noted in the bug and made the following changes to the user deployment configuration files:

# diff mlh_ca.cfg.orig mlh_ca.cfg
24c24
< [TOMCAT]
---
> [Tomcat]

# diff mlh_kra.cfg.orig mlh_kra.cfg
31c31
< [TOMCAT]
---
> [Tomcat]

Application of this patch allowed the KRA to be installed successfully, and did not shut down the CA.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20170517-Correct-section-headings-in-user-deployment-config.patch
Type: text/x-patch
Size: 2691 bytes
From: jmagne at redhat.com (John Magne)
Date: Wed, 17 May 2017 16:59:10 -0400 (EDT)
Subject: [Pki-devel] [PATCH] - Correct section headings in user deployment configuration file
In-Reply-To: <9d5de74f-8b25-8099-5a90-6a9ad6e4224b@redhat.com>
References: <9d5de74f-8b25-8099-5a90-6a9ad6e4224b@redhat.com>
Message-ID: <1207502040.8717859.1495054750293.JavaMail.zimbra@redhat.com>

Looks simple and valuable to clean up a few possible error cases.

Conditional ACK with one minor thing.

Maybe just check for "[KEYWORD" to catch a case where someone might leave out the closing bracket. Who knows what havoc that might have on an install.

----- Original Message -----
> From: "Matthew Harmsen"
> To: "pki-devel"
> Sent: Wednesday, May 17, 2017 11:54:45 AM
> Subject: [Pki-devel] [PATCH] - Correct section headings in user deployment configuration file
>
> Please review the attached patch for:
>
> * Bugzilla Bug #1447144 - CA brought down during separate KRA instance
> creation
>
> Note that the Python method itself was tested in a standalone fashion against
> various sample configuration files to make certain that the only thing
> altered was an invalid section heading.
>
> It was run against the previously modified files noted in the bug and made
> the following changes to the user deployment configuration files:
>
> # diff mlh_ca.cfg.orig mlh_ca.cfg
> 24c24
> < [TOMCAT]
> ---
> > [Tomcat]
>
> # diff mlh_kra.cfg.orig mlh_kra.cfg
> 31c31
> < [TOMCAT]
> ---
> > [Tomcat]
>
> Application of this patch allowed the KRA to be installed successfully, and
> did not shut down the CA.
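The heading normalization Matthew describes, with John's missing-bracket case folded in, as an added example in Python (not the patch's own method): it assumes the canonical pkispawn section names listed in CANONICAL_SECTIONS, and it leaves every other line, including values and comments that contain brackets, untouched while reporting exactly what it changed.

```python
import re

# Assumed canonical section names of a pkispawn user deployment config.
# configparser matches section names case-sensitively, so "[TOMCAT]" is a
# different, unrecognized section from "[Tomcat]".
CANONICAL_SECTIONS = ("DEFAULT", "Tomcat", "CA", "KRA", "OCSP", "TKS", "TPS")
_BY_LOWER = {name.lower(): name for name in CANONICAL_SECTIONS}

# A heading line: optional indent, '[', a name, then either ']' or nothing at
# all (the "[KEYWORD" case), then an optional trailing comment.
_HEADING = re.compile(r"^(\s*)\[\s*([A-Za-z_][\w-]*)\s*(\]?)(\s*(?:[#;].*)?)$")


def normalize_heading(line):
    """Return (fixed_line, change) for one config line.

    change is None when the line is untouched, otherwise a tuple
    (original, fixed, reason) so the installer can log what it altered.
    """
    body = line.rstrip("\r\n")
    newline = line[len(body):]
    m = _HEADING.match(body)
    if m is None:
        return line, None                 # not a heading: never rewrite
    indent, name, close, trailing = m.groups()
    canonical = _BY_LOWER.get(name.lower())
    if canonical is None:
        return line, None                 # unknown section: let the parser report it
    fixed = "%s[%s]%s" % (indent, canonical, trailing)
    if fixed == body:
        return line, None
    reason = "missing ']'" if close == "" else "case/spacing"
    return fixed + newline, (body, fixed, reason)


def fix_section_headings(text):
    """Rewrite every recognized heading in a config text.

    Returns (new_text, changes); changes lists (original, fixed, reason) in
    file order, which is what a diff-style report like Matthew's needs.
    """
    out, changes = [], []
    for line in text.splitlines(True):
        fixed, change = normalize_heading(line)
        out.append(fixed)
        if change is not None:
            changes.append(change)
    return "".join(out), changes


# Constructed sample: the [TOMCAT] case from the bug plus a heading that lost
# its closing bracket. Values and comments must pass through unchanged.
SAMPLE_CFG = """[DEFAULT]
pki_instance_name=pki-tomcat
[TOMCAT]
pki_ajp_port=8009
[KRA
pki_token_password=Secret.123
# [ca] inside a comment is not a heading
pki_note=[TOMCAT] inside a value is not a heading either
"""

if __name__ == "__main__":
    new_text, changes = fix_section_headings(SAMPLE_CFG)
    for original, fixed, reason in changes:
        print("< %s\n> %s   (%s)" % (original, fixed, reason))
```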
From: cfu at redhat.com (Christina Fu)
Date: Fri, 19 May 2017 17:31:37 -0700
Subject: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch
Message-ID: <1d66e0f3-d43c-781e-d18c-0cea0eb4f265@redhat.com>

This patch is for https://pagure.io/dogtagpki/issue/2618 (allow CA to process pre-signed CMC renewal cert requests).

Ticket#2618 feature: pre-signed CMC renewal request

This patch provides the feature implementation to allow the CA to process pre-signed CMC renewal requests. In the world of CMC, renewal requests are full CMC requests that are signed by a previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert profile with the enhanced profile constraint UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of the same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request, to be used by the RenewGracePeriodConstraint.
The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.

Thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Ticket-2618-feature-pre-signed-CMC-renewal-request.patch
Type: text/x-patch
Size: 18384 bytes
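The two constraints and why their order matters, as an added Python model (not Dogtag's Java UniqueKeyConstraint and RenewGracePeriodConstraint): it assumes certificate records that carry a key identifier, a revoked flag and notAfter, a grace window given in days before and after origNotAfter, and that a request with no origNotAfter is treated by the grace constraint as an initial enrollment and passes.

```python
from datetime import datetime, timedelta
from functools import partial


class IssuedCert:
    """Minimal record of a certificate the CA has issued (constructed model)."""

    def __init__(self, serial, public_key, not_after, revoked=False):
        self.serial = serial
        self.public_key = public_key      # any hashable identifier of the key
        self.not_after = not_after        # datetime
        self.revoked = revoked


class RenewalRequest:
    """A CMC renewal request; origNotAfter is filled in by UniqueKeyConstraint."""

    def __init__(self, public_key, now):
        self.public_key = public_key
        self.now = now
        self.orig_not_after = None        # models the request attribute origNotAfter


def unique_key_constraint(req, issued, allow_same_key_renewal=True):
    """Model of UniqueKeyConstraint after the patch.

    Rejects when the key is shared by a revoked certificate; otherwise, when
    same-key renewal is allowed, records origNotAfter of the newest certificate
    sharing the key for RenewGracePeriodConstraint. None means accepted.
    """
    same_key = [c for c in issued if c.public_key == req.public_key]
    if not same_key:
        return None                                   # fresh key: initial enrollment
    if any(c.revoked for c in same_key):
        return "key is shared by a revoked certificate"
    if not allow_same_key_renewal:
        return "key already certified and allowSameKeyRenewal=false"
    req.orig_not_after = max(c.not_after for c in same_key)
    return None


def renew_grace_period_constraint(req, issued, grace_before_days, grace_after_days):
    """Model of RenewGracePeriodConstraint: the request must arrive inside the
    window around origNotAfter. Without origNotAfter nothing can be checked,
    so the request passes (assumed behaviour, see lead-in)."""
    if req.orig_not_after is None:
        return None
    window_start = req.orig_not_after - timedelta(days=grace_before_days)
    window_end = req.orig_not_after + timedelta(days=grace_after_days)
    if not (window_start <= req.now <= window_end):
        return "outside renewal grace period (origNotAfter=%s)" % req.orig_not_after.date()
    return None


def run_constraints(req, issued, constraints):
    """Evaluate profile constraints in order; return the first rejection or None."""
    for constraint in constraints:
        err = constraint(req, issued)
        if err is not None:
            return err
    return None


# Constructed data: a fixed "now" and three keys in different states.
NOW = datetime(2017, 5, 22, 12, 0, 0)
ISSUED = [
    IssuedCert(1, "key-A", NOW - timedelta(days=400)),            # older cert for key-A
    IssuedCert(2, "key-A", NOW + timedelta(days=10)),             # newest cert for key-A
    IssuedCert(3, "key-B", NOW + timedelta(days=200), revoked=True),
    IssuedCert(4, "key-C", NOW - timedelta(days=90)),             # expired well past grace
]
GRACE = partial(renew_grace_period_constraint, grace_before_days=30, grace_after_days=30)
CORRECT_ORDER = [unique_key_constraint, GRACE]
WRONG_ORDER = [GRACE, unique_key_constraint]                      # grace runs before origNotAfter exists
STRICT_ORDER = [partial(unique_key_constraint, allow_same_key_renewal=False), GRACE]


def evaluate(public_key, constraints=CORRECT_ORDER):
    """Build a request for public_key at NOW and run it through the constraints."""
    req = RenewalRequest(public_key, NOW)
    return run_constraints(req, ISSUED, constraints), req.orig_not_after


if __name__ == "__main__":
    for key in ("key-A", "key-B", "key-C", "key-new"):
        print(key, evaluate(key))
    print("key-C with constraints in the wrong order:", evaluate("key-C", WRONG_ORDER))
```

The last line of the demo is the ordering caveat from the message: with the grace constraint first, the expired key-C renewal is accepted.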
From: jmagne at redhat.com (John Magne)
Date: Fri, 19 May 2017 21:36:52 -0400 (EDT)
Subject: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch
In-Reply-To: <1d66e0f3-d43c-781e-d18c-0cea0eb4f265@redhat.com>
References: <1d66e0f3-d43c-781e-d18c-0cea0eb4f265@redhat.com>
Message-ID: <1081838551.193093.1495244212520.JavaMail.zimbra@redhat.com>

ACK:

Just make sure these changed constraints don't have any negative effect on existing profiles that use those constraints.

----- Original Message -----
From: "Christina Fu"
To: pki-devel at redhat.com
Sent: Friday, May 19, 2017 5:31:37 PM
Subject: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch

This patch is for https://pagure.io/dogtagpki/issue/2618 (allow CA to process pre-signed CMC renewal cert requests).

Ticket#2618 feature: pre-signed CMC renewal request

This patch provides the feature implementation to allow the CA to process pre-signed CMC renewal requests. In the world of CMC, renewal requests are full CMC requests that are signed by a previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert profile with the enhanced profile constraint UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of the same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request, to be used by the RenewGracePeriodConstraint.
The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.

Thanks,
Christina
From: cfu at redhat.com (Christina Fu)
Date: Mon, 22 May 2017 09:45:35 -0700
Subject: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch
In-Reply-To: <1081838551.193093.1495244212520.JavaMail.zimbra@redhat.com>
References: <1d66e0f3-d43c-781e-d18c-0cea0eb4f265@redhat.com> <1081838551.193093.1495244212520.JavaMail.zimbra@redhat.com>
Message-ID: <508307d4-0785-f13f-9938-40be8cad8ca1@redhat.com>

pushed to master:
commit 8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb

thanks,
Christina

On 05/19/2017 06:36 PM, John Magne wrote:
> ACK:
>
> Just make sure these changed constraints don't have any negative effect on existing profiles that use those constraints.
>
> ----- Original Message -----
> From: "Christina Fu"
> To: pki-devel at redhat.com
> Sent: Friday, May 19, 2017 5:31:37 PM
> Subject: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch
>
> This patch is for https://pagure.io/dogtagpki/issue/2618 (allow CA to process pre-signed CMC renewal cert requests).
>
> Ticket#2618 feature: pre-signed CMC renewal request
>
> This patch provides the feature implementation to allow the CA to process pre-signed CMC renewal requests. In the world of CMC, renewal requests are full CMC requests that are signed by a previously issued signing certificate.
> The implementation approach is to use the caFullCMCUserSignedCert profile with the enhanced profile constraint UniqueKeyConstraint.
> UniqueKeyConstraint has been updated to disallow renewal of the same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request, to be used by the RenewGracePeriodConstraint.
> The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
>
> Thanks,
>
> Christina
From: jmagne at redhat.com (John Magne)
Date: Mon, 22 May 2017 21:27:37 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0094-Tkstool-FIPS-Mode-fix.patch
In-Reply-To: <1665445431.1266295.1495502796367.JavaMail.zimbra@redhat.com>
Message-ID: <161928520.1266327.1495502857311.JavaMail.zimbra@redhat.com>

#2540 Creating symmetric key (sharedSecret) using tkstool is failing when operating system is in FIPS mode.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0094-Tkstool-FIPS-Mode-fix.patch
Type: text/x-patch
Size: 7549 bytes

From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 23 May 2017 11:54:06 -0600
Subject: [Pki-devel] [PATCH] Always check FIPS mode at initialization time . . .
Message-ID: <3a049dd1-d602-2656-93ca-605c3863fd58@redhat.com>

Please review the attached patch which addresses the following bug:

* Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error

It was given a quick smoke test to determine if it eliminated the Python KeyError of 'pki_fips_mode_enabled' not being set, which previously occurred whenever 'pki_restart_configured_instance' had been overridden to be False (which it is on certain FreeIPA deployments).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20170523-Always-check-FIPS-mode-at-installation-time.patch
Type: text/x-patch
Size: 1242 bytes
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 23 May 2017 17:44:42 -0600
Subject: [Pki-devel] [pki-devel][PATCH] 0094-Tkstool-FIPS-Mode-fix.patch
In-Reply-To: <161928520.1266327.1495502857311.JavaMail.zimbra@redhat.com>
References: <161928520.1266327.1495502857311.JavaMail.zimbra@redhat.com>

On 05/22/2017 07:27 PM, John Magne wrote:
> #2540 Creating symmetric key (sharedSecret) using tkstool is failing when operating system is in FIPS mode.

Be sure to cleanup "context" if it exists in the "cleanup:" section.

Conditional ACK if tested to work.

From: jmagne at redhat.com (John Magne)
Date: Wed, 24 May 2017 13:47:52 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0094-Tkstool-FIPS-Mode-fix.patch
References: <161928520.1266327.1495502857311.JavaMail.zimbra@redhat.com>
Message-ID: <60776499.2134135.1495648072905.JavaMail.zimbra@redhat.com>

Provided cleanup and checked in:

commit 84f3958dc9c1c5bfab4a8789e621d621a28cbdd6
Author: Jack Magne
Date:   Mon Apr 10 11:27:12 2017 -0700

    Now the program can create and import shared secret keys while under FIPS mode.

    Closed #2540 Creating symmetric key (sharedSecret) using tkstool is failing when operating system is in FIPS mode.

----- Original Message -----
> From: "Matthew Harmsen"
> To: "John Magne" , "pki-devel"
> Sent: Tuesday, May 23, 2017 4:44:42 PM
> Subject: Re: [Pki-devel] [pki-devel][PATCH] 0094-Tkstool-FIPS-Mode-fix.patch
>
> On 05/22/2017 07:27 PM, John Magne wrote:
> > #2540 Creating symmetric key (sharedSecret) using tkstool is failing when
> > operating system is in FIPS mode.
>
> Be sure to cleanup "context" if it exists in the "cleanup:" section.
>
> Conditional ACK if tested to work.

From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 26 May 2017 17:57:02 +1000
Subject: [Pki-devel] [PATCH] 0180 Fix NPE in lightweight CA created
Message-ID: <20170526075702.GQ7168@dhcp-40-8.bne.redhat.com>

Hi team,

The attached patch was pushed to master under trivial rule.

It fixes https://pagure.io/dogtagpki/issue/2711.

Thanks,
Fraser

-------------- next part --------------
From 2866f6195eb49012cf7c42089a9fbf1be819129a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 26 May 2017 17:47:14 +1000
Subject: [PATCH] Fix NPE in lightweight CA creation

Fixes: https://pagure.io/dogtagpki/issue/2711
---
 .../cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
index 908cbe4aecf96c24e2d356394c7ba1ead2cd3a56..4b0f68c51d963a27f0c1314ce25589893068d2ab 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
@@ -148,7 +148,9 @@ public class EnrollmentProcessor extends CertProcessor { IProfileContext ctx = profile.createContext(); // set arbitrary user data into request, if any - String userData = request.getParameter("user-data"); + String userData = null; + if (request != null) + userData = request.getParameter("user-data"); if (userData != null) ctx.set(IEnrollProfile.REQUEST_USER_DATA, userData); -- 2.9.4

From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 31 May 2017 14:38:28 -0600
Subject: [Pki-devel] [PATCH] Fixed pylint errors
Message-ID: <54e0fc9f-c57d-022e-e405-3f741a434463@redhat.com>

Please review the attached patch which addresses the following issues:

* dogtagpki Pagure Issue #2713 - Build failure due to Pylint issues

These changes were successfully compiled on a Fedora 27 machine with the following packages:

* python2-2.7.13-10.fc27.x86_64
* python3-3.6.1-7.fc27.x86_64
* pylint-1.7.1-1.fc27.noarch

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20170531-Fixed-pylint-issues.patch
Type: text/x-patch
Size: 14524 bytes
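Review bot: In Fraser's EnrollmentProcessor.java hunk above, the new `if (request != null)` guard covers only the `user-data` lookup; if `request` is legitimately null on this path (lightweight CA creation, per the subject), any other `request.getParameter(...)` call in the same method needs the same guard or the NPE just moves a few lines down, so it is worth confirming there are none. Two smaller points: a one-line comment saying when `request` is null here would save the next reader a trip to issue 2711, and the two brace-less single-statement `if`s (`if (request != null)` and `if (userData != null)`) are the kind of thing a later edit trips over.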
From mharmsen at redhat.com Wed May 31 23:30:36 2017
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 31 May 2017 17:30:36 -0600
Subject: [Pki-devel] [PATCH] Fixed pylint errors (re-sent)
Message-ID: <5bc449c1-3746-1617-f03c-ac59e7cb45f6@redhat.com>

The attached patch was altered to change "args" ==> "argv" rather than "argv" ==> "args", since it was discovered that a number of the routines utilized "args" as a local variable that would have had to be changed if the "argv" input parameter were changed to "args". Consequently, this patch converts "args" ==> "argv".

Please review the attached patch which addresses the following issues:

* dogtagpki Pagure Issue #2713 - Build failure due to Pylint issues

These changes were successfully compiled on a Fedora 27 machine with the following packages:

* python2-2.7.13-10.fc27.x86_64
* python3-3.6.1-7.fc27.x86_64
* pylint-1.7.1-1.fc27.noarch

Additionally, a CA instance was installed and configured, and the following smoke test was run:

* sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L
* sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for example.com" -p 8080 ca-user-add testuser --fullName "Test User"
* sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L
* sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for example.com" -p 8080 client-cert-request uid=testuser
* sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for example.com" -p 8080 ca-cert-request-review 7 --action approve
* sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for example.com" -p 8080 ca-user-cert-add testuser --serial 0x7
* sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for example.com" -p 8080 client-cert-import testuser --serial 0x7
* sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20170531-Fixed-pylint-issues.patch
Type: text/x-patch
Size: 14756 bytes
Desc: not available
URL:
From edewata at redhat.com Wed May 31 23:47:38 2017
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 31 May 2017 18:47:38 -0500
Subject: [Pki-devel] [PATCH] Fixed pylint errors (re-sent)
In-Reply-To: <5bc449c1-3746-1617-f03c-ac59e7cb45f6@redhat.com>
References: <5bc449c1-3746-1617-f03c-ac59e7cb45f6@redhat.com>
Message-ID:

On 5/31/2017 6:30 PM, Matthew Harmsen wrote:
> The attached patch was altered to change "args" ==> "argv" rather than
> "argv" ==> "args" since it was discovered that a number of the routines
> utilized "args" as a local variable that would have to be changed since
> if the "argv" input parameter were changed to "args". Consequently,
> this patch converts "args" ==> "argv".
>
> Please review the attached patch which addresses the following issues:
>
> * dogtagpki Pagure Issue #2713 - Build failure due to Pylint issues
>
> These changes were successfully compiled on a Fedora 27 machine with the
> following packages:
>
> * python2-2.7.13-10.fc27.x86_64
> * python3-3.6.1-7.fc27.x86_64
> * pylint-1.7.1-1.fc27.noarch
>
> Additionally, a CA instance was installed and configured, and the
> following smoke test was run:
>
> * sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L
> * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
> /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
> example.com" -p 8080 ca-user-add testuser --fullName "Test User"
> * sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L
> * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
> /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
> example.com" -p 8080 client-cert-request uid=testuser
> * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
> /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
> example.com" -p 8080 ca-cert-request-review 7 --action approve
> * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
> /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
> example.com" -p 8080 ca-user-cert-add testuser --serial 0x7
> * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
> /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
> example.com" -p 8080 client-cert-import testuser --serial 0x7
> * sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L
>

Just one thing, I was under the impression that we're supposed to remove PKIServerUpgradeScriptlet.__init__() altogether. Christian, could you take a look at this?

Everything else is good.

--
Endi S. Dewata

From saurav.srivastav006 at gmail.com Wed May 10 11:30:31 2017
From: saurav.srivastav006 at gmail.com (SAURAV .)
Date: Wed, 10 May 2017 11:30:31 -0000
Subject: [Pki-devel] Need help to store NSS DB response error message in variable using shell script
Message-ID:

Hi Dev Team,

I am writing a shell script for adding and deleting certificates in the NSS DB at system level. I have a question: if I have to delete a CA certificate from the NSS DB, and suppose its CRL file is also stored in the DB, I am thinking of deleting the CRL file first and then the CA certificate from the NSS DB. For deleting the CRL we will use the crlutil command. Now let's assume that I have to delete a CA certificate from the NSS DB and its CRL file is not stored there, but the delete command for the CRL file has to execute before the delete command for the certificate. If the CRL is not there, then the command prompt will show the database error message SEC_ERROR_CRL_NOT_FOUND: No matching CRL was found.

So my question is: can I get this error message into a variable to check and log it? I have executed code like this to store the response of the crlutil delete command, but it has printed directly on the console. Below is the command I have used:

result=$(crlutil -D -d sql:/etc/pki/nssdb -n "Nickname")

If it is possible to store the response error message, then please guide me so that I can use it in my code.

Regards,
Saurav

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
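One way to capture that message, as an added example that is not part of the original thread: command substitution only collects stdout, and crlutil prints SEC_ERROR_CRL_NOT_FOUND on stderr, so the diagnostic has to be redirected with 2>&1 inside the substitution before it can be matched and logged. The NSSDB and LOGFILE defaults and the nickname-based cleanup order are assumptions of this example, and the NSS tools are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the list thread. Captures crlutil's stderr
# (where SEC_ERROR_CRL_NOT_FOUND is printed) into a variable so a missing
# CRL can be logged and tolerated before the CA certificate is deleted.
# NSSDB and LOGFILE are assumed defaults; override them for the target host.
NSSDB="${NSSDB:-sql:/etc/pki/nssdb}"
LOGFILE="${LOGFILE:-/var/log/nssdb-cleanup.log}"

# run_capture CMD [ARGS...]: run CMD, storing combined stdout+stderr in
# CAPTURED_OUTPUT and its exit status in CAPTURED_STATUS. $(...) alone sees
# only stdout, which is why the error escaped to the console; 2>&1 fixes it.
run_capture() {
    if CAPTURED_OUTPUT=$("$@" 2>&1); then
        CAPTURED_STATUS=0
    else
        CAPTURED_STATUS=$?
    fi
}

# crl_not_found OUTPUT: succeeds when OUTPUT carries the NSS "no CRL" error.
crl_not_found() {
    case "$1" in
        *SEC_ERROR_CRL_NOT_FOUND*) return 0 ;;
        *) return 1 ;;
    esac
}

# delete_crl NICKNAME: remove the CRL issued by NICKNAME. A missing CRL is
# logged and treated as success; any other crlutil failure is logged and fails.
delete_crl() {
    run_capture crlutil -D -d "$NSSDB" -n "$1"
    if [ "$CAPTURED_STATUS" -eq 0 ]; then
        return 0
    fi
    if crl_not_found "$CAPTURED_OUTPUT"; then
        printf '%s: no CRL stored for %s, continuing\n' "$(date)" "$1" >>"$LOGFILE"
        return 0
    fi
    printf '%s: crlutil -D failed for %s: %s\n' "$(date)" "$1" "$CAPTURED_OUTPUT" >>"$LOGFILE"
    return 1
}

# delete_ca_cert NICKNAME: delete the CRL first, then the CA certificate.
delete_ca_cert() {
    delete_crl "$1" || return 1
    run_capture certutil -D -d "$NSSDB" -n "$1"
    [ "$CAPTURED_STATUS" -eq 0 ] && return 0
    printf '%s: certutil -D failed for %s: %s\n' "$(date)" "$1" "$CAPTURED_OUTPUT" >>"$LOGFILE"
    return 1
}
```

Calling `delete_ca_cert "Nickname"` runs both steps; check its return status and the log file rather than the console.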