From cfu at redhat.com Fri Feb 2 18:04:49 2018
From: cfu at redhat.com (Christina Fu)
Date: Fri, 2 Feb 2018 10:04:49 -0800
Subject: [Pki-devel] [REVIEW] Ticket 2880 - Need to record CMC requests and responses
Message-ID: <89dbe1d5-cf11-83bf-6d4a-20ca70b3e218@redhat.com>

Up for review:
https://pagure.io/dogtagpki/issue/2880#comment-491865

Assigned reviewer: jmagne

thanks,
Christina

From jmagne at redhat.com Fri Feb 2 19:21:36 2018
From: jmagne at redhat.com (John Magne)
Date: Fri, 2 Feb 2018 14:21:36 -0500 (EST)
Subject: [Pki-devel] dogtag: #2878 Missing failure resumption detection and audit event logging at startup
In-Reply-To: <2085797427.5304599.1517599264254.JavaMail.zimbra@redhat.com>
Message-ID: <1537933558.5304689.1517599296805.JavaMail.zimbra@redhat.com>

Review:
https://review.gerrithub.io/#/c/398121/

cfu has already accepted..

https://pagure.io/dogtagpki/issue/2878

From cfu at redhat.com Sat Feb 3 00:44:42 2018
From: cfu at redhat.com (Christina Fu)
Date: Fri, 2 Feb 2018 16:44:42 -0800
Subject: [Pki-devel] [REVIEW] Ticket 2920 - CMC: Audit Events needed for failures in SharedToken scenarios
Message-ID:

Up for review:
https://review.gerrithub.io/398279

Volunteered reviewer: jmagne

thanks,
Christina

From cfu at redhat.com Sat Feb 3 23:54:04 2018
From: cfu at redhat.com (Christina Fu)
Date: Sat, 3 Feb 2018 15:54:04 -0800
Subject: [Pki-devel] [REVIEW] Ticket #2921 CMC: Revocation works with an unknown revRequest.issuer
Message-ID: <9dbb444c-d375-351b-2825-6d6108d135b5@redhat.com>

Up for review:
https://review.gerrithub.io/398312

Volunteered reviewer: jmagne

thanks,
Christina

From cfu at redhat.com Thu Feb 8 00:40:41 2018
From: cfu at redhat.com (Christina Fu)
Date: Wed, 7 Feb 2018 16:40:41 -0800
Subject: [Pki-devel] Issues with certmonger SCEP enrollment with Dogtag
In-Reply-To:
References:
Message-ID: <96f16e8a-0e91-d2c3-51ad-bb51ed243037@redhat.com>

Hi Trevor,

I'll need a bit of clarification and some info...
On 01/31/2018 10:52 AM, Trevor Vaughan wrote:
> Hi All,
>
> I've hit a bit of a roadblock with debugging SCEP enrollment from
> certmonger to Dogtag and I'm hoping that someone can help.
>
> I am attempting to register with a subordinate CA that has a KRA set
> up and will successfully sign certificate requests from certmonger.
>
> Unfortunately, there is an issue with receiving the signed certificate
> and I've been unable to figure out how to successfully debug the issue.

So, the scep client has an issue receiving the scep response from the
server? And you have determined that the response is indeed a signed
certificate (like, not an error response)?

>
> The error that is returned is "Error: failed to verify signature on
> server response." and is triggered from
> https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065.

Is your scep client trusting the subordinate ca's scep signing cert?

>
> I've tried dumping the p7 data but, from what I can tell, the response
> is empty in that block of code and I'm not quite sure where to go from
> there.

Wait, so the received response is empty?

If the scep response from the subCA is not empty, could you show the
Base64 encoded response and maybe I can take a look?

Also, if you could attach the relevant portion of the sub-CA's debug log
it might be helpful.

>
> Any assistance is appreciated.
>
> Thanks,
>
> Trevor
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
>
> -- This account not approved for unencrypted proprietary information --

From tvaughan at onyxpoint.com Thu Feb 8 18:10:31 2018
From: tvaughan at onyxpoint.com (Trevor Vaughan)
Date: Thu, 8 Feb 2018 13:10:31 -0500
Subject: [Pki-devel] Issues with certmonger SCEP enrollment with Dogtag
In-Reply-To: <96f16e8a-0e91-d2c3-51ad-bb51ed243037@redhat.com>
References: <96f16e8a-0e91-d2c3-51ad-bb51ed243037@redhat.com>
Message-ID:

Hi Christina,

Thanks for getting back to me.

At the time, I thought this was a Dogtag issue but I have since discovered
that it appears to be solely an issue on the Certmonger side and is being
tracked at https://pagure.io/certmonger/issue/93.

Also, thanks for jumping in on the Dogtag AES patch, getting that in place
will be great.

Trevor

On Wed, Feb 7, 2018 at 7:40 PM, Christina Fu wrote:

> Hi Trevor,
>
> I'll need a bit of clarification and some info...
>
> On 01/31/2018 10:52 AM, Trevor Vaughan wrote:
>
> Hi All,
>
> I've hit a bit of a roadblock with debugging SCEP enrollment from
> certmonger to Dogtag and I'm hoping that someone can help.
>
> I am attempting to register with a subordinate CA that has a KRA set up
> and will successfully sign certificate requests from certmonger.
>
> Unfortunately, there is an issue with receiving the signed certificate and
> I've been unable to figure out how to successfully debug the issue.
>
> So, the scep client has an issue receiving the scep response from the
> server? And you have determined that the response is indeed a signed
> certificate (like, not an error response)?
>
>
>
> The error that is returned is "Error: failed to verify signature on server
> response." and is triggered from
> https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065.
>
>
> Is your scep client trusting the subordinate ca's scep signing cert?
>
>
> I've tried dumping the p7 data but, from what I can tell, the response is
> empty in that block of code and I'm not quite sure where to go from there.
>
>
> Wait, so the received response is empty?
>
> If the scep response from the subCA is not empty, could you show the
> Base64 encoded response and maybe I can take a look?
>
> Also, if you could attach the relevant portion of the sub-CA's debug log it
> might be helpful.
>
>
> Any assistance is appreciated.
>
> Thanks,
>
> Trevor
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
>
> -- This account not approved for unencrypted proprietary information --
>

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --

From ftweedal at redhat.com Wed Feb 28 05:38:07 2018
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 28 Feb 2018 15:38:07 +1000
Subject: [Pki-devel] IPAddress General Name patches
Message-ID: <20180228053807.GM3703@T470s>

Hi Christina et al,

Could someone with a familiarity/interest in IPAddress altnames /
name constraints please review this patchset and the three related
patchsets, when you have time?

https://review.gerrithub.io/#/c/398356/

The related BZ is https://bugzilla.redhat.com/show_bug.cgi?id=1538311
(Using a Netmask produces an odd entry in a certificate).

Any questions, you can reply or note them in gerrit.

Thanks,
Fraser