[PATCH] 0010..0013 DNP3/IECUserRoles extension support
by Fraser Tweedale
Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
extension support and a DNP3 profile that makes use of it. This is
to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
Authentication v5 (SAv5) standard.
In brief, the SN and all the IECUserRoles params will be given in
profile inputs, and the key is taken from a CertReqInput.
There's still a bit of work to go - notably, some of the
IECUserRoles fields are unimplemented, and some of those that *are*
implemented are not yet read out of the profile input but rather are
hardcoded. The extension *does* appear on the certificate, so I
should get that all completed tomorrow.
Cheers,
Fraser
9 years, 6 months
remove RAEnrollProfile.java?
by Fraser Tweedale
The RAEnrollProfile class is not used or referenced anywhere in the
codebase. I presume it was related to the RA, but even immediately
before removal of the RA it did not seem to be used, so it seems
safe to remove it.
Comments?
Fraser
9 years, 6 months
CLI for editing profiles
by Fraser Tweedale
Along with LDAP profiles, we will be adding modules to the CLI for
adding and editing profiles in the ConfigStore format that was used
for file-based profiles. For more info, see:
http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#Command-line_utili...
There is an existing CLI for adding and modifying profiles, in the
XML format, e.g. ``pki ca profile add caCustomProfile.xml``. The
XML format carries information including the profile ID and
class_id, but these data must be supplied out-of-band when dealing
with the ConfigStore format.
Because of this, I intend to:
- add new commands to the existing profile CLI for working with the
"raw" (i.e., ConfigStore) format, e.g. "edit-raw", "add-raw".
Where necessary, these commands will take compulsory
``--profile-id`` and/or ``--class-id`` arguments, to account for
the absense of such information in the profile ConfigStore format;
and
- transport this information in the XML format - not in the "raw"
format - so that it will be unnecessary to make changes to
ProfileClient or the ProfileService API.
As usual, I welcome feedback - especially if you feel I am going the
wrong way ^_^
9 years, 8 months
[PATCH] pki-ftweedal-0015-Monitor-database-for-changes-to-LDAP-profiles.patch
by Fraser Tweedale
This is the first cut of the LDAP profile change monitoring. It
depends on patches 0004..0009 and 0014
(https://www.redhat.com/archives/pki-devel/2014-September/msg00052.html).
To summarise the implementation: a separate thread carries out a
persistent LDAP search and calls back into the ProfileSubsystem when
changes occur. I haven't had much experience with persistent
searches or multithreaded programming in Java, so eyeballs familiar
with those areas are needed.
I haven't yet tested with changes replicating between clones (a task
for tomorrow) but I wanted to get the patch on list for feedback as
early as possible.
Cheers,
Fraser
9 years, 8 months
[PATCH] 548 Updated CRMFPopClient parameter handling.
by Endi Sukma Dewata
The CRMFPopClient has been modified to use Apache Commons CLI
library to handle the parameters. The help message has been
rewritten to make it more readable. The submitRequest() will
now display the error reason.
The options in ClientCertRequestCLI have been simplified. A new
option was added to generate CRMF request without POP.
https://fedorahosted.org/pki/ticket/1074
--
Endi S. Dewata
9 years, 10 months
[PATCH] Ticket#1028 Phase1:TPS rewrite: provide externalReg functionality
by Christina Fu
attached please find the Phase 1 code for
https://fedorahosted.org/pki/ticket/1028
Ticket#1028 TPS rewrite: provide externalReg functionality
Due to a recent change of task priorities, I am to check in this feature
in two phases (coming back to phase 2 at a later time).
In this Phase 1, the code for this feature is in place, but may not be
in the most optimal condition.
The goal for Phase 1 is to:
1. not break existing functionality (non ExternalReg -- which is default)
2. when ExternalReg is turned on, it works for the basic case (didn't
test for more complicated cases)... e.g. I don't know if say an existing
cert on the token is missing from the externalReg user record, whether
it will be removed or not.
3. it is not guaranteed to work with more complicated scenario
4. code has been run through and cleaned up in Eclipse
Later, for Phase 2:
1. really clean up and add bells and whistles (more error checkings, more efficient code,
proper logging, etc.)
2. test/cover all cases
Jack has already helped testing it with a real token with ExternalReg turned off (didn't seem to break the existing functionalities);
Jack has also helped testing it with a real token with ExternalReg turned on for simple enrollment/recovery
and Jack is going to review this Phase 1 code. Thank you Jack!
Christina
9 years, 10 months
[PATCH] 547 Refactored CRMFPopClient.
by Endi Sukma Dewata
The CRMFPopClient has been refactored such that it is easier
to understand and reuse. The code has been fixed such that it
can read a normal PEM transport certificate. It also has been
fixed to parse the request submission result properly.
The client-cert-request CLI command was modified to support CRMF
requests.
The MainCLI and ClientConfig were modified to accept a security
token name.
The pki_java_command_wrapper.in was modified to include the Apache
Commons IO library.
https://fedorahosted.org/pki/ticket/1074
--
Endi S. Dewata
9 years, 11 months
[PATCH] 546 Disabling subsystem on selftest failure.
by Endi Sukma Dewata
The SelfTestSubsystem has been modified such that if the selftest
fails it will invoke the pki-server CLI to undeploy and disable the
failing subsystem. The Tomcat instance and other subsystems not
depending on this subsystem will continue to run. Once the problem
is fixed, the admin can enable the subsystem again with the
pki-server CLI.
https://fedorahosted.org/pki/ticket/745
--
Endi S. Dewata
9 years, 11 months
[PATCH] 545 Added server management CLI.
by Endi Sukma Dewata
A new pki-server CLI has been added to manage the instances and
subsystems using the server management library. This CLI manages
the system files directly, so it can only be run locally on the
server by the system administrator.
The autoDeploy setting in server.xml has been enabled by default.
An upgrade script has been added to enable the autoDeploy setting
in existing instances.
https://fedorahosted.org/pki/ticket/1183
--
Endi S. Dewata
9 years, 11 months