October 2015 - Pki-devel - Dogtag Pki List Archives

[PATCH] 0051 Lightweight CAs: lookup correct issuer for OCSP responses

by Fraser Tweedale

Hi all, The attached patch makes sure that the right authority is used to create OCSP responses. Note that OCSP requests may ask about certs from more than one issuer - even though this is crazy the heuristic used is to simply use issuer of the first CertID in the request. Note that OCSP response validation of certificates issued by sub-CAs currently fails due to a separate issue[1]. [1] https://fedorahosted.org/pki/ticket/1632

8 years, 9 months

2
5
0 / 0

[PATCH] 0052 Lightweight CAs: enrol cert via profile subsystem

by Fraser Tweedale

The attached patch fixes: - #1624 generate lightweight CAs via profile subsystem - #1632 ensure CA certs bear correct Authority Key Identifier Thanks, Fraser

8 years, 10 months

2
2
0 / 0

[PATCH] 0050 Lightweight CAs: ensure disabled CA cannot create sub-CA

by Fraser Tweedale

The attached patch (which replaces an earlier patch 0050) fixes https://fedorahosted.org/pki/ticket/1628. Cheers, Fraser

8 years, 10 months

2
3
0 / 0

[PATCH] 656 Added automatic Tomcat migration.

by Endi Sukma Dewata

The pki-core.spec has been modified to execute pki-server migrate when the package is installed. This way when upgrading from F22 to F23 all PKI instances will be migrated automatically to Tomcat 8. The pki-server migrate command has been modified such that if there is no specific Tomcat version specified it will use the current Tomcat version. The top attribute in the CLI class was not functioning properly, so it has been replaced with get_top_module() method. The getopt() invocations in pki-server subcommands have been replaced with gnu_getopt() to allow intermixing options and arguments. https://fedorahosted.org/pki/ticket/1310 -- Endi S. Dewata

9 years, 1 month

1
1
0 / 0

[PATCH] 650 Refactored LDAPSecurityDomainSessionTable.

by Endi Sukma Dewata

The LDAPSecurityDomainSessionTable has been modified to throw an exception if there is a failure. https://fedorahosted.org/pki/ticket/1633 -- Endi S. Dewata

9 years, 1 month

2
2
0 / 0

[PATCH] pki-cfu-0107-Ticket-1527-TPS-connector-always-goes-to-ca1.patch

by Christina Fu

this patch fixes the issue reported in: https://fedorahosted.org/pki/ticket/1527 TPS Enrollment always goes to "ca1" It has been tested on both format and enrollment operations to work. One thing to note is that there is no longer a default ca "ca1" if the configuration is missing. I think it should be done this way as the configuration is expected to be done correctly and the program will then find the setting. thanks, Christina

9 years, 1 month

2
3
0 / 0

Cannot revoke user certificate becouse of nonce

by Marcin Mierzejewski

I try to revoke certificate from code I got exception with info about nonce. public void revokeAndApprove(int certificateId) { CertId certId = new CertId(certificateId); long nonce = new Random().nextLong(); CertRevokeRequest revokeRequest = new CertRevokeRequest(); revokeRequest.setReason(RevocationReason.KEY_COMPROMISE); revokeRequest.setComments("user request revoke"); revokeRequest.setNonce(nonce); *CertRequestInfo revokeInfo = certClient.revokeCert(certId, revokeRequest);// here comes an exception* CertReviewResponse reviewData = certClient .reviewRequest(revokeInfo.getRequestId()); reviewData.setNonce(""+nonce); log(reviewData.toString()); reviewData.setRequestNotes("revoke approved"); certClient.approveRequest(reviewData.getRequestId(), reviewData); } when I use this I get exception on line(certClient.revokeCert(...)) > > com.netscape.certsrv.base.BadRequestException: Nonce for cert-revoke 64 does not exist. at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:422) at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:436) at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:112) at com.netscape.certsrv.cert.CertClient.revokeCert(CertClient.java:75) at com.company.CAManager.revokeAndApprove(CAManager.java:186) and few other options I'v tried 1. Long nonce = transportCert.getNonce(); // null > > 2. Long nonce = certClient.getCert(certId).getNonce() //also a null > > puting null to setNonce, or not setting it at all give me: com.netscape.certsrv.base.BadRequestException: Missing nonce. > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:422) > at > com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:436) > at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:112) > at com.netscape.certsrv.cert.CertClient.revokeCert(CertClient.java:75) > at com.company.CAManager.revokeAndApprove(CAManager.java:187) > at com.company.Main.main(Main.java:21) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at com.intellij.rt.execution.application.AppMain.main(AppMain.java:140) > I check browser form from enduser entity and nonce value looks like this:"certId:someLongRandomNumber" Am I not understanding usage of nonce or something in my code is wrong?

9 years, 1 month

2
3
0 / 0

Karma Request for Dogtag 10.2.6 in Fedora 23

by Matthew Harmsen

Everyone, Please provide Karma for the following Dogtag 10.2.6 packages in Fedora 23: * pki-core-10.2.6-11.fc23 <https://bodhi.fedoraproject.org/updates/FEDORA-2015-4a665f0ec0> This build addresses the following two issues related to an IPA issue: * PKI TRAC Ticket #1120 - Remove Firefox PKI GUI Configuration Panel Interface <https://fedorahosted.org/pki/ticket/1120> * PKI TRAC Ticket #342 - Outdated HTTP client <https://fedorahosted.org/pki/ticket/342> Thanks, -- Matt P. S. - A build containing these fixes was also made available for 'rawhide' (Fedora 24): * pki-core-10.2.6-11.fc24 <http://koji.fedoraproject.org/koji/buildinfo?buildID=694023>

9 years, 2 months

1
0
0 / 0

[PATCH] 655 Replaced legacy HttpClient.

by Endi Sukma Dewata

The ConfigurationUtils and CertUtil have been modified to use PKIConnection which uses Apache HttpClient instead of the legacy custom HttpClient. The POST request content is now created using MultivaluedMap. The PKIConnection has been modified to provide a get() method to send an HTTP GET request. The post() method was modified to accept a path parameter. https://fedorahosted.org/pki/ticket/342 -- Endi S. Dewata

9 years, 2 months

1
1
0 / 0

[PATCH] 654 Removed unused WizardServlet.

by Endi Sukma Dewata

The unused configuration wizard servlet has been removed to simplify refactoring other codes. The remaining references in CertUtil and ConfigurationUtils have been removed as well. https://fedorahosted.org/pki/ticket/1120 -- Endi S. Dewata

9 years, 2 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-devel October 2015