April 2016 - Pki-devel - Dogtag Pki List Archives

[pki-devel][PATCH] 0064-Port-symkey-JNI-to-Java-classes.patch

by John Magne

Subject: [PATCH] Port symkey JNI to Java classes. Ticket #801 : Merge pki-symkey into jss What is supported: 1. Everything that is needed to support Secure Channel Protocol 01. 2. Supports the nist sp800 kdf and the original kdf. 3. Supports key unwrapping used by TPS which was formerly in the symkey JNI. Requires: 1. A new JSS that supports more advanced symkey operations such as key derivation, more advanced key unwrapping , and a way to list and identify a given symmetric key by name. Version of new Jss will be forthcoming. Still to do: 1. Port over the 2 or 3 SCP02 routines from Symkey to use this code. 2. The original symkey will remain in place until we can port over everything. 3. SCP03 support can be added later.

8 years, 7 months

3
6
0 / 0

[pki-devel][PATCH] 0066-TPS-auth-special-characters-fix.patch

by John Magne

TPS auth special characters fix. Ticket #1636. Smartcard token enroll/format fails when the ldap user has special characters in userid or password Tested with both esc and tpsclient. The problem was when using a real card because the client uri encodes the authentication creds and the server needs to decode them.

8 years, 7 months

2
2
0 / 0

[pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch

by John Magne

Enhance tkstool for capabilities and security This simple ticket is to fix tkstool to allow it to create the master key with the proper flags to make the key data private such that it can't be easily viewed when using tools to print out sym keys on the token. Fix tested on the "internal" token by trying the various tkstool cmds to make sure having the key private does not cause issues. Also tried a simple key changeover operation with tpsclient to make sure that symkey can still do what it needs to do witht the master key. Further testing with a full hsm will be required. The goal was the create the key with the same flags that are used with the previous "PK11_GenKeyOnToken" (name approx) is used. This version had no flags and created a default set. This fix uses the version With flags and does what the old one did, but made sure the key is private and sensitive. Master key can be tested by using the tool: /usr/lib64/nss/unsupported-tools/symkeyutil -d ./ -L

8 years, 7 months

2
2
0 / 0

[PATCH] 734 Removed unsupported token states from TPS CS.cfg.

by Endi Sukma Dewata

The in-line documentation in CS.cfg for TPS has been updated to remove unsupported token states in the corresponding properties: * tokendb.allowedTransitions * tps.operations.allowedTransitions -- Endi S. Dewata

8 years, 7 months

1
2
0 / 0

[PATCH] 0100 Fix NSSDB certificate search method

by Fraser Tweedale

Hi all, Please review the attached patch, which fixes https://fedorahosted.org/pki/ticket/2301. Cheers, Fraser

8 years, 7 months

2
2
0 / 0

[PATCH] 0084..0086 Lightweight CA replication support

by Fraser Tweedale

Hi all, The attached patches implement replication support for lightweight CAs. These patches do not implement key replication via Custodia (my next task) but they do implement the persistent search thread and appropriate** API behaviour when the signing keys are not yet available. ** In most cases, we respond 503 Service Unavailable; this is open for discussion. ca-authority-find and ca-authority-show include a boolean field indicating whether the CA is ready to sign. There might be (probably are) endpoints I've missed. Cheers, Fraser

8 years, 7 months

3
22
0 / 0

[PATCH] 731-733 Renamed TPS token states.

by Endi Sukma Dewata

To improve clarity and to anticipate future expansion (ticket #2287) some TPS token states have been renamed. -- Endi S. Dewata

8 years, 7 months

1
1
0 / 0

[PATCH] 297, 298 add validity check for external CA

by Ade Lee

commit 0fe7bf5ff989bbc24875dce30cec8f32e89c0a8f Author: Ade Lee <alee(a)redhat.com> Date: Fri Apr 22 15:31:43 2016 -0400 Add validity check for the signing certificate in pkispawn When either an existing CA or external CA installation is performed, use the pki-server cert validation tool to check the signing certiticate and chain. Ticket #2043 commit 9104fdda145c4f2bbbedec7256c73922e8bffcef Author: Ade Lee <alee(a)redhat.com> Date: Wed Apr 20 17:26:23 2016 -0400 Add CLI to check system certificate status We add two different calls: 1. pki client-cert-validate - which checks a certificate in the client certdb and calls the System cert verification call performed by JSS in the system self test. This does some basic extensions and trust tests, and also validates cert validity and cert trust chain. 2. pki-server subsystem-cert-validate <subsystem> This calls pki client-cert-validate using the nssdb for the subsystem on all of the system certificates by default (or just one if the nickname is defined). This is a great thing to call when healthchecking an instance, and also will be used by pkispawn to verify the signing cert in the externally signed CA case. Trac Ticket 2043

8 years, 7 months

2
2
0 / 0

[PATCH] 730 Fixed duplicate executions of finalization scriptlet.

by Endi Sukma Dewata

Previously the finalization scriptlet was always executed in each pkispawn execution. In multi-step installations (e.g. external CA, standalone, or installation/configuration-only mode) some of the code in the scriptlet such as enabling systemd service, restarting the service, and purging client database will be redundant. Now the scriptlet has been modified to execute only in the final step of the installation. The code that archives the deployment and manifest files has been moved into pkispawn to ensure that it is always executed in each pkispawn execution. For clarity the method that displays the installation summary has been broken up into separate methods for standalone step 1, installation-only mode, and configuration-only/full installation. -- Endi S. Dewata

8 years, 7 months

2
3
0 / 0

[PATCH] 728 Removed unused code for existing CA installation.

by Endi Sukma Dewata

The print_existing_ca_step_one_information() has been removed from pkispawn since existing CA installation no longer requires two-step operation. https://fedorahosted.org/pki/ticket/1736 -- Endi S. Dewata

8 years, 7 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-devel April 2016