On Mon, Sep 14, 2015 at 05:25:00PM +1000, Fraser Tweedale wrote:
The latest lightweight CAs (f.k.a. Sub-CAs) patches are attached.
This cut has significant changes and additions including:
- CAs are now stored in a flat structure with references to parents
- CAs are now identified by "AuthorityID" (which for now is a UUID
underneath). Many variables, method names and user-visible
strings were updated accordingly. Out with "caRef" terminology.
- "Sub-CA" terminology is (mostly) out; "Authority" is in. This is
to support lightweight CAs that are not descendents of top-level
CA (which can be implemented later).
- ca-cert-request-submit command and related client / service
classes were updated to add "authority" parameter
- Some more specific use of exception (including some new exception
classes) to indicate / catch particular errors.
- More appropriate HTTP status codes return when client has send
invalid data (400), referenced unknown authority (404) or attempts
to create an authority with Subject DN already uesd by another
authority (409 Conflict)
- LDAP entry now gets added before key generation and signing. If
something goes wrong, the DB entry is removed in the catch block.
There are still notable gaps in functionality that are in progress
or will be implemented soon:
- Audit log events
- Resources to enable/disable/delete authority
- Resources to access cert and pkcs7 chain of authority
- Keygen params
- Param to specify token on which to generate authority key
Latest patches attached. Along with some minor improvements to the
original patches, three new patches 0048-0050 add ability to enable
and disable lightweight CAs.
Commit messages for the earlier patches have also been updated for
consistency and to include ticket references.
Thanks,
Fraser