2:57 a.m.
Hi all,
These patches implement support for copying the ExtendedKeyUsage
extension from a signing request to the certificate, addressing
https://fedorahosted.org/freeipa/ticket/2915.
My email from a few days ago goes into a bit more detail and puts
forward the question of whether this is even a reasonable approach
to solving #2915. Since I haven't yet received any feedback I
figured I'd go ahead and publish the patches.
Patch 0002:
Add appropriate ExtendedKeyUsage constraints to all profiles that
support this extension. To check that none were missed:
$ ag -l extendedKeyUsageExtDefaultImpl \
| xargs ag -L extendedKeyUsageExtConstraintImpl
Patch 0003:
The actual fix: EKU extension is copied from signing request, or the
default is used when the extension does not appear in the request.
12:54 a.m.
On Mon, Jun 16, 2014 at 05:57:03PM +1000, Fraser Tweedale wrote:
Hi all,
These patches implement support for copying the ExtendedKeyUsage
extension from a signing request to the certificate, addressing
https://fedorahosted.org/freeipa/ticket/2915.
My email from a few days ago goes into a bit more detail and puts
forward the question of whether this is even a reasonable approach
to solving #2915. Since I haven't yet received any feedback I
figured I'd go ahead and publish the patches.
Patch 0002:
Add appropriate ExtendedKeyUsage constraints to all profiles that
support this extension. To check that none were missed:
$ ag -l extendedKeyUsageExtDefaultImpl \
| xargs ag -L extendedKeyUsageExtConstraintImpl
Patch 0003:
The actual fix: EKU extension is copied from signing request, or the
default is used when the extension does not appear in the request.
New patch versions; fixed commit author (hadn't changed .gitconfig
from personal email address :). Rebased also, but no other changes.
10:33 a.m.
I have replied to your original email. Please let us know whether you
have tried the existing method I suggested in the email and what the
result was.
thanks,
Christina
On 06/17/2014 10:54 PM, Fraser Tweedale wrote:
On Mon, Jun 16, 2014 at 05:57:03PM +1000, Fraser Tweedale wrote:
> Hi all,
>
> These patches implement support for copying the ExtendedKeyUsage
> extension from a signing request to the certificate, addressing
> https://fedorahosted.org/freeipa/ticket/2915.
>
> My email from a few days ago goes into a bit more detail and puts
> forward the question of whether this is even a reasonable approach
> to solving #2915. Since I haven't yet received any feedback I
> figured I'd go ahead and publish the patches.
>
>
> Patch 0002:
>
> Add appropriate ExtendedKeyUsage constraints to all profiles that
> support this extension. To check that none were missed:
>
> $ ag -l extendedKeyUsageExtDefaultImpl \
> | xargs ag -L extendedKeyUsageExtConstraintImpl
>
> Patch 0003:
>
> The actual fix: EKU extension is copied from signing request, or the
> default is used when the extension does not appear in the request.
New patch versions; fixed commit author (hadn't changed .gitconfig
from personal email address :). Rebased also, but no other changes.
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
4150
days inactive
4158
days old
2 comments
2 participants
participants (2)
-
Christina Fu -
Fraser Tweedale