[PATCH] 65 Added cert revocation REST service.
by Endi Sukma Dewata
The cert revocation REST service is based on DoRevoke and DoUnrevoke
servlets. It provides an interface to manage certificate revocation.
Ticket #161
--
Endi S. Dewata
12 years, 4 months
PATCH 34-1 - Restful interface to create certificate requests
by Ade Lee
Please review.
Tests done:
1. Cert issuance and approval from UI (manual, maul dual cert, agent
authenticated server cert)
2. Cert issuance in installation of other subsystems
3. Cert issuance (user and server) from RA.
4. Cert issuance and approval from restful interface using CATest
-- two step (create cert request/ agent approval) user and server certs
-- single step (agent approved user and server certs)
Ade
12 years, 5 months
[PATCH] 67 Added REST error handler.
by Endi Sukma Dewata
If a REST method returns a Response object it has to be handled
manually. A new getEntity() method has been added to obtain the
entity from the Response object and also map HTTP errors into
exceptions.
Ticket #161
--
Endi S. Dewata
12 years, 5 months
[PATCH] 69 Fixed problem removing user certificate.
by Endi Sukma Dewata
Generally the user LDAP entry does not contain a seeAlso attribute
unless it's a special database user. The UGSubsystem.removeUserCert()
would fail because it tried to remove the seeAlso attribute. Now the
code has been fixed to remove the seeAlso using a separate modify
operation and ignore the error if it fails due to missing attribute.
Ticket #182
--
Endi S. Dewata
12 years, 5 months
Re: [Pki-devel] [Pki-users] researches have stolen an RSA private key from an Gemalto Cyberflex RSA Token
by Andrew Wnuk
On 06/26/2012 07:06 AM, Fabian Bertholm wrote:
> Hi,
>
> I am not sure what the implications will be but I think the redhat PKI
> system is at least using the same hardware.
> You should read this paper.
> http://hal.inria.fr/docs/00/70/47/90/PDF/RR-7944.pdf
>
> What does this mean for us as users?
The following response was provided by Robert Relyea:
For most token users, nothing. The researchers have not extracted
the RSA private key, they extracted a symmetric key that is
encrypted to the private key on the token. In environments where the
token does not support decrypt, and operate on FIPS level-3 or
above, this is big news, but for deployments which use a basic
"RSA-op" function, not even separate Sign/Decrypt functions, you can
simply decrypt the blob and get the symmetric key.
The paper is definitely worthy of attention, but for most
deployments it will have little or now impact.
>
> Best regard,
> Fabian Bertholm
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
12 years, 5 months
[PATCH] Add LDAP cert publisher using LDAP auth DN
by Joshua Roys
Hello,
Attached is a patch that I've just tested locally to publish certs to a
LDAP directory easily if you have also setup authentication for user
certs using LDAP. I noticed an attribute stored in the internal db
which was the full DN of the authenticated user and that's what this
uses. (I also specify a predicate on the publish rule of
profileId==caDirUserDualCert to restrict the candidate certs to the
proper set.)
Thanks,
Josh
12 years, 5 months