November 2014 - Pki-devel - Dogtag Pki List Archives

[PATCH] 0010..0013 DNP3/IECUserRoles extension support

by Fraser Tweedale

Here is the first (rough) cut of IEC 62351-8 (IECUserRoles) extension support and a DNP3 profile that makes use of it. This is to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure Authentication v5 (SAv5) standard. In brief, the SN and all the IECUserRoles params will be given in profile inputs, and the key is taken from a CertReqInput. There's still a bit of work to go - notably, some of the IECUserRoles fields are unimplemented, and some of those that *are* implemented are not yet read out of the profile input but rather are hardcoded. The extension *does* appear on the certificate, so I should get that all completed tomorrow. Cheers, Fraser

7 years, 11 months

2
6
0 / 0

CLI for editing profiles

by Fraser Tweedale

Along with LDAP profiles, we will be adding modules to the CLI for adding and editing profiles in the ConfigStore format that was used for file-based profiles. For more info, see: http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#Command-line_utili... There is an existing CLI for adding and modifying profiles, in the XML format, e.g. ``pki ca profile add caCustomProfile.xml``. The XML format carries information including the profile ID and class_id, but these data must be supplied out-of-band when dealing with the ConfigStore format. Because of this, I intend to: - add new commands to the existing profile CLI for working with the "raw" (i.e., ConfigStore) format, e.g. "edit-raw", "add-raw". Where necessary, these commands will take compulsory ``--profile-id`` and/or ``--class-id`` arguments, to account for the absense of such information in the profile ConfigStore format; and - transport this information in the XML format - not in the "raw" format - so that it will be unnecessary to make changes to ProfileClient or the ProfileService API. As usual, I welcome feedback - especially if you feel I am going the wrong way ^_^

8 years, 1 month

3
26
0 / 0

[PATCH] pki-ftweedal-0015-Monitor-database-for-changes-to-LDAP-profiles.patch

by Fraser Tweedale

This is the first cut of the LDAP profile change monitoring. It depends on patches 0004..0009 and 0014 (https://www.redhat.com/archives/pki-devel/2014-September/msg00052.html). To summarise the implementation: a separate thread carries out a persistent LDAP search and calls back into the ProfileSubsystem when changes occur. I haven't had much experience with persistent searches or multithreaded programming in Java, so eyeballs familiar with those areas are needed. I haven't yet tested with changes replicating between clones (a task for tomorrow) but I wanted to get the patch on list for feedback as early as possible. Cheers, Fraser

8 years, 1 month

2
9
0 / 0

[PATCH] 531 Moved web application deployment locations.

by Endi Sukma Dewata

Currently web applications are deployed into Host's appBase (i.e. <instance>/webapps). To allow better control of individual subsystem deployments, the web applications have to be moved out of the appBase so that the autoDeploy can work properly later. This patch moves the common web applications to <instance>/ common/webapps and subsystem web applications to <instance>/ <subsystem>/webapps. An upgrade script has been added to update existing deployments. https://fedorahosted.org/pki/ticket/1183 -- Endi S. Dewata

8 years, 4 months

2
6
0 / 0

[PATCH] 0017 Enable Authority Key Identifier CRL extension

by Fraser Tweedale

This patch enables the Authority Key Identifier CRL Extension, which is REQUIRED by RFC 5280, by default. Should existing instances be left alone or should I also look at an upgrade script that offers to upgrade CS.cfg to be conformant? Fraser

8 years, 5 months

3
12
0 / 0

[PATCH] 0016 - Fix BasicConstraints min/max path length check

by Fraser Tweedale

This patch fixes https://fedorahosted.org/pki/ticket/1035

8 years, 6 months

2
10
0 / 0

[PATCH] 536 Improvements for KeyClient.archive_encrypted_data().

by Endi Sukma Dewata

The archive_encrypted_data() in KeyClient has been modified to have a default value for the algorithm OID and to take a nonce IV object instead of the base-64 encoded value. https://fedorahosted.org/pki/ticket/1155 https://fedorahosted.org/pki/ticket/1156 The drmtest.py works just fine. -- Endi S. Dewata

8 years, 6 months

2
2
0 / 0

[PATCH] 535 Removed profile input/output IDs from CLI output.

by Endi Sukma Dewata

The current profile inputs/outputs do not have meaningful IDs (e.g. i1, i2, o1) and are not used by the client so they should not be displayed in the CLI output. In the future the IDs should be renamed into something meaningful (e.g. keygen, sn, cert) and the inputs/outputs should be retrieved by ID. New methods have been added to retrieve by ID. https://fedorahosted.org/pki/ticket/1147 -- Endi S. Dewata

8 years, 6 months

2
2
0 / 0

[PATCH] Ticket-1206-java-console-TLS-range-support-code-chan.patch

by Christina Fu

attached is the java console part of client side changes for TLS range support: https://fedorahosted.org/pki/ticket/1206 TLS range support: code change needed for cs when acting as client Please review. thanks, Christina

8 years, 6 months

2
3
0 / 0

[PATCH] Remove legacy multilib JNI_JAR_DIR logic

by Matthew Harmsen

Please review the attached patch which addresses the following bug: * Bugzilla Bug #1165351 - Errata TPS test fails due to dependent packages not found <https://bugzilla.redhat.com/show_bug.cgi?id=1165351> At one point in time, there was a effort to try to support multilib JNI. This patch removes that legacy code and attempts to add support to allow a user the ability to override this variable. The patch has been successfully tested: * Upgrade * Verify (this used to fail due to the multilib code; now that the problematic code is not present, this test passes) * Downgrade NOTE: Obviously, if 'Verify' is run on the 'pki-base' package after Downgrade, the verification will most likely fail since the downgraded package will probably still contain the problematic 'multilib' code.

8 years, 6 months

2
1
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-devel November 2014