The deployment tool has been modified to deploy TPS directly from the
share folder. This way the TPS UI can be upgraded automatically with
RPM upgrade without having to write upgrade scripts.
For this to work, the TPS web application files cannot contain any
customization. So, the cfgPath parameter has been removed from web.xml,
and the CMSStartServlet has been modified such that if the parameter is
missing it would generate a default path matching the original value in
web.xml. Also, the velocity.properties has been modified to use a fixed
value for the file.resource.loader.path parameter pointing to the share
In the future other subsystems may be modified to use the same
Ticket #748, #752, #499
Endi S. Dewata
Previously if the CLI requires SSL but the security database doesn't
exist it would throw an IOException. Now it has been replaced with an
The exception handler also has been modified to generate better error
Endi S. Dewata
First cut at Java TPS Buffer class and APDU classes.
1. Also simple framework for working with APDU commands.
2. Implemented a few APDU commands in TPS_Processor class.
3. Can now attempt a format operation with TPS client.
The code can perform a few apdu's talking to the client
and return a success "EndOp" apdu to terminate the conversation.
4. APDU are being encoded/decoded properly to appease tpsclient.
1. Patch is large but most of it consists of many similar apdu and msg classes.
2. APDU and msg classes are now bare bones and may need more work. Will address when class is needed.
3. A test tpsclient script call it (format.tst) to test this out is as follows:
op=var_set name=ra_host value=localhost
op=var_set name=ra_port value=8080
op=var_set name=ra_uri value=/tps/tps
op=token_set cuid=40906145C76224192D2B msn=0120304 app_ver=6FBBC105 key_info=0101 major_ver=1 minor_ver=1
op=ra_format uid=jmagne pwd=redhat new_pin=rehat num_threads=1
4: Execute as follows:
tpsclient < format.tst
The @Consumes and @Provides annotations have been removed from all
methods (except from methods that consume forms) to allow client
to use the default consumes and provides specified in the proxy.
Endi S. Dewata
A new CLI parameter has been added to specify the format of the HTTP
messages exchanged between the client and server. This is done by
setting the default consumes and produces when creating the proxy.
For this to work the @Consumes and @Produces annotations will be
removed in the subsequent patch.
Endi S. Dewata
This patch causes the 'sslserver' certificate for a CA clone to be
signed by its associated master CA during configuration, and resolves
the following bug:
* Dogtag TRAC Ticket #816 - pki-tomcat cannot be started after
installation of ipa replica with ca
This was necessary to avoid any changes which may have been made to the
X500Name directory string encoding order (i. e. - creating a Cloned CA
on Fedora 20 from a Master CA on Fedora 19).
The code was tested (applying the CAVEAT below) via end-to-end
'pkispawn' installation and batch-based configuration; it has not yet
been tested with GUI-based configuration.
During the preparation of this patch it was discovered that an
end-to-end test of functionality cannot be accomplished due to the
389 TRAC Ticket #47721 - Schema Replication Issue
<https://fedorahosted.org/389/ticket/47721> which prevents the
'99user.ldif' file from being properly replicated from the Master CA
to the Cloned CA. However, I verified that this code does work by
shutting down DS on the cloned CA machine, manually replacing
'/etc/dirsrv/slapd-<master>/schema/99user.ldif, restarting DS and
the Cloned CA, and successfully performing a test enrollment.
The Dogtag client library has been modified to use RESTEasy 3.0 client
library. A new upgrade script has been added to update existing servers.
The JAXB annotation in ResourceMessage has been modified to require
explicit property mapping.
Endi S. Dewata
Two patches attached which do as follows:
Add ability to archive without sending pkiArchiveOptions object.
With this patch, you can now either send a pkiArchiveOptions object
or the exploded parameters. This reduces the processing required on
the client side.
Make generate_symmetric_key more generic.
Added a method generate_session_key() which should be used when
wrapping secrets for the drm. For now, this has to be a 168-bit
3DES symmetric key.
Endi, Jack and I met to discuss various improvements to the
Key/KeyResource client/server parts. Some of these are addressed in the
attached patches. Some will be handled in separate tickets.
Separate Tickets to be filed:
1. Add nonce mechanism for approvals.
2. Add openssl subclass for CryptoUtil
3. Extend generate_session_key() to return key in same call
4. Allow CLI to call python? (to be filed as separate ticket)
Done in attached patches:
5. Change kraclient.generate_sym_key -> kraclient.generate_symmetric_key
and extend to allow addition of trans_wrapped_session_key.
6. Add getActiveKey() to python client.
7. client_id -> client_key_id
8. constants in python API for key status
9. Add sanity checks to python client code
10. Move functions out of KRAClient.py and into key.py
11. from_dict() -> from)json()
12. Add methods to create nss certdb and import transport cert
13. All inputs/outputs from CryptoUtil are unencoded.
14. Fix usages in main function of SymKeyGenerationRequest
15. Fix bugs when retrieving invalid keyId.
16. Fix bugs when generating key with only clientID provided.
To be done in next patch:
17. Rewrite cryptoutil.generate_symmetric_key() to be more generic and
provide a more restricted convenience function generate_session_key()
To be considered further:
1. rename session_key -> encryption_key/ wrapping_key?
2. revamp archival to not require client to generate PkiArchiveOptions
3. should retrieve functions return unwrapped key?
Please review attached patches.