[PATCH] 0010..0013 DNP3/IECUserRoles extension support
by Fraser Tweedale
Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
extension support and a DNP3 profile that makes use of it. This is
to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
Authentication v5 (SAv5) standard.
In brief, the SN and all the IECUserRoles params will be given in
profile inputs, and the key is taken from a CertReqInput.
There's still a bit of work to go - notably, some of the
IECUserRoles fields are unimplemented, and some of those that *are*
implemented are not yet read out of the profile input but rather are
hardcoded. The extension *does* appear on the certificate, so I
should get that all completed tomorrow.
Cheers,
Fraser
9 years, 7 months
CLI for editing profiles
by Fraser Tweedale
Along with LDAP profiles, we will be adding modules to the CLI for
adding and editing profiles in the ConfigStore format that was used
for file-based profiles. For more info, see:
http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#Command-line_utili...
There is an existing CLI for adding and modifying profiles, in the
XML format, e.g. ``pki ca profile add caCustomProfile.xml``. The
XML format carries information including the profile ID and
class_id, but these data must be supplied out-of-band when dealing
with the ConfigStore format.
Because of this, I intend to:
- add new commands to the existing profile CLI for working with the
"raw" (i.e., ConfigStore) format, e.g. "edit-raw", "add-raw".
Where necessary, these commands will take compulsory
``--profile-id`` and/or ``--class-id`` arguments, to account for
the absence of such information in the profile ConfigStore format;
and
- transport this information in the XML format - not in the "raw"
format - so that it will be unnecessary to make changes to
ProfileClient or the ProfileService API.
As usual, I welcome feedback - especially if you feel I am going the
wrong way ^_^
9 years, 9 months
[PATCH] Enroll/Reenroll/Recovery/Renew Policy 3rd cut; Renewal code; RetrieveCert code
by Christina Fu
This is the 3rd cut of the policy code plus renewal code (up to the
point it gets renewed cert from CA), plus the retrieveCertificate code
needed for recovery.
This is part of ticket #941
This is a "pre-agreed" code to merge with Jack to speed up the dev as
well as providing parts of the code he needs. More testing/polishing to
come;
please review.
thanks,
Christina
10 years, 4 months
[PATCH] 104 Make the return type of the secrets returned by the KeyClient consistent on both Java and Python sides
by Abhishek Koneru
Currently, the secrets retrieved using the retrieveKey method of the KeyClient are of the type byte[]. (Attribute of the Key object).
But the public key, which is returned in a KeyInfo object, is accessible as a string (base64 encoded binary data).
This patch changes getter/setter of the publicKey attribute of the KeyInfo object to do the conversion from base64 encoded string to byte[] and vice versa.
With this patch all the keys retrieved are of the type byte[].
Please review the attached patch.
-- Abhishek
10 years, 5 months
[PATCH] 522 Fixed NPE in client-cert-import.
by Endi Sukma Dewata
The client-cert-import command has been modified to properly
initialize the CLI environment to avoid a null pointer exception.
Ticket #1126
--
Endi S. Dewata
10 years, 5 months
[PATCH] 521 Fixed problems with CLI authentication parameters.
by Endi Sukma Dewata
Previously specifying a security database password in the CLI would
require a certificate nickname to be specified as well. While this
is correct for client certificate authentication, it caused a
problem for operations that do not authenticate against the server
such as client-init. The CLI has been modified to require a security
database password only if the nickname is specified for client
certificate authentication.
Similar changes have been made to require user password only if
the username is specified for basic authentication.
The CLI also has been modified to store all specified parameters
in the config object regardless of parameter validation.
The manual page has been modified accordingly.
Ticket #1125
--
Endi S. Dewata
10 years, 5 months
[PATCH] Remove RA and pkicreate and pkisilent
by Matthew Harmsen
Please review the following patch which addresses:
* PKI TRAC Ticket #1127 - Remove 'pki-ra', 'pki-setup', and
'pki-silent' packages . . . <https://fedorahosted.org/pki/ticket/1127>
NOTE: Although it may not be necessary, this patch was applied on top
of the patch to 'Disable PKI GUI Configuration'.
A CA was installed to be certain that this patch caused no disruption,
and the following *BEFORE* and *AFTER* listings were done showing that all
of the *emboldened* entries have been removed:
*BEFORE application of the patch:*
# pwd
/usr/share/pki
# ls -CFa
./ ca-trust-source/ etc/ kra/ scripts/ *silent/* upgrade/
../ common-ui/ java-tools/ native-tools/ server/ tks/ VERSION
ca/ deployment/ key/ ocsp/ setup/ tps/
# ls silent/
*pki_silent.template*
# ls scripts/
*functions* operations *pki_apache_initscript* pkicommon.pm
# ls setup/
CertServer.directory menu.xml pkidaemon_registry
# ls /usr/bin/pki*
/usr/bin/pki /usr/bin/pkidaemon /usr/bin/pki-setup-proxy
*/usr/bin/pkicontrol* /usr/bin/pkill */usr/bin/pkisilent*
*/usr/bin/pkicreate* */usr/bin/pkiremove*
*AFTER application of the patch:*
# pwd
/usr/share/pki
# ls -CFa
./ ca-trust-source/ etc/ kra/ scripts/ tks/ VERSION
../ common-ui/ java-tools/ native-tools/ server/ tps/
ca/ deployment/ key/ ocsp/ setup/ upgrade/
# ls silent/
ls: cannot access silent: No such file or directory
# ls scripts
operations pkicommon.pm
# ls setup
CertServer.directory menu.xml pkidaemon_registry
# ls /usr/bin/pki*
/usr/bin/pki /usr/bin/pkidaemon /usr/bin/pkill
/usr/bin/pki-setup-proxy
10 years, 5 months