[PATCH] 517 Fixed missing TPS token attributes.
by Endi Sukma Dewata
The missing token policy attribute has been added to the token database. The
REST services, CLI, and UI have been fixed accordingly. Other missing
attributes in the tokenRecord object class are unused.
Ticket #1085
--
Endi S. Dewata
10 years, 1 month
Alternative CLI password methods (revised 20140813)
by Matthew Harmsen
Please review the attached patch (revised) which implements alternative
CLI password methods to address the following PKI TRAC ticket:
* PKI TRAC Ticket #555 - Other ways to specify CLI password
<https://fedorahosted.org/pki/ticket/555>
After numerous discussions, it was determined that we would implement
the option which does not trim leading/trailing whitespace from passwords.
The code changes as well as the attached man page Caveats have been
revised to comply with this decision.
Please provide ACKS so that I can check these two files in.
Thanks,
-- Matt
10 years, 1 month
Re: [Pki-devel] [PATCH] 102 Add an interface for kraconnector-show (#479)
by Ade Lee
Please change the message in the ConnectorNotFoundException() from
"KRAConnector does not exist" to "No KRAConnector has been configured".
Otherwise, ACK. No need for re-review with this change.
Ade
On Tue, 2014-08-12 at 09:42 -0400, Abhishek Koneru wrote:
> Please review the patch with the comments addressed.
>
> -- Abhishek
> On Thu, 2014-08-07 at 22:35 -0400, Ade Lee wrote:
> > 1. You add the method GET /admin/kraconnector/connectorInfo. The last
> > bit is unnecessary -- Just use GET /admin/kraconnector.
> >
> > 2. There are a number of places with formatting issues concerning
> > parentheses. As an example in KRAConnectorShowCLI.java,
> >
> > if(host.indexOf(' ') == -1){
> > host += ":"+info.getPort();
> > }else{
> > ...
> >
> > Change to :
> >
> > if (host.indexOf(' ') == -1) {
> > host += ":"+info.getPort();
> > } else {
> > ...
> > Check for other similar cases.
> >
> > 3. In KRAConnectorProcessor getConnectorInfo(), you throw an EBaseException
> > if the connector does not exist. This will translate into a 500 error.
> >
> > You should instead throw some kind of Resource Not Found exception, so that we
> > return a 404.
> >
> > Ade
> >
> > On Tue, 2014-08-05 at 14:24 -0400, Abhishek Koneru wrote:
> > > Please review the patch that adds a new CLI command pki
> > > ca-kra-connector-show.
> > > It prints the details of the kra connector registered with the CA.
> > >
> > > -- Abhishek
> > > _______________________________________________
> > > Pki-devel mailing list
> > > Pki-devel(a)redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-devel
> >
> >
>
10 years, 1 month
ProfileSubsystem configuration with LDAPConnection
by Fraser Tweedale
With the introduction of LDAP-based profiles, the ProfileSubsystem
needs access to the profile configuration. When spawning a new
instance, the CMS tries to start its subsystems, but the
ProfileSubsystem cannot start because it requires the LDAP
connection details, which are not yet configured (this action is
performed by SystemConfigService.configureDatabase).
OK, so what to do? I see two options:
1) Remove the profile subsystem from the initial CS.cfg, so that it
doesn't start up. Add it back into CS.cfg as a configuration step;
on the next startup, it will run and be happy, because the database
configuration is there.
2) Handle the absence of database configuration in ProfileSubsystem
itself. That is, keep track of whether initialisation has been
successfully performed, and try again "just-in-time" when it is
needed. This probably violates semantics of the IProfileSubsystem
API.
Feedback or other ideas are appreciated. I'm going to push ahead
with option (1). Both options feel like hacks but (2) seems like a
worse hack ^_^
Cheers,
Fraser
10 years, 1 month
[pki-devel][PATCH] 0018-Implement-enrollment-with-server-side-keygen.patch
by John Magne
[PATCH] Implement enrollment with server side keygen.
This patch implements server side keygen when so configured in the CS.cfg.
1. In this case, the encryption cert's private key is generated on the KRA and archived by the KRA.
2. The private key is then injected onto the token.
3. This will allow us to later implement certificate and key recovery.
4. Fixed some minor issues discovered with the code that interfaces with the TKS and DRM.
5. Final certificate tested to work with Relyea's "SmartCard" utility to perform legal crypto operations.
10 years, 1 month
[Patch] Alternative CLI password methods (revised 20140807)
by Matthew Harmsen
Please review the attached patch (revised) which implements alternative
CLI password methods to address the following PKI TRAC ticket:
* PKI TRAC Ticket #555 - Other ways to specify CLI password
<https://fedorahosted.org/pki/ticket/555>
This revised patch attempts to address most of the comments to the
previous patch including:
* made numerous man page changes
* camelCased method names
* changed the password routine to utilize the '=' delimiter rather
than the ':' delimiter (more appropriate for Java)
* consolidated the two password file routines into a single routine
which supports 'token=password' format (as well as documenting and
providing man page examples for how to utilize this style of file
with a simple password)
* removed all warning messages from the password routine
* utilized suggestions to improve the password routine including
replacing the use of the StringUtils.split() method with the
String.split() method using a regex
* rewrote password routine to handle passwords that contained the
delimiter as a part of the password
* ditched 'DRM'
* removed consolidated error messages and exited immediately
* removed the '-y' option
* moved password prompting under the control of the pki CLI program
for both basic and client authentication
* removed previous changes to URI/URL
* removed previous changes to subsystem type
* added mutual exclusive test for "-n" (client authentication) vs.
"-u" (basic authentication) options
* added mutual dependency tests as needed
10 years, 1 month
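As an added illustration of the password file rules described in the patch summary above (not the pki CLI's own code), the following hypothetical reader splits each line on the first '=' only, so later '=' characters stay part of the password, and never trims whitespace. The treatment of blank lines, '#' comments, and a line without a delimiter (stored under the empty token name as a simple password) are assumptions made for this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical reader for a 'token=password' style password file.
 * Rules illustrated: '=' is the delimiter, only the first '=' splits
 * token from password, any further '=' belongs to the password, and
 * leading/trailing whitespace in the password is preserved.
 */
public class PasswordFileReader {

    /** Returns a token -> password map. A line with no '=' is treated
     *  as a simple password and keyed by "" (assumption). */
    public static Map<String, String> parse(String contents) throws IOException {
        Map<String, String> passwords = new LinkedHashMap<>();
        try (BufferedReader reader = new BufferedReader(new StringReader(contents))) {
            String line;
            while ((line = reader.readLine()) != null) {
                if (line.isEmpty() || line.startsWith("#")) {
                    continue; // skip blank lines and comments (assumption)
                }
                // String.split with a limit of 2 performs a single split at the
                // first '=' and keeps the remainder, including further '=', intact
                String[] parts = line.split("=", 2);
                if (parts.length == 1) {
                    passwords.put("", parts[0]);        // simple password line
                } else {
                    passwords.put(parts[0], parts[1]);  // token=password line
                }
            }
        }
        return passwords;
    }

    public static void main(String[] args) throws IOException {
        // constructed sample file: the second password contains the delimiter,
        // the third line is a simple password with trailing whitespace kept
        String sample = "# constructed sample\ninternal=Secret123\nhsm=p=a=ss\nplainpassword  \n";
        Map<String, String> map = parse(sample);
        for (Map.Entry<String, String> e : map.entrySet()) {
            System.out.println("token='" + e.getKey() + "' password='" + e.getValue() + "'");
        }
    }
}
```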
[PATCH] 227/228 Fix pkidestroy issue with proxy ports
by Ade Lee
Fix pkidestroy for proxy ports
Current pkidestroy fails to remove a system that has been configured to
use proxy ports because the wrong ports are passed into the
updateDomainXML servlet. This small patch fixes this problem.
Please review,
Ade
10 years, 1 month
Ideas on ticket 1084 - pki key-generate CLI command does not provide option for processing a template.
by Abhishek Koneru
Currently there are three templates for three kinds of key related
requests i.e. for archival, retrieval and generation.
The template for key generation [as of now] is for generation of
symmetric keys in the DRM.
This template can be marshaled directly into a SymKeyGenerationRequest
object in the code, which will be a problem in case of generation of
asymmetric key requests as both of them are currently done using the
same key-generate command.
Possible solutions:
1. Add a template for asymmetric key generation request which can be
marshaled directly into an AsymKeyGenerationRequest object.
We can also further divide key-generate CLI command into symkey-generate
and asymkey-generate commands.
2. Replace SymKeyGenerationRequest and AsymKeyGenerationRequest classes
with a single KeyGenerationRequest. Both of them have similar attributes
(the AsymKeyGenerationRequest will have an extra attribute keyCurve when
using the EC algorithm).
An extra attribute keyType can be added to the KeyGenerationRequest
class to differentiate between the two types of generations. (Which is
also not required since we can differentiate easily based on the
algorithm used.)
We will only have one template now for key generation.
Patch 101 which I submitted has a class KeyGenerationRequest with all
the common code, but I still used two subclasses for symmetric key and
asymmetric key requests. It can be used to implement the 2nd option.
(Which is my preferred solution.)
Please let me know of your views. If we decide on the 2nd option, I will
check-in patch 101 and take up this ticket.
-- Abhishek
10 years, 1 month