[PATCH] REST interface triggered revoke/unrevoke and certificate record status update
by Christina Fu
This patch provides the REST interface triggered revoke/unrevoke and
certificate record status update. Previously, when an admin changed the
status of a token, the change was not trickled down to the certificate records
or the CA.
The following simple cases are tested (per default policy):
* change a token status from active to lost - certs will be revoked
* change a token status from active to temporarily lost - certs will be
put on hold
* change a token status from temporarily lost back to active - certs
will be unrevoked
Also to make sure the earlier revoke case doesn't break (per default policy)
* format a token - certs revoked
There is room for improvement, but this patch provides the basic
functionality nevertheless.
thanks,
Christina
10 years, 1 month
[PATCH] 523 Enabled certificate revocation checking by default.
by Endi Sukma Dewata
The CS.cfg templates for all subsystems have been modified to enable
certificate revocation checking during authentication. This will
affect new installations only.
Ticket #1117, #1134
The patch was tested for installation only, not for revocation checking.
--
Endi S. Dewata
10 years, 1 month
[PATCH] Convert various 'DRM' names to associated 'KRA' names
by Matthew Harmsen
*IMPORTANT: Due to the sheer size and scope of this patch, if it is
accepted, I would like to leapfrog any other patches to avoid any
potential merge conflicts, as it was built and tested on a fresh tip as
of September 2, 2014.*
Please review the attached patch which completely addresses the following:
* PKI TRAC Ticket #1099 - Rename "DRM/Drm/drm/Data Recovery Manager"
==> "KRA/Kra/kra/Key Recovery Authority"
<https://fedorahosted.org/pki/ticket/1099>
It should be noted that this patch successfully purges ALL of the
various DRM naming conventions from the source with the following
purposeful exceptions:
* migrate (since this refers to older systems that contained a DRM, no
changes were made to this portion of the source)
* spec file changelog histories that mention DRM (again, no changes
were made to the history)
* Security Data Recovery Service items (a concerted effort was made to
not touch items associated with this similar sounding item)
This patch was successfully compiled using Eclipse, and then the
following packages were successfully built using the various compose
scripts and installed (unless otherwise noted):
* dogtag-pki (not installed)
* dogtag-pki-theme
* pki-core (all packages were installed except the debug package)
* pki-console
The patch was successfully tested for the following:
* CA
* KRA
* OCSP
* TKS
* TPS
* TPSCLIENT
* CA Console
* KRA Console
* OCSP Console
* TKS Console
10 years, 1 month
[PATCH] Integrate 'tpsclient' back into primary TPS package
by Matthew Harmsen
Please review the attached patch which addresses the portion of
re-introducing 'tpsclient' into the primary TPS package rather than
delivering it as a separate standalone package:
* PKI TRAC Ticket #1017 - Rename pki-tps-tomcat to pki-tps
<https://fedorahosted.org/pki/ticket/1017>
This patch has been tested to verify that CA, KRA, OCSP, TKS, and TPS
instances can still be installed/configured/executed via running
'pkispawn' and removed via running 'pkidestroy', and that the integrated
'tpsclient' works successfully.
10 years, 1 month
[PATCH] 230 - fix errors with kra-connector-remove
by Ade Lee
Fix kra-connector-remove
The code to remove the connector from the pki CLI was found to be broken
because of invalid message type (partly due to void returns).
On uninstall, we need to remove the kra-connector from all relevant CAs
in the security domain. The best way to do this is to keep kra-connector
info in LDAP, so that only one call is needed. Until that change has
been made, we are adding a hack to remove the connector from all CAs
in the security domain (if it exists).
Due to issues with proxy configurations, we will continue to use sslget
and a url-encoded-form version of the servlet.
In addition, it was found that when removing a KRA from a shared subsystem,
the updateDomainXML servlet was erroneously returning failure when it
was unsuccessful in removing a non-existent user from a group.
Ticket 1113
Tested using ipa-kra-install --uninstall on both masters and replica
KRAs.
Please review,
Ade
10 years, 1 month
[pki-devel][PATCH] 0020-Recovery-and-Renewal-feature.patch
by John Magne
Recovery and Renewal feature:
1. Basic token key recovery functionality is there.
2. Tested mostly with the "damaged" scenario. The low level
code that writes the recovered certs to the token works and has been
tested with a real token. Some of the other more obscure cases need
some more testing, for instance, the temporarily on hold scenario.
3. Renewal has been tested with a real token to work.
4. Much of the complex code to write cert objects and key objects,
as well as importing recovered keys, has been centralized into a method.
This leaves the calling code simpler and easier to troubleshoot.
5. Added a method to check token operation transition states.
6. Fixed an issue with formatting a blank token I introduced.
7. Fixed a few issues with updating certificate records for a token that were discovered.
8. Added tps code to retrieve a certificate for the recovery case.
ToDos:
More testing for the other recovery scenarios at a higher level.
When recovering a cert we need to unrevoke it. This is not done
now because the TPS UI does not revoke certs yet when tokens are marked
as lost or what not.
10 years, 1 month