September 2014 - Pki-devel - Dogtag Pki List Archives

[PATCH] REST interface triggered revoke/unrevoke and certificate record status update

by Christina Fu

This patch provides the REST interface triggered revoke/unrevoke and certificate record status update; Previously when admin changes the status of a token, the change is not trickled to the certificate records nor the CA. The following simple cases are tested (per default policy): * change a token status from active to lost - certs will be revoked * change a token status from active to temporarily lost - certs will be put on hold * change a token status from temporarily lost back to to active - certs will be unrevoked Also to make sure the earlier revoke case doesn't break (per default policy) * format a token - certs revoked There is room for improvement, but this patch provides the basic functionality nevertheless. thanks, Christina

9 years, 7 months

1
2
0 / 0

[PATCH] 523 Enabled certificate revocation checking by default.

by Endi Sukma Dewata

The CS.cfg templates for all subsystems have been modified to enable certificate revocation checking during authentication. This will affect new installations only. Ticket #1117, #1134 The patch was tested for installation only, not for revocation checking. -- Endi S. Dewata

9 years, 7 months

1
1
0 / 0

[PATCH] Convert various 'DRM' names to associated 'KRA' names

by Matthew Harmsen

*IMPORTANT: Due to the sheer size and scope of this patch, if it is accepted, I would like to leap frog any other patches to avoid any potential merge conflicts as it was built and tested on a fresh tip as of September 2, 2014.* Please review the attached patch which completely addresses the following: * PKI TRAC Ticket #1099 - Rename "DRM/Drm/drm/Data Recovery Manager" ==> "KRA/Kra/kra/Key Recovery Authority" <https://fedorahosted.org/pki/ticket/1099> It should be noted that this patch successfully purges ALL of the various DRM naming conventions from the source with the following purposeful exceptions: * migrate (since this refers to older systems that contained a DRM, no changes were made to this portion of the source) * spec file changelog histories that mention DRM (again, no changes were made to the history) * Security Data Recovery Service items (a concerted effort was made to not touch items associated with this similar sounding item) This patch was successfully compiled using Eclipse, and then the following packages were successfully built using the various compose scripts and installed (unless otherwise noted): * dogtag-pki (not installed) * dogtag-pki-theme * pki-core (all packages were installed except the debug package) * pki-console The patch was successfully tested for the following: * CA * KRA * OCSP * TKS * TPS * TPSCLIENT * CA Console * KRA Console * OCSP Console * TKS Console

9 years, 7 months

1
0
0 / 0

[PATCH] Integrate 'tpsclient' back into primary TPS package

by Matthew Harmsen

Please review the attached patch which addresses the portion of re-introducing 'tpsclient' into the primary TPS package rather than delivering it as a separate standalone package: * PKI TRAC Ticket #1017 - Rename pki-tps-tomcat to pki-tps <https://fedorahosted.org/pki/ticket/1017> This patch has been tested to verify that CA, KRA, OCSP, TKS, and TPS instances can still be installed/configured/executed via running 'pkispawn' and removed via running 'pkidestroy', and that the integrated 'tpsclient' works successfully.

9 years, 7 months

2
1
0 / 0

[PATCH] Remove Apache info from pkispawn and pkidestroy

by Matthew Harmsen

Please review the attached patch which addresses the entirety of: * PKI TRAC Ticket #1077 - Consider removing [Apache] section from 'default.cfg' . . . <https://fedorahosted.org/pki/ticket/1077> This patch has been tested to verify that CA, KRA, OCSP, TKS, and TPS instances can still be installed/configured/executed via running 'pkispawn' and removed via running 'pkidestroy'.

9 years, 7 months

2
1
0 / 0

[PATCH] Ticket 882 - Unique certID for certificate records

by Christina Fu

This patch takes care of one "TODO" item that was put off before -- generating proper unique certID for certificate records to be stored in the tokendb. Christina

9 years, 7 months

1
2
0 / 0

[PATCH] 230 - fix errors with krs-connector-remove

by Ade Lee

Fix kra-connector-remove The code to remove the connector from the pki CLI was found to be broken because of invalid message type (partly due to void returns). On uninstall, we need to remove the kra-connector from all relevant CA's in the security domain. The best way to do this is to keep kra-connector info in LDAP, so that only one call is needed. Until that change has been made, we are adding a hack to remove the connector from all CA's in the secutrity domain (if it exists). Due to issues with proxy configurations, we will continue to use sslget and a url-encoded-form version of the servlet. In addition, it was found that when removing a KRA from a shared subsystem, the updateDomainXML servlet was erroneously returning failure when it was unsuccessful in removing a non-existent user from a group. Ticket 1113 Tested using ipa-kra-install --uinstall on both masters and replica KRAs. Please review, Ade

9 years, 7 months

1
1
0 / 0

[pki-devel][PATCH] 0020-Recovery-and-Renewal-feature.patch

by John Magne

Recovery and Renewal feature: 1. Basic token key recovery functionality is there. 2. Tested with mostly the "damaged" scenerio. The low level code that writes the recovered certs to the token works and has been tested with a real token. Some of the other more obscure cases need some more testing, for instance, the temporary on hold scenario. 3. Renewal has been tested with a real token to work. 4. Much of the complex code to write cert objects and key objects, as well as importing recovered keys, has been centralized to a method. This leaves the calling code simpler and easier to trouble shoot. 5. Added a method to check token operation transition states. 6. Fixed an issue with formatting a blank token I introduced. 7. Fixed a few issues with updating certificate records for a token that were discovered. 8. Added tps code to retrieve a certificate for the recovery case. ToDos. More testing for the other recover scenarios at a higher level. When recovering a cert we need to unrevoke it. This is not done now because the TPS UI does not revoke certs yet when tokens are markes as lost or what not.

9 years, 7 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-devel September 2014