Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
extension support and a DNP3 profile that makes use of it. This is
to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
Authentication v5 (SAv5) standard.
In brief, the SN and all the IECUserRoles params will be given in
profile inputs, and the key is taken from a CertReqInput.
There's still a bit of work to go - notably, some of the
IECUserRoles fields are unimplemented, and some of those that *are*
implemented are not yet read out of the profile input but rather are
hardcoded. The extension *does* appear on the certificate, so I
should get that all completed tomorrow.
Attached please find the patch that addresses the last issue reported in:
https://fedorahosted.org/pki/ticket/867#comment:11 Need to support TPS
as a separate tomcat instance
symkey.jar symlink is missing from the instance layout when TPS is on a
separate tomcat instance.
After the fix, I was able to do a simple format and enrollment.
I also tested creating a TPS instance that is on a shared Tomcat
instance to make sure it doesn't break that.
The RAEnrollProfile class is not used or referenced anywhere in the
codebase. I presume it was related to the RA, but even immediately
before removal of the RA it did not seem to be used, so it seems
safe to remove it.
Please review and test the attached patch out on platforms other than
'x86_64' which addresses this issue:
* PKI TRAC Ticket #1392 - Remove i686/x86_64 architecture limitations
(e. g. - ppc64/ppc64le) <https://fedorahosted.org/pki/ticket/1392>
I did apply the attached patch and build it on an x86_64 machine, and
successfully tested out the following:
* built, installed, and tested out a CA
* built, installed, and tested out a CA console
* built, installed, and tested out a TKS and TPS
* built, installed, and tested out tpsclient
* AtoB and BtoA
The deployment tool has been modified to avoid overwriting the
property default value by moving the assignment after all the
properties are added.
Endi S. Dewata
A new script has been added to restore a missing or corrupted
subsystem user such that it has the correct certificate, the
correct certificate mapping, and the correct membership to the
A new Python library has been added to provide the script with
the functionality to access the PKI configuration and database.
A new CLI has also been added for troubleshooting.
Endi S. Dewata
pkidaemon checks the systemd symlinks on startup.
Right now, it is looking for the wrong symlinks when nuxwdog is
enabled, and preventing the server from coming up.
This patch fixes this.
The script to generate Python docs has been cleaned up and
simplified. The python-sphinx configuration files have been
moved into base/common/python. The build artifacts are now
created in the build/base/common/python.
Endi S. Dewata
Please review the attached patch which addresses the following ticket:
* PKI TRAC Ticket #1388 - pylint unidiomatic-typecheck warnings cause
koji builds to fail <https://fedorahosted.org/pki/ticket/1388>