[PATCH] add pkiuser to nfast group
by Matthew Harmsen
Please review the attached patch that resolves the following issue:
* PKI TRAC Ticket #1415 - nCipher HSM: Add 'pkiuser' to 'nfast' group
<https://fedorahosted.org/pki/ticket/1415>
The patch was applied and successfully tested on a VM containing an
nCipher nethsm:
# cat /etc/group | grep nfast
nfast:x:995:
# pkispawn -s CA -f /root/mlh/pki-master-mlh.inf -vvv
# cat /etc/group | grep nfast
nfast:x:995:pkiuser
# cd /var/lib/pki/pki-master-mlh/alias
# modutil -dbdir . -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. nfast
        library name: /opt/nfast/toolkits/pkcs11/libcknfast.so
         slots: 2 slots attached
        status: loaded

         slot: 061C-37A2-3CB3 Rt1
        token: accelerator

         slot: 061C-37A2-3CB3 Rt1 slot 0
        token: NHSM6000
-----------------------------------------------------------
# certutil -d . -L
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

casigningcert-MLH                            CT,C,C
caauditsigningcert-MLH                       ,,P
# certutil -d . -h NHSM6000 -f /root/mlh/hsm_password -L
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

NHSM6000:casigningcert-MLH                   CTu,Cu,Cu
NHSM6000:caocspsigningcert-MLH               u,u,u
NHSM6000:Server-Cert cert-pki-RootCA-MLH     u,u,u
NHSM6000:casubsystemcert-MLH                 u,u,u
NHSM6000:caauditsigningcert-MLH              u,u,Pu
9 years, 10 months
[PATCH] 609 CRMFPopClient improvements.
by Endi Sukma Dewata
The CRMFPopClient has been modified to use the HttpClient library
to connect to the server, to show the HTTP status code if an error
occurs, and to show the NSS database directory in verbose mode.
--
Endi S. Dewata
9 years, 10 months
[pki-devel][PATCH] Mozilla crypto object warning
by John Magne
commit bd780990a15d10c3df9a8da81486878012e00884
Author: Jack Magne <jmagne(a)localhost.localdomain>
Date: Tue Jun 16 10:09:01 2015 -0700
Mozilla crypto object warning:
Provide simple textual warning when the user is using a browser that no longer supports the crypto object, which results in reduced CA certificate enrollment functionality. For simplicity provide the warning at the top of the main index page and at the top of the CA's services page. The services page is where the pkispawn of the CA points the users after installation. The ticket originally called for a JS warning but the simple text warning should be less intrusive and repetitive to the user.
Ticket #1398 Provide UI Javascript warning for missing Mozilla Crypto Object in the CA.
Very simple change verbally acked by Endi:
Pushed to master.
9 years, 10 months
[PATCH] 0038..0041 fix upgrade issues
by Fraser Tweedale
The attached patches fix a number of issues upgrading from 10.2.3-2
to 10.2.4-2, the most severe of which is that pki-tomcatd cannot
start after upgrade due to reference to removed class
NuxwdogPasswordStoreInitializer. These issues are blocking FreeIPA
4.2 alpha. (There might be more issues to discover, but these fixes
are all I have in me tonight.)
Depending on when we were planning to cut 10.2.5, it might be
worthwhile doing a 10.2.4-3 - but I leave it to more experienced
folk to make that call.
Thanks,
Fraser
9 years, 10 months
remove RAEnrollProfile.java?
by Fraser Tweedale
The RAEnrollProfile class is not used or referenced anywhere in the
codebase. I presume it was related to the RA, but even immediately
before removal of the RA it did not seem to be used, so it seems
safe to remove it.
Comments?
Fraser
9 years, 10 months