January 2016 - Pki-devel - Dogtag Pki List Archives

[pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch

by John Magne

Enhance tkstool for capabilities and security This simple ticket is to fix tkstool to allow it to create the master key with the proper flags to make the key data private such that it can't be easily viewed when using tools to print out sym keys on the token. Fix tested on the "internal" token by trying the various tkstool cmds to make sure having the key private does not cause issues. Also tried a simple key changeover operation with tpsclient to make sure that symkey can still do what it needs to do witht the master key. Further testing with a full hsm will be required. The goal was the create the key with the same flags that are used with the previous "PK11_GenKeyOnToken" (name approx) is used. This version had no flags and created a default set. This fix uses the version With flags and does what the old one did, but made sure the key is private and sensitive. Master key can be tested by using the tool: /usr/lib64/nss/unsupported-tools/symkeyutil -d ./ -L

8 years, 7 months

2
2
0 / 0

[PATCH] 0051 Lightweight CAs: lookup correct issuer for OCSP responses

by Fraser Tweedale

Hi all, The attached patch makes sure that the right authority is used to create OCSP responses. Note that OCSP requests may ask about certs from more than one issuer - even though this is crazy the heuristic used is to simply use issuer of the first CertID in the request. Note that OCSP response validation of certificates issued by sub-CAs currently fails due to a separate issue[1]. [1] https://fedorahosted.org/pki/ticket/1632

8 years, 9 months

2
5
0 / 0

[PATCH] 0054 Lightweight CAs: add audit events

by Fraser Tweedale

The attached patch adds audit events for lightweight CA administration, fixing https://fedorahosted.org/pki/ticket/1590. Cheers, Fraser

8 years, 9 months

2
3
0 / 0

[PATCH] 0052 Lightweight CAs: enrol cert via profile subsystem

by Fraser Tweedale

The attached patch fixes: - #1624 generate lightweight CAs via profile subsystem - #1632 ensure CA certs bear correct Authority Key Identifier Thanks, Fraser

8 years, 10 months

2
2
0 / 0

[PATCH] 0050 Lightweight CAs: ensure disabled CA cannot create sub-CA

by Fraser Tweedale

The attached patch (which replaces an earlier patch 0050) fixes https://fedorahosted.org/pki/ticket/1628. Cheers, Fraser

8 years, 10 months

2
3
0 / 0

[PATCH] 0067 Remove vestiges of NISAuth plugin

by Fraser Tweedale

Attached patch fixes https://fedorahosted.org/pki/ticket/1674 (NISAuth Authentication plugin , which is not present, still in the CS.cfg). Thanks, Fraser

8 years, 10 months

2
2
0 / 0

[PATCH] 0072 Weaken PKIPrincipal to superclass in several places

by Fraser Tweedale

Hi all, The attached patch (part of the GSS-API effort) weakens several soon-to-be-unsafe casts of the user principal object. It also adds some commentary (in the form of TODOs) to replace hardcoded role names with appropriate checks against authzManagers. Thanks, Fraser

8 years, 10 months

2
2
0 / 0

[PATCH] 0070 Use correct textual encoding for PKCS #7 objects

by Fraser Tweedale

Hi all, Pursuant to RFC 7468 the attached patch replaces instances of 'CERTIFICATE CHAIN' in PEM headers with 'PKCS7'. Fixes ticket https://fedorahosted.org/pki/ticket/1699. I could not reproduce any problems with `keytool' as mentioned in the ticket, nor find cases online of programs supporting 'CERTIFICATE CHAIN' but not 'PKCS7', so I think this is a good change to make. We can address counterexamples if/when we have hard evidence of them :) Cheers, Fraser

8 years, 10 months

2
2
0 / 0

[PATCH] 0069 Import certs as DER-encoded X.509 in Chrome

by Fraser Tweedale

The attached patch fixes certificate import in Chrome. https://fedorahosted.org/pki/ticket/1245#comment:5 Thanks, Fraser

8 years, 10 months

2
2
0 / 0

[PATCH] 0068 Remove execute permissions from systemd unit files

by Fraser Tweedale

Hi all, The attached patch fixes https://fedorahosted.org/pki/ticket/1723. Cheers, Fraser

8 years, 10 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-devel January 2016