February 2016 - Pki-devel - Dogtag Pki List Archives

[pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch

by John Magne

Enhance tkstool for capabilities and security This simple ticket is to fix tkstool to allow it to create the master key with the proper flags to make the key data private such that it can't be easily viewed when using tools to print out sym keys on the token. Fix tested on the "internal" token by trying the various tkstool cmds to make sure having the key private does not cause issues. Also tried a simple key changeover operation with tpsclient to make sure that symkey can still do what it needs to do witht the master key. Further testing with a full hsm will be required. The goal was the create the key with the same flags that are used with the previous "PK11_GenKeyOnToken" (name approx) is used. This version had no flags and created a default set. This fix uses the version With flags and does what the old one did, but made sure the key is private and sensitive. Master key can be tested by using the tool: /usr/lib64/nss/unsupported-tools/symkeyutil -d ./ -L

8 years, 7 months

2
2
0 / 0

[PATCH] 693 Replaced confirmation dialog with HTML dialog.

by Endi Sukma Dewata

The TPS UI has been modified such that it will use an HTML-based dialog instead of the browser's built-in dialog such that the option to "prevent this page from creating additional dialogs" will no longer appear. https://fedorahosted.org/pki/ticket/1685 -- Endi S. Dewata

8 years, 9 months

1
1
0 / 0

[PATCH] 0051 Lightweight CAs: lookup correct issuer for OCSP responses

by Fraser Tweedale

Hi all, The attached patch makes sure that the right authority is used to create OCSP responses. Note that OCSP requests may ask about certs from more than one issuer - even though this is crazy the heuristic used is to simply use issuer of the first CertID in the request. Note that OCSP response validation of certificates issued by sub-CAs currently fails due to a separate issue[1]. [1] https://fedorahosted.org/pki/ticket/1632

8 years, 9 months

2
5
0 / 0

[PATCH] 278 - handle external certs

by Ade Lee

This is to resolve ticket 1742. For this ticket, we need a mechanism to import third party certs to clones. This patch provides a general mechanism to do this. A follow-on patch with documentation on how this all works is forthcoming. Ade

8 years, 9 months

2
5
0 / 0

[PATCH] 279 - docs for pre-check mode

by Ade Lee

Please review. Thanks, Ade

8 years, 9 months

1
1
0 / 0

[PATCH] 0054 Lightweight CAs: add audit events

by Fraser Tweedale

The attached patch adds audit events for lightweight CA administration, fixing https://fedorahosted.org/pki/ticket/1590. Cheers, Fraser

8 years, 9 months

2
3
0 / 0

More Fedora 24 fixes

by Christian Heimes

Hi, I've attached four patches that address various problems on Fedora 24. Patch 0052 enables proper error handling in sphinx-build. Right now sphinx-build only warns about errors but doesn't signal errors in its exit code. The -W turns warnings (such as a failed import) into a non-zero exit code. Patch 0053 addresses new packages such as Python 3.5 and pylint 1.5. Patch 0054 fixes a linter error in pki.cli.pkcs12. The last patch sets the sphinx theme to the old classic theme. Christian

8 years, 9 months

2
3
0 / 0

[PATCH] 0051 total ordering for PKISubSystem and PKIInstance

by Christian Heimes

This patch fixes a Python 3 issue in our upgrade system, https://fedorahosted.org/pki/attachment/ticket/2216

8 years, 10 months

2
2
0 / 0

[PATCH] 690 Added mechanism to import system certs via PKCS #12 file.

by Endi Sukma Dewata

The installation tool has been modified to provide an optional pki_server_pkcs12_path property to specify a PKCS #12 file containing certificate chain, system certificates, and third-party certificates needed by the subsystem being installed. If the pki_server_pkcs12_path is specified the installation tool will no longer download the certificate chain from the security domain directly, and it will no longer import the PKCS #12 containing the entire master NSS database specified in pki_clone_pkcs12_path. For backward compatibility, if the pki_server_pkcs12_path is not specified the installation tool will use the old mechanism to import the system certificates. The ConfigurationUtils.verifySystemCertificates() has been modified not to catch the exception to help troubleshooting. https://fedorahosted.org/pki/ticket/1742 Documentations: * http://pki.fedoraproject.org/wiki/Installing_CA_Clone * http://pki.fedoraproject.org/wiki/Installing_Remote_KRA * http://pki.fedoraproject.org/wiki/Exporting_System_Certificates * http://pki.fedoraproject.org/wiki/PKI_PKCS12_CLI -- Endi S. Dewata

8 years, 10 months

2
1
0 / 0

[PATCH] 692 Added workaround for JSS limitation in pki pkcs12-import.

by Endi Sukma Dewata

Currently JSS is unable to import CA certificates while preserving their nicknames. As a workaround, the pki pkcs12-import has been modified such that it exports individual CA certificates from PKCS The remaining user certificates will continue to be imported using JSS. A new pki pkcs12-cert-export command has been added to export individual certificates from PKCS #12 file into PEM files. The pki pkcs12-import has been modified to take a list of nicknames of the certificates to be imported into NSS database. https://fedorahosted.org/pki/ticket/1742 Note: This patch depends on patch #690 and #691. This patch completes the fix of this ticket as described in the following page except for the third-party certificate handling (see discussion below): http://pki.fedoraproject.org/wiki/Exporting_System_Certificates To test this patch, install a CA with externally signed CA: http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_... Then clone the CA: http://pki.fedoraproject.org/wiki/Installing_CA_Clone Verify that the certificates on the master and replica are identical including their nicknames. To handle proxy certificate for IPA, we can either implement the cs.thirdparty.cert properties as described in the above page, but IPA would have to add the properties during the installation. Also IPA would have to add the properties to all existing installations. Then IPA needs to call pki-server ca-clone-prepare to export the certificates for cloning. If the properties exist, the command will need to export the third-party certificates into the PKCS #12 file along with other CA certs. Then IPA will need to add the same properties into the clone. Or, IPA can manage the proxy certificate themselves. Since IPA has already added the proxy cert into master, IPA can also add the proxy cert into the PKCS #12 file generated by pki-server ca-clone-prepare using this command: pki -d /var/lib/pki/pki-tomcat/alias -C nssdb-password.txt \ pkcs12-cert-add "subsystemCert cert-pki-tomcat" \ --pkcs12 pki-server.p12 \ --pkcs12-password-file password.txt With the second option there's no further changes required in PKI. -- Endi S. Dewata

8 years, 10 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-devel February 2016