Enhance tkstool for capabilities and security
This simple ticket is to fix tkstool to allow it
to create the master key with the proper flags to make
the key data private such that it can't be easily viewed when
using tools to print out sym keys on the token.
Fix tested on the "internal" token by trying the various tkstool
cmds to make sure having the key private does not cause issues.
Also tried a simple key changeover operation with tpsclient to make
sure that symkey can still do what it needs to do with the master key.
Further testing with a full hsm will be required.
The goal was to create the key with the same flags that are used with the
previous "PK11_GenKeyOnToken" (name approx). This version had no
flags and created a default set. This fix uses the version with flags and
does what the old one did, but made sure the key is private and sensitive.
The master key can be tested by using the tool:
/usr/lib64/nss/unsupported-tools/symkeyutil -d ./ -L
The TPS UI has been modified such that it will use an HTML-based
dialog instead of the browser's built-in dialog such that the
option to "prevent this page from creating additional dialogs"
will no longer appear.
Endi S. Dewata
The attached patch makes sure that the right authority is used to
create OCSP responses. Note that OCSP requests may ask about certs
from more than one issuer - even though this is crazy, the heuristic
used is to simply use issuer of the first CertID in the request.
Note that OCSP response validation of certificates issued by sub-CAs
currently fails due to a separate issue.
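To make the heuristic concrete, here is an added, stand-alone example (not code from the Dogtag PKI project or from the patch) that walks the DER of an OCSP request, collects every CertID from its requestList, and picks the issuer of the first one as the patch describes. It also reports whether the request mixes issuers, which is the case the heuristic silently collapses and the case a responder would want to log. The DER helpers, the sample issuer hashes and the serial numbers are constructed for the example; real issuerNameHash/issuerKeyHash values come from the issuer's DN and public key.

```python
"""Added example (not Dogtag PKI code): walk the DER of an OCSP request,
collect every CertID, and apply the "issuer of the first CertID" heuristic.
Also reports whether the request mixes issuers. Sample hashes are constructed."""
import hashlib


def der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26) with NULL parameters.
SHA1_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))


def cert_id(issuer_name_hash, issuer_key_hash, serial):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }"""
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    return tlv(0x30, SHA1_ALG + tlv(0x04, issuer_name_hash)
               + tlv(0x04, issuer_key_hash) + tlv(0x02, serial_bytes))


def ocsp_request(cert_ids):
    """OCSPRequest with a v1 TBSRequest whose requestList holds one Request per CertID."""
    request_list = tlv(0x30, b"".join(tlv(0x30, cid) for cid in cert_ids))
    return tlv(0x30, tlv(0x30, request_list))


def parse_cert_ids(der):
    """Return the CertIDs of an OCSP request as (issuerNameHash, issuerKeyHash, serial) tuples."""
    _, outer, _ = read_tlv(der)            # OCSPRequest
    _, tbs, _ = read_tlv(outer)            # TBSRequest (optional signature is ignored)
    # Skip optional [0] version and [1] requestorName; requestList is the first SEQUENCE.
    request_list = next(val for tag, val in children(tbs) if tag == 0x30)
    ids = []
    for _, request in children(request_list):
        req_cert = children(request)[0][1]  # reqCert comes before any extensions
        _, (_, name_hash), (_, key_hash), (_, serial) = children(req_cert)
        ids.append((name_hash, key_hash, int.from_bytes(serial, "big")))
    return ids


def pick_issuer(der):
    """Heuristic from the patch: answer with the issuer of the first CertID.
    Returns ((nameHash, keyHash), mixed); mixed is True when the CertIDs name
    more than one issuer, so the responder can log or reject such a request."""
    ids = parse_cert_ids(der)
    if not ids:
        raise ValueError("OCSP request carries no CertID")
    first = ids[0][:2]
    mixed = any(cid[:2] != first for cid in ids[1:])
    return first, mixed


# Constructed sample issuers (placeholders, not real CA hashes).
ROOT_NAME_HASH = hashlib.sha1(b"CN=Example Root CA (constructed)").digest()
ROOT_KEY_HASH = hashlib.sha1(b"root-key (constructed)").digest()
SUB_NAME_HASH = hashlib.sha1(b"CN=Example Sub CA (constructed)").digest()
SUB_KEY_HASH = hashlib.sha1(b"sub-key (constructed)").digest()

SINGLE_ISSUER_REQUEST = ocsp_request([cert_id(ROOT_NAME_HASH, ROOT_KEY_HASH, 0x1001)])
MIXED_ISSUER_REQUEST = ocsp_request([
    cert_id(ROOT_NAME_HASH, ROOT_KEY_HASH, 0x1001),
    cert_id(SUB_NAME_HASH, SUB_KEY_HASH, 0x2002),
])

if __name__ == "__main__":
    for name, req in [("single", SINGLE_ISSUER_REQUEST), ("mixed", MIXED_ISSUER_REQUEST)]:
        issuer, mixed = pick_issuer(req)
        print(name, "issuer name hash:", issuer[0].hex()[:16], "mixed issuers:", mixed)
```

The mixed request above shows why the heuristic matters: only the first CertID's issuer is used to sign the response, so the entry for the sub-CA certificate would be answered by the root's authority; logging the `mixed` flag makes that visible on the responder side.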
This is to resolve ticket 1742.
For this ticket, we need a mechanism to import third party certs to
clones. This patch provides a general mechanism to do this.
A follow-on patch with documentation on how this all works is
I've attached four patches that address various problems on Fedora 24.
Patch 0052 enables proper error handling in sphinx-build. Right now
sphinx-build only warns about errors but doesn't signal errors in its
exit code. The -W turns warnings (such as a failed import) into a
non-zero exit code.
Patch 0053 addresses new packages such as Python 3.5 and pylint 1.5.
Patch 0054 fixes a linter error in pki.cli.pkcs12.
The last patch sets the sphinx theme to the old classic theme.
Currently JSS is unable to import CA certificates while preserving
their nicknames. As a workaround, the pki pkcs12-import has been
modified such that it exports individual CA certificates from PKCS
The remaining user certificates will continue to be imported using
A new pki pkcs12-cert-export command has been added to export
individual certificates from PKCS #12 file into PEM files.
The pki pkcs12-import has been modified to take a list of nicknames
of the certificates to be imported into NSS database.
This patch depends on patch #690 and #691.
This patch completes the fix of this ticket as described in the
following page except for the third-party certificate handling (see
To test this patch, install a CA with externally signed CA:
Then clone the CA:
Verify that the certificates on the master and replica are identical
including their nicknames.
To handle proxy certificate for IPA, we can either implement the
cs.thirdparty.cert properties as described in the above page, but IPA
would have to add the properties during the installation. Also IPA would
have to add the properties to all existing installations. Then IPA needs
to call pki-server ca-clone-prepare to export the certificates for
cloning. If the properties exist, the command will need to export the
third-party certificates into the PKCS #12 file along with other CA
certs. Then IPA will need to add the same properties into the clone.
Or, IPA can manage the proxy certificate themselves. Since IPA has
already added the proxy cert into master, IPA can also add the proxy
cert into the PKCS #12 file generated by pki-server ca-clone-prepare
using this command:
pki -d /var/lib/pki/pki-tomcat/alias -C nssdb-password.txt \
pkcs12-cert-add "subsystemCert cert-pki-tomcat" \
--pkcs12 pki-server.p12 \
With the second option there are no further changes required in PKI.
Endi S. Dewata