[pki-devel][PATCH] 0064-Port-symkey-JNI-to-Java-classes.patch
by John Magne
Subject: [PATCH] Port symkey JNI to Java classes. Ticket #801 : Merge
pki-symkey into jss
What is supported:
1. Everything that is needed to support Secure Channel Protocol 01.
2. Supports the nist sp800 kdf and the original kdf.
3. Supports key unwrapping used by TPS which was formerly in the symkey JNI.
Requires:
1. A new JSS that supports more advanced symkey operations such as key derivation, more advanced key
unwrapping , and a way to list and identify a given symmetric key by name. Version of new Jss will be forthcoming.
Still to do:
1. Port over the 2 or 3 SCP02 routines from Symkey to use this code.
2. The original symkey will remain in place until we can port over everything.
3. SCP03 support can be added later.
8 years, 8 months
[pki-devel][PATCH] 0066-TPS-auth-special-characters-fix.patch
by John Magne
TPS auth special characters fix.
Ticket #1636.
Smartcard token enroll/format fails when the ldap user has special characters in userid or password
Tested with both esc and tpsclient. The problem was when using a real card because the client uri encodes
the authentication creds and the server needs to decode them.
8 years, 8 months
[pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch
by John Magne
Enhance tkstool for capabilities and security
This simple ticket is to fix tkstool to allow it
to create the master key with the proper flags to make
the key data private such that it can't be easily viewed when
using tools to print out sym keys on the token.
Fix tested on the "internal" token by trying the various tkstool
cmds to make sure having the key private does not cause issues.
Also tried a simple key changeover operation with tpsclient to make
sure that symkey can still do what it needs to do witht the master key.
Further testing with a full hsm will be required.
The goal was the create the key with the same flags that are used with the
previous "PK11_GenKeyOnToken" (name approx) is used. This version had no
flags and created a default set. This fix uses the version With flags and
does what the old one did, but made sure the key is private and sensitive.
Master key can be tested by using the tool:
/usr/lib64/nss/unsupported-tools/symkeyutil -d ./ -L
8 years, 8 months
[PATCH] 0084..0086 Lightweight CA replication support
by Fraser Tweedale
Hi all,
The attached patches implement replication support for lightweight
CAs. These patches do not implement key replication via Custodia
(my next task) but they do implement the persistent search thread
and appropriate** API behaviour when the signing keys are not yet
available.
** In most cases, we respond 503 Service Unavailable; this is open
for discussion. ca-authority-find and ca-authority-show include
a boolean field indicating whether the CA is ready to sign.
There might be (probably are) endpoints I've missed.
Cheers,
Fraser
8 years, 8 months
[PATCH] 297, 298 add validity check for external CA
by Ade Lee
commit 0fe7bf5ff989bbc24875dce30cec8f32e89c0a8f
Author: Ade Lee <alee(a)redhat.com>
Date: Fri Apr 22 15:31:43 2016 -0400
Add validity check for the signing certificate in pkispawn
When either an existing CA or external CA installation is
performed, use the pki-server cert validation tool to check
the signing certiticate and chain.
Ticket #2043
commit 9104fdda145c4f2bbbedec7256c73922e8bffcef
Author: Ade Lee <alee(a)redhat.com>
Date: Wed Apr 20 17:26:23 2016 -0400
Add CLI to check system certificate status
We add two different calls:
1. pki client-cert-validate - which checks a certificate in the client
certdb and calls the System cert verification call performed by JSS
in the system self test. This does some basic extensions and trust
tests, and also validates cert validity and cert trust chain.
2. pki-server subsystem-cert-validate <subsystem>
This calls pki client-cert-validate using the nssdb for the subsystem
on all of the system certificates by default (or just one if the
nickname is defined).
This is a great thing to call when healthchecking an instance,
and also will be used by pkispawn to verify the signing cert in the
externally signed CA case.
Trac Ticket 2043
8 years, 8 months
[PATCH] 730 Fixed duplicate executions of finalization scriptlet.
by Endi Sukma Dewata
Previously the finalization scriptlet was always executed in each
pkispawn execution. In multi-step installations (e.g. external CA,
standalone, or installation/configuration-only mode) some of the
code in the scriptlet such as enabling systemd service, restarting
the service, and purging client database will be redundant.
Now the scriptlet has been modified to execute only in the final
step of the installation. The code that archives the deployment
and manifest files has been moved into pkispawn to ensure that it
is always executed in each pkispawn execution.
For clarity the method that displays the installation summary has
been broken up into separate methods for standalone step 1,
installation-only mode, and configuration-only/full installation.
--
Endi S. Dewata
8 years, 9 months