[PATCH] 0105 Add pki-server ca-cert-db-upgrade command
by Fraser Tweedale
Hi all,
The following patch adds a pki-server subcommand for updating
certificate records to add the issuerName attribute.
It is for #1667 (Database upgrade script to add issuerName attribute
to all cert entries).
Follow-up question: should I (and if so, how should I) also add an
upgrade scriptlet to perform the upgrade for Dogtag CA subsystem on
the host? Is there a precedent for invoking pki-server (or
subroutines thereof) from pki-server-upgrade scriptlets?
Cheers,
Fraser
8 years, 6 months
[PATCH] 747 Fixed pki-server subsystem-cert-validate command.
by Endi Sukma Dewata
The system certificate validation command has been modified to
check for both 'internal' and 'Internal Key Storage Token' since
both are valid names for the internal token.
Additional checks have been added to validate the certificate
parameters in CS.cfg.
The output of the command has been modified to be more consistent
with other pki-server commands.
The pki client-cert-validate invocation has been fixed to use -C
option to specify the NSS database password file.
https://fedorahosted.org/pki/ticket/2043
--
Endi S. Dewata
8 years, 6 months
0119-Ticket-2303-Key-recovery-fails-with-KRA-on-lunaSA.patch
by Christina Fu
One patch for JSS
one patch for KRA
These patches should address the KRA unwrap issues when the keys are on
lunaSA.
The KRA patch will require the JSS patch to function.
It is also required for the lunaSA to be of the following model: CKE –
Key Export Models
Christina
8 years, 6 months
[PATCH] 740-742 Added token status UNFORMATTED.
by Endi Sukma Dewata
A new token status UNFORMATTED has been added for new tokens added
via UI/CLI and for TERMINATED tokens that are to be reused.
The token status READY has been renamed to FORMATTED for clarity.
--
Endi S. Dewata
8 years, 6 months
[pki-devel][PATCH] 0066-TPS-auth-special-characters-fix.patch
by John Magne
TPS auth special characters fix.
Ticket #1636.
Smartcard token enroll/format fails when the LDAP user has special characters in userid or password.
Tested with both esc and tpsclient. The problem was when using a real card because the client URI-encodes
the authentication creds and the server needs to decode them.
8 years, 6 months
[pki-devel][PATCH] 0061-Enhance-tkstool-for-capabilities-and-security.patch
by John Magne
Enhance tkstool for capabilities and security
This simple ticket is to fix tkstool to allow it
to create the master key with the proper flags to make
the key data private such that it can't be easily viewed when
using tools to print out sym keys on the token.
Fix tested on the "internal" token by trying the various tkstool
cmds to make sure having the key private does not cause issues.
Also tried a simple key changeover operation with tpsclient to make
sure that symkey can still do what it needs to do with the master key.
Further testing with a full hsm will be required.
The goal was to create the key with the same flags that are used when the
previous "PK11_GenKeyOnToken" (name approx) is used. This version had no
flags and created a default set. This fix uses the version With flags and
does what the old one did, but made sure the key is private and sensitive.
Master key can be tested by using the tool:
/usr/lib64/nss/unsupported-tools/symkeyutil -d ./ -L
8 years, 6 months