[PATCH] Separated TPS does not automatically receive shared secret
from remote TKS.
Support to allow the TPS to do the following:
1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS.
2. Have the TKS securely return the shared secret back to the TPS during the end of configuration.
3. The TPS then imports the wrapped shared secret into its own internal NSS db permanently and.
4. Given a name that is mapped to the TPS's id string.
1. The TKS was modified to actually be able to use multiple shared secrets registered by
multiple TPS instances.
At this point if the same remote TPS instance is created over and over again, the TPS's user
in the TKS will accumulate "userCert" attributes, making the exportation of the shared secret
not functional. At this point we need to assume that the TPS user has ONE "userCert" registered
at this time.
Tested with a remote TPS talking to a shared TMS system consisting of a TPS, TKS, and KRA.
The shared secret was imported successfully after manually deleting the user representing the TPS from previous installs.
This way I was assured one cert stored for the user, since it had to be created fresh.
Also tested that the TKS can work successfully with the new TPS AND the prior shared TPS on the original instance.
The TKS can now host more than one shared secret in its db and address the correct one when a given TPS makes a request of it.
Please forgive some spurious changes that happened when formatting a couple of the files in question. Every legit change is related to the shared secret and can be found easily.

Generating Symmetric key fails with key-generate when --usages verify is passed
Minor adjustment to the man page for the key management commands to say
which usages are appropriate for sym keys and those appropriate for asym keys.

The pki-server subsystem-cert-update is supposed to restore the
system certificate data and requests into CS.cfg. The command was
broken since the CASubsystem class that contains the code to find
the certificate requests from database was not loaded correctly.
To fix the problem the CASubsystem class has been moved into the
All pki-server subsystem-* commands have been modified to check
the validity of the instance.
An option has been added to the pki-server subsystem-cert-show
command to display the data and request of a particular system
The redundant output of the pki-server subsystem-cert-update has
been removed. The updated certificate data and request can be
obtained using the pki-server subsystem-cert-show command.
Endi S. Dewata

The attached patch fixes build on Fedora 25 (JAX-RS API JAR had
moved). It also removes a bunch of redundant find_file directives.
This can probably be done for many other JARs but I've kept it to
just the one for now.
No urgency to get this in.