[pki-devel][PATCH] 0072-Revocation-failure-causes-AUDIT_PRIVATE_KEY_ARCHIVE_.patch
by John Magne
Revocation failure causes AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST
The fix here is to make sure no archive-related audits get issued for doing
things other than key archivals.
Other operations such as revoking and unrevoking a cert in the code path already
have audit logs issued separately for success or failure.
Ticket #2340.
7 years, 9 months
[PATCH] pki-cfu-0133-Ticket-2298-exclude-some-ldap-record-attributes-with.patch
by Christina Fu
This is part 2 of:
https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key
archival/recovery, not to record certain data in ldap and logs
This patch allows one to exclude certain ldap attributes from the
enrollment records for crmf requests
(both CRMF and CMC CRMF). The following are the highlights:
* CRMF Manual approval profile is disabled: caDualCert.cfg
- By default, if ca.excludedLDAPattrs.enabled is true, then this
profile will not work, as the crmf requests
are not written to the ldap record for agents to act on
* ca.excludedLDAPattrs.attrs can be used to configure the attribute list
to be excluded
* a new CRMF "auto approval" (directory based, needs to be set up) is
provided
* By default, the following fields are no longer written to the ldap
record in case of CRMF:
(note: the code deliberately uses literal strings, for the reason that
the exact literal strings need to be spelled out
in ca.excludedLDAPattrs.attrs if the admin chooses to override the default)
"req_x509info",
"publickey",
"req_extensions",
"cert_request",
"req_archive_options",
"req_key"
* a sleepOneMinute() method is added for debugging purposes. It is not
called in the final code, but is left there for future debugging purposes
* code was fixed so that the KRA request will display the subject name even
though the x509info is missing from the request
* cmc requests did not have a request type in their records, so it had to be
added for differentiation
The following have been tested:
* CRMF auto enroll
* CRMF manual enroll/approval
* CMC-CRMF enroll
* both CA and KRA internal ldap were examined for correct data exclusion
Note: CRMF could potentially not include a key archival option, however, I
am not going to differentiate them at the moment. An earlier prototype
I had built attempted to do that, and the signing cert's record isn't
excluded for attrs write while its CRMF request is the same as that of
its encryption cert counterpart within the same request. Due to this
factor (multiple cert reqs with the same request blob), I am treating
them the same for exclusion.
thanks,
Christina
7 years, 9 months
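The following is an added illustrative model of the ca.excludedLDAPattrs.enabled / ca.excludedLDAPattrs.attrs semantics described in the patch summary above. It is example code written for this page, not Dogtag PKI code: the CS.cfg-style key=value parsing, the request-type labels ("crmf", "cmc-crmf") and the req_subject_name attribute are assumptions made for the example. It shows the three behaviours the summary spells out: nothing is excluded when the feature is off, the six literal names are excluded by default when it is on, and an admin-supplied attrs list fully replaces (rather than extends) that default, so any default name not re-spelled in the override is written again. Non-CRMF request types are left untouched.

```python
# Added example (not Dogtag code) modelling the ca.excludedLDAPattrs.* behaviour
# described in the patch summary. Config format, request-type labels and the
# req_subject_name attribute are assumptions for this example.
from __future__ import annotations

# Default exclusion list, spelled exactly as the patch summary lists them.
DEFAULT_EXCLUDED_ATTRS = (
    "req_x509info",
    "publickey",
    "req_extensions",
    "cert_request",
    "req_archive_options",
    "req_key",
)

# Request types the exclusion applies to (assumed labels for this example).
CRMF_REQUEST_TYPES = frozenset({"crmf", "cmc-crmf"})

# Constructed CS.cfg-style fragments used as sample input.
SAMPLE_CFG_DEFAULT = "ca.excludedLDAPattrs.enabled=true\n"
SAMPLE_CFG_OVERRIDE = (
    "ca.excludedLDAPattrs.enabled=true\n"
    "# admin override: only these two are excluded; the other defaults are written again\n"
    "ca.excludedLDAPattrs.attrs=req_key,publickey\n"
)


def parse_cs_cfg(text: str) -> dict[str, str]:
    """Parse a minimal 'key=value' config text; '#' lines and blanks are ignored."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def excluded_attrs(cfg: dict[str, str]) -> frozenset[str]:
    """Attribute names to drop, or an empty set when the feature is disabled.

    A configured ca.excludedLDAPattrs.attrs value replaces the default list
    entirely, so an override must spell out every literal name to keep excluded.
    """
    if cfg.get("ca.excludedLDAPattrs.enabled", "false").lower() != "true":
        return frozenset()
    override = cfg.get("ca.excludedLDAPattrs.attrs")
    if override is None or override.strip() == "":
        return frozenset(DEFAULT_EXCLUDED_ATTRS)
    return frozenset(a.strip() for a in override.split(",") if a.strip())


def scrub_request_record(record: dict[str, str], cfg: dict[str, str]) -> dict[str, str]:
    """Return the copy of a request record that would be persisted.

    Only CRMF-style requests (by the assumed request_type label) are scrubbed;
    any other request type is written unchanged. The assumed req_subject_name
    attribute survives so the record still shows a subject without req_x509info.
    """
    if record.get("request_type", "").lower() not in CRMF_REQUEST_TYPES:
        return dict(record)
    drop = excluded_attrs(cfg)
    return {k: v for k, v in record.items() if k not in drop}


# Constructed sample request record (values are placeholders).
SAMPLE_RECORD = {
    "request_type": "crmf",
    "req_subject_name": "CN=example user",
    "req_x509info": "<x509info blob>",
    "publickey": "<public key blob>",
    "cert_request": "<CRMF request blob>",
    "req_key": "<wrapped private key>",
}


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Scrub the sample record under the default and the override configs."""
    default_out = scrub_request_record(SAMPLE_RECORD, parse_cs_cfg(SAMPLE_CFG_DEFAULT))
    override_out = scrub_request_record(SAMPLE_RECORD, parse_cs_cfg(SAMPLE_CFG_OVERRIDE))
    return default_out, override_out


if __name__ == "__main__":
    for label, out in zip(("default", "override"), demo()):
        print(label, sorted(out))
```

The point worth checking in a real deployment is the override case: because the attrs list replaces the default rather than adding to it, a partial override silently re-enables persistence of the names that were left out.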
[pki-devel][PATCH] 0071-UdnPwdDirAuth-authentication-plugin-instance-is-not-.patch
by John Magne
UdnPwdDirAuth authentication plugin instance is not working.
Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working.
Since this class no longer works, we felt it best to just remove it from the server.
This patch removes the references and files associated with this auth method, including the plugin
itself, so intrepid individuals will not be tempted to manually configure this auth method.
QE has nicely decided to independently remove the tests associated with this plugin already.
7 years, 9 months