[PATCH] Fixed pylint errors (re-sent)
by Matthew Harmsen
The attached patch was altered to change "args" ==> "argv" rather than
"argv" ==> "args" since it was discovered that a number of the routines
utilized "args" as a local variable that would have to be changed since
if the "argv" input parameter were changed to "args". Consequently,
this patch converts "args" ==> "argv".
Please review the attached patch which addresses the following issues:
* dogtagpki Pagure Issue #2713 - Build failure due to Pylint issues
<https://pagure.io/dogtagpki/issue/2713>
These changes were successfully compiled on a Fedora 27 machine with the
following packages:
* python2-2.7.13-10.fc27.x86_64
* python3-3.6.1-7.fc27.x86_64
* pylint-1.7.1-1.fc27.noarch
Additionally, a CA instance was installed and configured, and the
following smoke test was run:
* sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L
* sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
/root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
example.com" -p 8080 ca-user-add testuser --fullName "Test User"
* sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L
* sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
/root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
example.com" -p 8080 client-cert-request uid=testuser
* sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
/root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
example.com" -p 8080 ca-cert-request-review 7 --action approve
* sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
/root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
example.com" -p 8080 ca-user-cert-add testuser --serial 0x7
* sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
/root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
example.com" -p 8080 client-cert-import testuser --serial 0x7
* sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L
7 years, 4 months
[PATCH] Fixed pylint errors
by Matthew Harmsen
Please review the attached patch which addresses the following issues:
* dogtagpki Pagure Issue #2713 - Build failure due to Pylint issues
<https://pagure.io/dogtagpki/issue/2713>
These changes were successfully compiled on a Fedora 27 machine with the
following packages:
* python2-2.7.13-10.fc27.x86_64
* python3-3.6.1-7.fc27.x86_64
* pylint-1.7.1-1.fc27.noarch
7 years, 4 months
[PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch
by Christina Fu
This patch is for https://pagure.io/dogtagpki/issue/2618 allow CA to
process pre-signed CMC renewal cert requests
Ticket#2618 feature: pre-signed CMC renewal request
This patch provides the feature implementation to allow CA to
process pre-signed CMC renewal requests. In the world of CMC, renewal
request are full CMC requests that are signed by previously issued
signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert
with the enhanced profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of same
key shared by a revoked certificate. It also saves the origNotAfter of
the newest certificate sharing the same key in the request to be used by
the RenewGracePeriodConstraint.
The profile caFullCMCUserSignedCert.cfg has been updated to have
both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be
placed in the correct order. By default in the UniqueKeyConstraint the
constraint parameter allowSameKeyRenewal=true.
Thanks,
Christina
7 years, 4 months
[PATCH] - Correct section headings in user deployment configuration file
by Matthew Harmsen
Please review the attached patch for:
* Bugzilla Bug #1447144 - CA brought down during separate KRA instance
creation <https://bugzilla.redhat.com/show_bug.cgi?id=1447144>
Note that the Python method itself was tested in a standalone fashion
against various sample configuration files to make certain that the only
thing altered was an invalid section heading.
It was run against the previously modified files noted in the bug and
made the following changes to the user deployment configuration files:
# diff mlh_ca.cfg.orig mlh_ca.cfg
24c24
< [TOMCAT]
---
> [Tomcat]
# diff mlh_kra.cfg.orig mlh_kra.cfg
31c31
< [TOMCAT]
---
> [Tomcat]
Application of this patch allowed the KRA to be installed successfully,
and did not shutdown the CA.
7 years, 4 months
[PATCH] Bug-1447080-CC-CMC-allow-enrollment-key-signed-self-.patch
by Christina Fu
(pague ticket is yet to be cloned)
Bug 1447080 - CC: CMC: allow enrollment key signed (self-signed) CMC
with identity proof
This patch implements handling of the self-signed CMC requests, where
the request is signed by the public key of the underlying request
(PKCS#10 or CRMF). The scenario for when this method is used is when
there was no existing signing cert for the user has been issued before,
and once it is issued, it can be used to sign subsequent cert requests
by the same user.
The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg
The new option introduced to both CRMFPopClient and PKCS10Client is "-y"
which will add the required SubjectKeyIdentifier to the underlying request.
When a CMC request is self-signed, no auditSubjectID is available until
Identification Proof (v2) is verified, however, the cert subject DN is
recorded in log as soon as it was available for additional information.
thanks!
Christina
7 years, 4 months
[PATCH] - Added FIPS class to pkispawn
by Matthew Harmsen
Please review the attached patches for:
* Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
<https://bugzilla.redhat.com/show_bug.cgi?id=1450143>
Thanks,
-- Matt
P. S. - The patches were tested on a FIPS-enabled box, and the output
looks similar to the following:
pkispawn : INFO ... finalizing
'pki.server.deployment.scriptlets.finalization'
pkispawn : INFO ....... executing 'systemctl enable
pki-tomcatd.target'
Created symlink from
/etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to
/usr/lib/systemd/system/pki-tomcatd.target.
pkispawn : INFO ....... executing 'systemctl daemon-reload'
pkispawn : INFO ....... executing 'systemctl restart
pki-tomcatd(a)pki-tomcat.service'
*pkispawn : INFO ........... FIPS mode is enabled on this
operating system.*
pkispawn : DEBUG ........... No connection - server may still
be down
pkispawn : DEBUG ........... No connection - exception thrown:
('Connection aborted.', error(111, 'Connection refused'))
pkispawn : DEBUG ........... No connection - server may still
be down
pkispawn : DEBUG ........... No connection - exception thrown:
('Connection aborted.', error(111, 'Connection refused'))
pkispawn : DEBUG ........... <?xml version="1.0"
encoding="UTF-8"
standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.4.1-4.el7</Version></XMLResponse>
pkispawn : INFO ....... rm -rf /opt/RootCA/ca
pkispawn : INFO END spawning subsystem 'CA' of instance
'pki-tomcat'
pkispawn : INFO ... archiving configuration into
'/var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006'
pkispawn : INFO ....... cp -p
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
/var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
pkispawn : DEBUG ........... chmod 660
/var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
pkispawn : DEBUG ........... chown 17:17
/var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
pkispawn : INFO ... archiving manifest into
'/var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006'
pkispawn : INFO ....... cp -p
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest
/var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006
pkispawn : DEBUG ........... chmod 660
/var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006
pkispawn : DEBUG ........... chown 17:17
/var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006
==========================================================================
INSTALLATION SUMMARY
==========================================================================
Administrator's username: caadmin
Administrator's PKCS #12 file:
/opt/RootCA/caadmincert.p12
* This CA subsystem of the 'pki-tomcat' instance**
** has FIPS mode enabled on this operating system.**
****
** REMINDER: Don't forget to update the appropriate FIPS**
** algorithms in server.xml in the
'pki-tomcat' instance.**
***
To check the status of the subsystem:
systemctl status pki-tomcatd(a)pki-tomcat.service
To restart the subsystem:
systemctl restart pki-tomcatd(a)pki-tomcat.service
The URL for the subsystem is:
https://pki.example.com:8443/ca
PKI instances will be enabled upon system boot
==========================================================================
7 years, 4 months