Initial comments ..
1. ConfigurationUtils.java - I think we can simplify this code a bit.
Instead of:
    boolean standalone = false;
    if (sysType.equals("KRA")) {
        standalone = config.getBoolean("kra.standalone", false);
    } else if (sysType.equals("OCSP")) {
        standalone = config.getBoolean("ocsp.standalone", false);
    }
    if ((sysType.equals("KRA") && standalone) ||
            (sysType.equals("OCSP") && standalone)) {
        // Treat Standalone KRA/OCSP the same as "otherca"
        config.putString(subsystem + "." + certTag + ".cert",
                "...paste certificate here...");
    } else {
we could just have:
    boolean standalone = config.getBoolean(sysType.toLowerCase() + ".standalone", false);
    if (standalone) {
        // Treat standalone subsystem the same as "otherca"
        config.putString(subsystem + "." + certTag + ".cert",
                "...paste certificate here...");
    } else {
2. In SystemConfigService.java, you use a config entry to determine
whether the system is a standalone parameter or not. That means reading
the CS.cfg in validateData(). I think it makes better sense to add a
field to ConfigurationRequest to indicate that the system being
installed is a standalone system. This also eliminates the need for a
global variable standalone. Instead, you can just reference
data.getStandalone().
3. It's a little weird in the validateData() to be putting the
validation under the check for new_domain. What happens if someone
selects standalone and existing domain?
4. After validateData() has run, it's not necessary to check whether we
are an OCSP or KRA when running standalone. That check should have been
done by validateData().
5. At the beginning of the configuration, in step 2, you append
"signing" to the beginning of the cert.list. That will not work for
OCSP - which already contains "signing" as the first parameter in its
list. Maybe you want something unique like "external_signing" ?
6. Did you confirm that all these servlets/mappings are actually needed
to be exposed in web.xml?
To be continued ..
On Tue, 2013-10-01 at 16:52 -0700, Matthew Harmsen wrote:
RESENT to include the DATE of this PATCH in the Subject line.
The attached patch addresses the following TRAC ticket:
* https://fedorahosted.org/pki/ticket/667 TRAC Ticket #667 -
  provide option for ca-less drm install
Unlike the previous patch which did not utilize a security domain and
utilized the legacy GUI panel configuration, this patch only pertains
to the non-GUI 'pkispawn' installation/configuration process as
documented at:
* http://pki.fedoraproject.org/wiki/Stand-alone_PKI_Subsystems
Using this code, I have successfully installed a stand-alone DRM
utilizing a separate PKI CA as my external CA for testing purposes.
Should this code be approved, I will add the following:
* update the 'pkispawn' man page
* add similar default values as parameters to OCSP
At this stage, this code has not been tested to see if a DRM can be
successfully cloned from a Stand-Alone DRM.
-- Matt