Ran the included test drivers and the changes appear to work fine.
If the main features with the HSM test to work:
ACK
Caveat:
I noticed that one of the changes involved creating a class called "HSM".
This simple class seems to focus only on the ncipher hardware specifically.
As part of a future effort, it might be nice to make use of some inheritance to
have a base HSM class for common functionality and separate subclasses for
nethsm and lunasa.
For instance, one method in there is called "restart_nciper". An OO breakdown
would allow us to simply call "restart" instead.
A discussion with mharmsen indicated this might be a candidate for a more
general ticket to work on the classes in the file pkihelper.py to bring a
little more OO flavor to the table.
----- Original Message -----
From: "Matthew Harmsen" <mharmsen(a)redhat.com>
To: "pki-devel" <pki-devel(a)redhat.com>
Sent: Monday, June 15, 2015 3:36:43 PM
Subject: [Pki-devel] [PATCH] add pkiuser to nfast group
Please review the attached patch that resolves the following issue:
* PKI TRAC Ticket #1415 - nCipher HSM: Add 'pkiuser' to 'nfast' group
The patch was applied and successfully tested on a VM containing an nCipher
nethsm:
# cat /etc/group | grep nfast
nfast:x:995:
# pkispawn -s CA -f /root/mlh/pki-master-mlh.inf -vvv
# cat /etc/group | grep nfast
nfast:x:995:pkiuser
# cd /var/lib/pki/pki-master-mlh/alias
# modutil -dbdir . -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. nfast
library name: /opt/nfast/toolkits/pkcs11/libcknfast.so
slots: 2 slots attached
status: loaded
slot: 061C-37A2-3CB3 Rt1
token: accelerator
slot: 061C-37A2-3CB3 Rt1 slot 0
token: NHSM6000
-----------------------------------------------------------
# certutil -d . -L
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI
casigningcert-MLH                           CT,C,C
caauditsigningcert-MLH                      ,,P
# certutil -d . -h NHSM6000 -f /root/mlh/hsm_password -L
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI
NHSM6000:casigningcert-MLH                  CTu,Cu,Cu
NHSM6000:caocspsigningcert-MLH              u,u,u
NHSM6000:Server-Cert cert-pki-RootCA-MLH    u,u,u
NHSM6000:casubsystemcert-MLH                u,u,u
NHSM6000:caauditsigningcert-MLH             u,u,Pu
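The before/after `/etc/group` check from the test session above, written as an exact field match instead of a visual grep. This is an added example, not part of the original thread or of the PKI code base; the function names and the sample group-file contents are constructed for illustration.

```python
# Constructed /etc/group contents modeled on the before/after session above.
# Only the nfast line (gid 995) comes from the thread; the rest is made up.
BEFORE = "root:x:0:\nnfast:x:995:\npkiuser:x:17:\n"
AFTER = "root:x:0:\nnfast:x:995:pkiuser\npkiuser:x:17:\n"
# A line that a substring grep for "pkiuser" would wrongly accept.
LOOKALIKE = "nfast:x:995:pkiuser2,notpkiuser\n"


def parse_group_file(text):
    """Map group name -> list of supplementary members (group(5) format)."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed entry: ignore rather than guess
        name, _password, _gid, members = fields
        groups[name] = [m.strip() for m in members.split(",") if m.strip()]
    return groups


def hsm_group_status(text, user="pkiuser", group="nfast"):
    """Return 'ok', 'missing-member' or 'missing-group' for the given user."""
    groups = parse_group_file(text)
    if group not in groups:
        return "missing-group"  # the group does not exist in this file
    return "ok" if user in groups[group] else "missing-member"


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, hsm_group_status(text))
    # On a live host the same check is:
    #   "pkiuser" in grp.getgrnam("nfast").gr_mem
```
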