1:45 p.m.
The Python client library for KRA has been modified to simplify
the usage. The NSSCryptoProvider's setup_database() and __init__()
now take a password file parameter. The import_cert() now can
take either cert binary/encoded data or CertData object. It also
provides a default value for the trust attribute. The KRAClient
now stores the crypto provider object.
The KRA test has been updated to provide options to override
the default test configuration (e.g. hostname, port). It also has
been modified to use a temporary NSS database. The setup document
has been updated to describe the process to run the test as root
and as a regular user.
--
Endi S. Dewata
10:40 a.m.
On Wed, 2014-10-08 at 13:45 -0500, Endi Sukma Dewata wrote:
The Python client library for KRA has been modified to simplify
the usage. The NSSCryptoProvider's setup_database() and __init__()
now take a password file parameter. The import_cert() now can
take either cert binary/encoded data or CertData object. It also
provides a default value for the trust attribute. The KRAClient
now stores the crypto provider object.
The KRA test has been updated to provide options to override
the default test configuration (e.g. hostname, port). It also has
been modified to use a temporary NSS database. The setup document
has been updated to describe the process to run the test as root
and as a regular user.
Looks good. ACK.
Just one issue below:
1. In crypto.py, in lines 117-120, is it possible for an exception to be
thrown, leaving the password file lying around? That is one of the
advantages of the with ... construction. Maybe move lines 116 -120 into
the try: block.
Ade
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
1:58 p.m.
On Thu, 2014-10-09 at 11:40 -0400, Ade Lee wrote:
On Wed, 2014-10-08 at 13:45 -0500, Endi Sukma Dewata wrote:
> The Python client library for KRA has been modified to simplify
> the usage. The NSSCryptoProvider's setup_database() and __init__()
> now take a password file parameter. The import_cert() now can
> take either cert binary/encoded data or CertData object. It also
> provides a default value for the trust attribute. The KRAClient
> now stores the crypto provider object.
>
> The KRA test has been updated to provide options to override
> the default test configuration (e.g. hostname, port). It also has
> been modified to use a temporary NSS database. The setup document
> has been updated to describe the process to run the test as root
> and as a regular user.
>
Looks good. ACK.
Just one issue below:
1. In crypto.py, in lines 117-120, is it possible for an exception to be
thrown, leaving the password file lying around? That is one of the
advantages of the with ... construction. Maybe move lines 116 -120 into
the try: block.
In the drmtest readme file, in the last section it should be -
pki ~/.dogtag/pki-tomcat/ca/alias -c <password> client-cert-show "PKI
Administrator for example.com" --client-cert kraagent.pem
Other than that ACK from me too.
Ade
> _______________________________________________
> Pki-devel mailing list
> Pki-devel(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
4:29 p.m.
On 10/9/2014 10:40 AM, Ade Lee wrote:
Looks good. ACK.
Just one issue below:
1. In crypto.py, in lines 117-120, is it possible for an exception to be
thrown, leaving the password file lying around? That is one of the
advantages of the with ... construction. Maybe move lines 116 -120 into
the try: block.
The chance for that to happen is probably small because after the
password is written to the file the code only does a variable
assignment, then enter the try-block. I've moved the code into the
try-block regardless. The main reason for the change is mkstemp() is
supposed to be more secure.
On 10/9/2014 1:58 PM, Abhishek Koneru wrote:
In the drmtest readme file, in the last section it should be -
pki ~/.dogtag/pki-tomcat/ca/alias -c <password> client-cert-show "PKI
Administrator for example.com" --client-cert kraagent.pem
Actually the "caadmin" would match the nickname I used in the ca.cfg
example on the Quick Start page, so the command is correct (except for
the missing -d) and would be more appropriate for quick testing by root.
The "PKI Administrator for example.com" is the standard nickname
generated by the interactive mode and it's kind of long.
Thanks for the review. It's pushed to master with the above fixes.
--
Endi S. Dewata
3727
days inactive
3728
days old
3 comments
3 participants
participants (3)
-
Abhishek Koneru -
Ade Lee -
Endi Sukma Dewata