Hello Martin, I will test it and give some feedback about it soon.
However, thanks to a colleague, we were able to patch the OpenCA DBI module
and do some tests that fixed both problems in this thread:
- export/import problems related to CSRs with different states
- making a complete database backup in which all objects are stored in all
possible categories
After doing some tests, I was able to use these OpenCA functions without
problems.
I attach the patch.
Bye
Nicolas Macia
_____________
CERTunlp
On 07/03/14 11:02, Martin Hecht wrote:
> Hello Nicolas,
>
> I think you were looking at the right place. The function exportDB in
> export-import.lib holds a list of states which shall be exported. TEMPNEW
> is not among the ones to be exported, so these requests which are not
> validated should not even leave the RA. Nevertheless, it would make sense
> to handle TEMPNEW in importObjects just in case. However, all other states
> should already be handled correctly, at least for Openca-base 1.5.1. In the
> output below I can't see any export of a request. Could you try to export
> the database with requests of different states (TEMPNEW / NEW / APPROVED)
> and check in the tar file how they are written to the device?
>
> best regards,
> Martin
>
> PS: I'm suggesting the attached patch to make sure the TEMPNEW state is
> correctly handled during import.
>
> On 02/28/2014 03:35 PM, Nicolas Macia (CeSPI) wrote:
>> I forgot to say that this behavior happened on:
>> - Openca-base 1.5.1 / Openca-tools 1.3.0 on Debian 7 (Stable)
>> - Openca-base 1.1.1 / Openca-tools 1.3.0 on Debian 6 (Old Stable)
>>
>> I think that this problem could be related to another bug: all objects
>> (CA CERT / CERTIFICATE / REQUEST) are put in all the different
>> categories regardless of their status: CACERT [valid / expired], REQUEST
>> [new / renew / pending / signed / approved / archived / deleted],
>> CERTIFICATE [valid / expired / revoked / suspended]
>>
>> For example, on OpenCA 1.5.1, on my CA which has:
>> - one CA cert
>> - one CRL
>> - two valid certificates
>>
>> if I run, in the node interface:
>> Node Ops -> Backup and Recovery -> Database
>>
>> I can see the following:
>>
>> Thursday 27 February 21:48:13 UTC
>> Exporting DB ...
>> Please wait until operation completes
>> Exporting valid CA_CERTIFICATE ...
>>
>> Exporting all necessary objects.
>>
>> cc2821c7d9025aadb34c467ea115980f3e64690b.pem
>>
>> Exporting expired CA_CERTIFICATE ...
>>
>> Exporting all necessary objects.
>>
>> cc2821c7d9025aadb34c467ea115980f3e64690b.pem
>>
>> Exporting new CRR ...
>>
>> No objects are present.
>>
>> Exporting pending CRR ...
>>
>> No objects are present.
>>
>> Exporting signed CRR ...
>>
>> No objects are present.
>>
>> Exporting approved CRR ...
>>
>> No objects are present.
>>
>> Exporting archived CRR ...
>>
>> No objects are present.
>>
>> Exporting deleted CRR ...
>>
>> No objects are present.
>>
>> Exporting valid CRL ...
>>
>> Exporting all necessary objects.
>>
>> 1.pem
>>
>> Exporting new REQUEST ...
>>
>> Exporting all necessary objects.
>>
>> 256.spkac
>>
>> 512.spkac
>>
>> Exporting renew REQUEST ...
>>
>> Exporting all necessary objects.
>>
>> 256.spkac
>>
>> 512.spkac
>>
>> Exporting pending REQUEST ...
>>
>> Exporting all necessary objects.
>>
>> 256.spkac
>>
>> 512.spkac
>>
>> Exporting signed REQUEST ...
>>
>> Exporting all necessary objects.
>>
>> 256.spkac
>>
>> 512.spkac
>>
>> Exporting approved REQUEST ...
>>
>> Exporting all necessary objects.
>>
>> 256.spkac
>>
>> 512.spkac
>>
>> Exporting archived REQUEST ...
>>
>> Exporting all necessary objects.
>>
>> 256.spkac
>>
>> 512.spkac
>>
>> Exporting deleted REQUEST ...
>>
>> Exporting all necessary objects.
>>
>> 256.spkac
>>
>> 512.spkac
>>
>> Exporting valid CERTIFICATE ...
>>
>> Exporting all necessary objects.
>>
>> 998806535358870519861744.pem
>>
>> 419063751874877379914325.pem
>>
>> Exporting expired CERTIFICATE ...
>>
>> Exporting all necessary objects.
>>
>> 998806535358870519861744.pem
>>
>> 419063751874877379914325.pem
>>
>> Exporting revoked CERTIFICATE ...
>>
>> Exporting all necessary objects.
>>
>> 998806535358870519861744.pem
>>
>> 419063751874877379914325.pem
>>
>> Exporting suspended CERTIFICATE ...
>>
>> Exporting all necessary objects.
>>
>> 998806535358870519861744.pem
>>
>> 419063751874877379914325.pem
>>
>> Exporting archive ...
>>
>> Load required variables ...
>>
>> Changing to directory /home/openca/OpenCA/var/openca/tmp/tmp_19420 ...
>>
>> Running the export command(s) ...
>>
>> /bin/tar -cvpf /tmp/openca_local -C
>> /home/openca/OpenCA/var/openca/tmp/tmp_19420 .
>>
>> Archive created successfully.
>>
>> Test the archive ...
>>
>> /bin/tar -tvf /tmp/openca_local
>>
>> Clean up ...Ok.
>>
>>
>>
>>
>> Nicolás Macia
>> _____________
>> CERTunlp
>>
>> On 27/02/14 21:48, Nicolas Macia wrote:
>>> Hello, I have a problem.
>>>
>>> After requesting a digital certificate at the public site, a URL is sent
>>> to the requester to confirm his e-mail address.
>>>
>>> The problem is what is seen at the RA interface:
>>> - CSRs confirmed using the previous URL are tagged with state NEW
>>> - CSRs not confirmed are tagged with state TEMPNEW
>>> - Approved CSRs are tagged with state APPROVED
>>>
>>> When I use the node interface to exchange information with the CA, all
>>> CSRs of ANY STATE are exported to the CA as approved REQUESTS.
>>>
>>> It seems to me that the problem is that the RA should only export
>>> approved requests, but it doesn't.
>>>
>>> Does anyone know what the problem is here?
>>>
>>>
>>> Thanks
>>> Nico
>>
>>
>>
>> -----
>> CeSPI
>> Centro Superior para el Procesamiento de la Información
>>
>> Universidad Nacional de La Plata
>>
>>
>>
>>
>>
>> _______________________________________________
>> OpenCA-Devel mailing list
>> OpenCA-Devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/openca-devel
>
>
-----
CeSPI
Centro Superior para el Procesamiento de la Información
Universidad Nacional de La Plata
--- modules/openca-dbi/DBI.pm.orig 2014-03-07 19:26:48.804964170 -0300
+++ modules/openca-dbi/DBI.pm 2014-03-07 19:27:16.784963732 -0300
@@ -2371,6 +2371,19 @@
$and = 1;
}
+#
+# This block is to permit filter database object by it's status
+# By Einar Lanfranco - ei...@linti.unlp.edu.ar
+#
+ if (defined $arguments{STATUS} and $arguments{STATUS} ne "-1" ) {
+ if ($and){$query .= " and status =?"; }
+ else{ $query .= " where status =?";}
+ push (@bind_values, $arguments{STATUS});
+ push (@bind_types,
+ $OpenCA::DBI::SQL->{VARIABLE}->{$arguments{STATUS}."_STATUS"}[1]);
+ $and = 1;
+ }
+
$query .= " ORDER BY " .
$OpenCA::DBI::SQL->{VARIABLE}->{$arguments{TABLE}."_ORDERBY"}[0];
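Review bot: the bind type for the new status filter is looked up with the key `$arguments{STATUS}."_STATUS"`, i.e. a key derived from the status value itself ("NEW_STATUS", "TEMPNEW_STATUS", ...), whereas the ORDERBY lookup in the trailing context lines is keyed by the table name (`$arguments{TABLE}."_ORDERBY"`); unless a VARIABLE entry exists for every status string that can be passed in, `$OpenCA::DBI::SQL->{VARIABLE}->{...}[1]` evaluates to undef and an undefined bind type is pushed onto @bind_types. Consider keying the type lookup on the status column of `$arguments{TABLE}`, or at least checking that the lookup is defined before the push. Minor: the comment "filter database object by it's status" should read "its status", and the `$arguments{STATUS} ne "-1"` sentinel deserves a short comment stating that -1 means "no status filter".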