Hi OpenCA developers, I have put together a collection of patches for openca-base-1.5.1 which I have developed over the last months. Some of them depend on each other. However, I have made them all to apply to an unpatched openca-base-1.5.1 source. If you want to apply several (or all of them) together, you might have to edit them slightly, but since I'm posting to the developer's list I assume that everybody has the programming skills for these minor adjustments...
Here the description of the patches included in the attachment:

openca-fix_getcert.patch: when trying to download the own certificate by serial# it is not found in the db. This patch fixes the issue by setting the "key" for which the db is searched equal to the serial (which is what one would expect to happen).

openca-fake_email_verification.patch: This allows the CA/RA operator to mark email addresses as "verified" without actually sending a mail to that address.

openca-change_auto_defaults.patch: This patch switches off debugging and tries to enable startup of the autoCRL and AutoEmail daemon. Well, the startup does not work like this, but at least the default settings seem to be more reasonable for a production environment.

openca-list_unverified_csr.patch: If the verification mail does not arrive (e.g. filtered out by a spam filter on the mail server already), the CSR is not accessible and the user has no chance to click on the verification link to make it appear. This patch adds a category of "unverified" signing requests in the CA/RA backend which allows the operator to edit or approve the requests.

openca-allow_renew_cert.patch: This allows the user to renew his certificate. We query for the PIN of the original CSR for security reasons and only allow the operation on valid certificates (expired ones might have been revoked before, which is not so easy to distinguish once the certificate has expired). This patch also depends on the allow_reuse_of_keys patch below.

openca-fix_send_pin_mail.patch: OpenCA supports two sorts of PINs to revoke certificates: use the request's PIN or use so-called CRINs (Certificate Revocation Identification Numbers), which are sent encrypted to the owner of the request. However, many users do not have enough skills to deal with CRINs, and the support for using the original PIN of the CSR instead is buggy. This patch fixes these issues and switches the default config to use REQUEST_PINs.

openca-check_subject.patch: We had trouble that users often enter a trailing space character when filling in the request form. This patch warns about such weird certificate subjects.

openca-process_alternative_mails.patch: For server certificates it is sometimes advantageous not to include an email address in the certificate. However, there is a field for an additional email address. This patch adds that one to the headers of the CSR and verifies it when no email is included in the certificate itself.

openca-mod_ssl-auth.patch: X.509 authorization in recent Firefox versions requires an extra addon. This addon is still needed to sign requests in the RA interface, but this patch implements an authorization based on Apache mod_ssl for logging in to the interfaces. If you apply this, be aware that it is your task to set up a proper Apache configuration for mod_ssl.

openca-update_emails_in_cert_header.patch: together with the fake_email_verification patch, this patch adds the information about verified email addresses to already issued certificates.

openca-allow_reuse_of_keys.patch: re-using a private key for a new certificate per se is not a bad thing. Of course the operator has to check if the requestor is authorized to request a certificate for the particular server. If a private key is compromised and the revoked certificate expires, it is possible to request a new certificate for that key. However, the server admin should not do this and the RA operator should carefully check who is requesting a certificate. Denying key reuse at all solves these problems, but it makes it impossible to extend certificates. This patch allows reusing keys and implies the aforementioned duties.

openca-getcert_send_pem.patch: For our applications PEM files are preferred over p12 encoded ones. This patch changes the default format in which the certificates are delivered to the users.

openca-fix_typos.patch: two typos in mail-utils.lib which have been reported on the mailing list by someone else already, just for completeness.

openca-include_cert_in_notification.patch: A handy thing would be to attach the certificate to the notification mail sent out to the user. However, we would need MIME multipart messages like in the CRIN mails here, which is quite some effort. This patch just includes the PEM-formatted certificate in the message body (still more comfortable than only a download link which requires LAN access; the mail itself might be in the local cache of the mail client).

openca-make_search_more_flexible.patch: This patch fixes some problems with searching for certificates and makes it more flexible. You can search for DN, request serial, serial, in decimal or hex in different formats (the flexibility in the format of the serial and the ability to search for the request serial have been added in this patch).

openca-send_verify_message.patch: If the verification mail got lost somehow (e.g. the server's mail configuration not yet finished when requesting a certificate), it is not possible to verify the email address anymore. This patch allows the RA/CA operator to send out another verification mail if needed.

openca-make_manual_mail_verbose.patch: Manually sending out queued mails asks the operator to wait until sending has finished, but it stays quiet all the time. This patch prints out the information about what's going on to the web interface so that the operator can see if it is still running.

I hope that the attachment is not stripped off when sending this to the list... otherwise I'll retry with uncompressed attachments.

best regards,
Martin
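As an added illustration of the serial-search behaviour described for openca-make_search_more_flexible.patch (example code written for this post, not the patch or OpenCA's own code; the certificate index and field names are constructed), this lookup accepts a serial in decimal, 0x-prefixed hex, bare hex or OpenSSL-style colon-separated hex, keeps both readings where bare digits are ambiguous, and matches certificate serial, request serial or DN substring:

```python
import re

# Constructed sample index standing in for the certificate table (not OpenCA's schema).
CERTS = [
    {"serial": 26,   "req_serial": 7,  "dn": "CN=www.example.org,O=Example"},
    {"serial": 4660, "req_serial": 18, "dn": "CN=mail.example.org,O=Example"},
    {"serial": 18,   "req_serial": 26, "dn": "CN=Martin,O=Example"},
]

_HEX_COLON = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2})+$")   # 1a:2b:3c (openssl x509 -text)
_HEX_PREFIX = re.compile(r"^0x[0-9a-f]+$")                # 0x1a2b
_HEX_PLAIN = re.compile(r"^[0-9a-f]+$")                   # 1a2b
_DEC = re.compile(r"^[0-9]+$")                            # 6699


def serial_candidates(text):
    """Return every integer the typed serial could denote.

    Bare digits such as "12" are kept as both decimal 12 and hex 0x12 so the
    search does not silently miss a certificate because of the wrong radix.
    """
    s = text.strip().lower()
    out = set()
    if _HEX_COLON.match(s):
        out.add(int(s.replace(":", ""), 16))
    elif _HEX_PREFIX.match(s):
        out.add(int(s[2:], 16))
    else:
        if _DEC.match(s):
            out.add(int(s, 10))
        if _HEX_PLAIN.match(s):
            out.add(int(s, 16))
    return out


def search(query, certs=CERTS):
    """Match a query against certificate serial, request serial or DN substring."""
    q = query.strip().lower()
    if not q:
        return []          # an empty query must not return the whole table
    cands = serial_candidates(q)
    return [c for c in certs
            if c["serial"] in cands
            or c["req_serial"] in cands
            or q in c["dn"].lower()]
```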
openca-1.5.1-patches.tgz
_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel