[Pki-devel] Karma request for Dogtag 10.2.6 on Fedora 23

2016-04-08 Thread Matthew Harmsen

The following five tickets have been addressed in Fedora 23:

 * PKI TRAC Ticket #2022 - pkispawn ignores 3rd party CA certs in
   pki_clone_pkcs12_path
 * PKI TRAC Ticket #2253 - Some password/pin fields have no '%' escape
 * PKI TRAC Ticket #2252 - ipa-kra-install fails when using pki-kra
   10.2.x
 * PKI TRAC Ticket #2257 - PKCS #12 backup does not contain trust
   attributes.
 * PKI TRAC Ticket #2216 - Python 3: unorderable types: PKISubsystem()

by the following build:

 * pki-core-10.2.6-18.fc23

Please provide Karma for this build in Bodhi located at:

 * pki-core-10.2.6-18.fc23

Thanks,
-- Matt

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] Trouble enrolling with SSCEP

2016-04-08 Thread Christina Fu

Hi Hayg,

I am running Fedora 22 so I'm not sure if there is any difference at all.

I would like to understand your issue(s) better.
When you said that your request failed because it was "getting 
deferred", does that mean you have it in the enrollment profile for 
manual approval?  In other words, it was your intention to have the 
request manually approved by the CA agents?
You realize that if you require manual agent approval, there is no 
option for sscep to "fetch" the already issued cert, right?


Or, did you not intend to have the request deferred and failed?  In 
which case, you want to know why it failed?  If so, do you have a relevant 
debug log to give us some clue?


Did I misunderstand your issue?

Christina

On 04/05/2016 02:57 AM, haygastour...@gmail.com wrote:

Hello everyone,

I've been trying to enroll with dogtag via SSCEP for the last few days 
to no avail and I've reached the end of my rope, so I'm reaching out 
for your help (which I very much would appreciate).


I am running Ubuntu and my dogtag versions are:
hayg@hayg:~$ dpkg -l | grep dogtag

ii  dogtag-pki                10.2.6-1  all  Dogtag Public Key Infrastructure (PKI) Suite
ii  dogtag-pki-console-theme  10.2.6-1  all  Certificate System - PKI Console User Interface
ii  dogtag-pki-server-theme   10.2.6-1  all  Certificate System - PKI Server User Interface


My SSCEP:
[~/sscep]$ cat VERSION

0.6.1


My flatfile.txt:
hayg@hayg:~$ sudo cat /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt

#UID:172.16.24.238
#PWD:1212
UID:10.129.25.186
PWD:secret

(I restarted my pki-tomcatd service just in case, to make sure it took 
effect)


On the SSCEP side I'm doing:

./sscep enroll -l cert.pem -r local.csr -k local.key -c astourian.crt -u 'http://hayg.astourian.info:8080/ca/cgi-bin/pkiclient.exe'



This fails because the request is getting deferred and I have fail on 
defer set to true, per the docs.


The request actually shows up in 'List Certificates' when I go to the 
web UI, but when I try to approve it, I get:


The Certificate System has encountered an unrecoverable error.
Error Message:
java.lang.NullPointerException
Please contact your local administrator for assistance.

When I try to resume the enrollment by adding the -R flag to sscep it 
fails with the following error in the logs:


CRSEnrollment: No certificate has been found


My CSR:
[~/sscep]$ openssl req -in local.csr -noout -text

Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=10.129.25.186
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:ab:f4:b7:55:bd:26:51:b7:65:b9:51:4e:08:31:
83:ef:d6:b7:97:cc:cb:82:4b:a6:3f:be:ac:1c:9a:
f5:1e:0d:56:7c:6a:be:d3:49:17:b6:ba:42:05:eb:
6c:e2:ff:2b:0f:64:d5:ae:e8:5b:6c:f8:df:74:ef:
1f:a1:94:50:4c:35:90:bc:02:2b:2a:e3:80:b6:e1:
75:a0:34:4d:74:0b:47:2c:f5:2d:87:2a:72:4a:93:
5b:76:a8:cc:96:56:0b:de:62:69:1e:37:30:eb:49:
4a:0a:8c:55:c4:0e:a7:9d:95:88:2d:ed:15:19:c6:
19:93:02:84:40:09:40:44:b1
Exponent: 65537 (0x10001)
Attributes:
challengePassword:secret
Requested Extensions:
X509v3 Subject Alternative Name: critical
IP Address:10.129.25.186
Signature Algorithm: sha1WithRSAEncryption
 7e:85:96:60:54:ed:c7:fd:d4:9d:b9:48:4c:d6:5a:2d:b1:62:
 8f:26:58:04:da:f2:6d:cf:c7:59:dc:b5:b2:a9:69:8d:e0:df:
 4d:26:7b:51:3e:d5:f4:90:21:d9:20:69:6f:6f:e1:58:28:90:
 05:a7:38:1b:04:05:e6:84:03:78:95:90:d6:da:0c:56:c1:e9:
 16:d4:01:15:c5:5e:06:3f:44:48:6e:e5:dd:f6:dc:62:0a:f9:
 af:e7:c5:3d:0a:86:b1:99:40:90:ff:30:02:92:91:fb:dd:50:
 f0:df:bf:73:96:6f:04:3e:73:66:02:86:66:a0:00:fa:a7:58:
 ea:ae 



As you can see, the password is "secret" and the CN is the UID from 
flatfile.txt.


I welcome you all to try enrolling with my server. I can then try 
approving and see if it works.


Again, I very much appreciate all of your help. Please excuse my wall 
of text x_x


Thanks,
Hayg



[Pki-devel] [PATCH] 707 Fixed pki pkcs12-import backward compatibility.

2016-04-08 Thread Endi Sukma Dewata

For backward compatibility the pki pkcs12-import has been modified
to generate default nicknames and trust flags for CA certificates
if they are not specified in the PKCS #12 file. The PKCS12Util was
also modified to find the certificate corresponding to a key more
accurately using the local ID instead of the subject DN.

The configuration servlet has been modified to provide better
debugging information when updating the security domain.

https://fedorahosted.org/pki/ticket/2255

--
Endi S. Dewata
From 4887051859167e968a18c2dd68d4120c59915334 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Wed, 6 Apr 2016 19:22:48 +0200
Subject: [PATCH] Fixed pki pkcs12-import backward compatibility.

For backward compatibility the pki pkcs12-import has been modified
to generate default nicknames and trust flags for CA certificates
if they are not specified in the PKCS #12 file. The PKCS12Util was
also modified to find the certificate corresponding to a key more
accurately using the local ID instead of the subject DN.

The configuration servlet has been modified to provide better
debugging information when updating the security domain.

https://fedorahosted.org/pki/ticket/2255
---
 base/common/python/pki/cli/pkcs12.py   |  7 +-
 .../cms/servlet/csadmin/ConfigurationUtils.java| 29 --
 .../dogtagpki/server/rest/SystemConfigService.java |  2 +-
 .../src/netscape/security/pkcs/PKCS12Util.java | 17 ++---
 4 files changed, 43 insertions(+), 12 deletions(-)

diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
index dc999a1200e1c42bca7a779bc42b20a03b031fb6..a7c32cc2b1218021bc15b5ea030df24c8b7143b9 100644
--- a/base/common/python/pki/cli/pkcs12.py
+++ b/base/common/python/pki/cli/pkcs12.py
@@ -220,7 +220,12 @@ class PKCS12ImportCLI(pki.cli.CLI):
 
 cert_id = cert_info['id']
 nickname = cert_info['nickname']
-trust_flags = cert_info['trust_flags']
+
+if 'trust_flags' in cert_info:
+trust_flags = cert_info['trust_flags']
+else:
+# default trust flags for CA certificates
+trust_flags = 'CT,c,c'
 
 if main_cli.verbose:
 print('Exporting %s (%s) from PKCS #12 file' % (nickname, cert_id))
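Review bot: the `else` branch assigns `trust_flags = 'CT,c,c'` to every certificate entry that lacks the attribute, not only to CA certificates as the comment and the commit message say; an end-entity certificate in an old-format PKCS #12 file would be imported with the flags of a trusted SSL CA. Gate the default on the certificate actually being a CA (its basic constraints, or a flag the caller passes) and fall back to empty flags `',,'` otherwise. Minor: the verbose message on the last line still reads `Exporting %s (%s) from PKCS #12 file` inside the import command.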
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 25838f1f3208f39c7ccf79ad9eb3edb9e5f9b3dc..7aeee7e9fc3e3cdf811250ce1f480f3ee9e6a9c8 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -113,6 +113,7 @@ import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXParseException;
 
 import com.netscape.certsrv.account.AccountClient;
 import com.netscape.certsrv.apps.CMS;
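Review bot: `org.xml.sax.SAXParseException` is imported here, but none of the hunks of this patch as shown reference it; if the catch block that handles the `XMLObject` parse further down does not use it, drop the import to avoid an unused-import warning.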
@@ -3801,14 +3802,15 @@ public class ConfigurationUtils {
 content.putSingle("httpport", CMS.getEENonSSLPort());
 
 try {
+CMS.debug("Update security domain using admin interface");
 String session_id = CMS.getConfigSDSessionId();
 content.putSingle("sessionID", session_id);
 updateDomainXML(sd_host, sd_admin_port, true, url, content, false);
 
 } catch (Exception e) {
-CMS.debug("updateSecurityDomain: failed to update security domain using admin port "
-  + sd_admin_port + ": " + e);
-CMS.debug("updateSecurityDomain: now trying agent port with client auth");
+CMS.debug("Unable to access admin interface: " + e);
+
+CMS.debug("Update security domain using agent interface");
 url =  "/ca/agent/ca/updateDomainXML";
 updateDomainXML(sd_host, sd_agent_port, true, url, content, true);
 }
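Review bot: the new message `Unable to access admin interface: ` drops `sd_admin_port`, which the old debug text included; since the fallback goes to a different port with client auth, keeping the port in the message helps when reading logs from a misconfigured security domain. The catch is also still `catch (Exception e)`, so every failure of the admin path, including the authentication failure that `updateDomainXML` now throws, silently falls through to the agent interface; consider logging the exception class or narrowing the catch to the I/O and XML exceptions the admin call can raise.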
@@ -3873,7 +3875,12 @@ public class ConfigurationUtils {
 c = post(hostname, port, https, servlet, content, null, null);
 }
 
-if (c != null && !c.equals("")) {
+if (c == null || c.equals("")) {
+CMS.debug("Unable to update security domain: empty response");
+throw new IOException("Unable to update security domain: empty response");
+}
+
+try {
 ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes());
 XMLObject obj = new XMLObject(bis);
 String status = obj.getValue("Status");
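Review bot: the `try {` opened after the empty-response check has no matching catch inside this hunk, so the closing brace of the old `if (c != null && !c.equals(""))` block must have been turned into a `catch` further down; verify that the parse failure from `new XMLObject(bis)` is still handled there and that it is the reason for the `SAXParseException` import added above. Also, the `CMS.debug` line repeats the text of the `IOException` thrown on the next line; the caller in `updateSecurityDomain` already logs the exception it catches, so one of the two messages is redundant.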
@@ -3881,13 +3888,21 @@ public class ConfigurationUtils {
 
 if (status.equals(SUCCESS)) {
 return;
+
+} else if (status.equals(AUTH_FAILURE)) {
+CMS.debug("Unable to update security domain: authentication failure");
+throw
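Review bot: the `AUTH_FAILURE` branch repeats the log-then-throw pattern of the empty-response check, and the exception type is not visible here. If it is an `IOException` like the one above, an authentication failure on the admin interface is caught by the generic `catch (Exception e)` in `updateSecurityDomain` and retried on the agent interface, which is reasonable, but the same failure on the agent interface is reported only by the generic message; include the `Status` value in the thrown message so the two cases can be told apart in the log.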