Re: [Pki-devel] [PATCH] 0100 Fix NSSDB certificate search method
On Wed, Apr 27, 2016 at 12:35:28PM -0500, Endi Sukma Dewata wrote:
> On 4/26/2016 10:50 PM, Fraser Tweedale wrote:
> > Hi all,
> >
> > Please review the attached patch, which fixes
> > https://fedorahosted.org/pki/ticket/2301.
> >
> > Cheers,
> > Fraser
>
> ACK.
>
Thanks Endi; pushed to master:

970fcc3b14f3a3fd5579aaa0259d289d82cff13d Fix NSSDB certificate search method

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support
On Fri, Apr 22, 2016 at 07:50:06PM -0400, John Magne wrote:
> I took a look at the stuff alee asked for.
>
> CFU even took a quick look when I asked her a couple of questions.
> She was unsure of something (as was I) and she would like to be able
> to take a closer look next week. I will give my quick thoughts.
>
> 1. I agree that HSM support is not in the patch, seems fine to move that
> to a future ticket.
>
> Here is one thing I was kind of worried about:
> This is the code that imports the archive of the desired private key.
>
> ublic static PrivateKey importPKIArchiveOptions(
> +CryptoToken token, PrivateKey unwrappingKey,
> +PublicKey pubkey, byte[] data)
> +throws InvalidBERException, Exception {
> +ByteArrayInputStream in = new ByteArrayInputStream(data);
> +PKIArchiveOptions options = (PKIArchiveOptions)
> +(new PKIArchiveOptions.Template()).decode(in);
> +EncryptedKey encKey = options.getEncryptedKey();
> +EncryptedValue encVal = encKey.getEncryptedValue();
> +AlgorithmIdentifier algId = encVal.getSymmAlg();
> +BIT_STRING encSymKey = encVal.getEncSymmKey();
> +BIT_STRING encPrivKey = encVal.getEncValue();
>
> This is the wrapper object that is built off of the caSigningUnit key gotten
> in the other patch, the RetrieverThread, like this:
>
> > PrivateKey unwrappingKey = hostCA.mSigningUnit.getPrivateKey();
>
> The code below works fine if said key is RSA. I talked it over with CFU and she
> said there could be a chance this key is ECC for an ECC CA.
>
> We both think the rest of the code in this routine is fine, except for
> possibly that.
> She is also not even sure if JSS can support an ECC private key wrapper.
>
> She requests you guys give her a day or two to look at it.
>
> Except for the hsm issue, the code that calls this routine in the thread
> seems fine too.
> +
> +KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
> +wrapper.initUnwrap(unwrappingKey, null);
>
> +SymmetricKey sk = wrapper.unwrapSymmetric(
> +encSymKey.getBits(), SymmetricKey.Type.DES3, 0);
> +
> +ASN1Value v = algId.getParameters();
> +v = ((ANY) v).decodeWith(new OCTET_STRING.Template());
> +byte iv[] = ((OCTET_STRING) v).toByteArray();
> +IVParameterSpec ivps = new IVParameterSpec(iv);
> +
> +wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
> +wrapper.initUnwrap(sk, ivps);
> +PrivateKey.Type keyType = pubkey.getAlgorithm().equals("EC")
> +? PrivateKey.Type.EC
> +: PrivateKey.Type.RSA;
> +return wrapper.unwrapPrivate(encPrivKey.getBits(), keyType, pubkey);
> +}
>
Pushed to master. Christina, I know you were/are very busy so thanks for
spending some time looking at these patches. If you have any other questions
or concerns let me know ASAP.

24992c089b9b5088f4481fda3d01a907565b5121 Lightweight CAs: authority schema changes
dc8c21cc9a68968a2b1db87f9b21cf3afbdb966a Add method CryptoUtil.importPKIArchiveOptions
e21aadd5e14dbcda73c20f20e67b1bcc8d5b5bfc Add ca-authority-key-export command
94ee373d053b34e534fbb61826e586693a38c934 Lightweight CAs: add key retrieval framework
a2a4117dbc7e489cbb1964d6ce5f95b786a03fde Lightweight CAs: add IPACustodiaKeyRetriever

Cheers,
Fraser
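Review bot: in the importPKIArchiveOptions hunk the symmetric algorithm is assumed rather than checked: `algId = encVal.getSymmAlg()` is consulted only for its parameters (the IV), while the unwrap hard-codes `SymmetricKey.Type.DES3` and `KeyWrapAlgorithm.DES3_CBC_PAD`; if the archived value was wrapped with a different symmAlg the IV decode or the unwrap fails with an unhelpful JSS error (or, for a cipher with the same block size, yields garbage key bytes). Compare `algId.getOID()` against the DES-EDE3-CBC OID before decoding the parameters and reject anything else with a clear exception. The same hunk fixes `KeyWrapAlgorithm.RSA` for `unwrappingKey`, which is the host CA signing key from the other patch; that is the EC-CA concern raised in the reply above, and `pubkey.getAlgorithm()` already shows how to branch on key type, so at minimum the RSA-only assumption should be checked and reported rather than left implicit. `throws InvalidBERException, Exception` can also be reduced to `throws Exception`.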
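As an added example (not code from the pki project or from the mail above), the check the review points at, in Python: parse the CRMF EncryptedValue far enough to confirm that symmAlg really is DES-EDE3-CBC before its IV and the hard-coded DES3 unwrap are trusted. The minimal DER helpers and the sample structure are constructed here.

```python
# Constructed example, not PKI/JSS code: parse a CRMF EncryptedValue (RFC 4211,
# IMPLICIT tags) and check symmAlg before trusting its IV, which the Java above
# skips (it reads only algId's parameters and hard-codes DES3).
DES_EDE3_CBC = "1.2.840.113549.3.7"   # id-des-ede3-cbc
def _tlv(buf, pos):                   # one DER TLV (short or long length) -> (tag, body, next)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        out.append((tag, inner))
    return out

def parse_encrypted_value(der):
    """Return (symm_oid, iv, enc_symm_key, enc_value); ValueError on mismatch."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EncryptedValue must be a SEQUENCE")
    fields = dict(_children(body))   # [1] symmAlg=0xA1, [2] encSymmKey=0x82, encValue=0x03
    if not all(t in fields for t in (0xA1, 0x82, 0x03)):
        raise ValueError("symmAlg, encSymmKey and encValue are all required here")
    alg = _children(fields[0xA1])    # AlgorithmIdentifier: OID, then parameters
    oid = _oid(alg[0][1])
    if oid != DES_EDE3_CBC:
        raise ValueError("symmAlg %s is not DES-EDE3-CBC; refusing to unwrap as DES3" % oid)
    if alg[1][0] != 0x04 or len(alg[1][1]) != 8:
        raise ValueError("DES-EDE3-CBC parameters must be an 8-byte OCTET STRING IV")
    return oid, alg[1][1], fields[0x82][1:], fields[0x03][1:]   # [1:] drops BIT STRING pad count

def _enc(tag, body):                  # short-form DER encoder, enough for the sample
    return bytes([tag, len(body)]) + body
def sample_encrypted_value(oid=bytes.fromhex("2a864886f70d0307")):
    # Constructed EncryptedValue with placeholder ciphertext, not real key material
    alg = _enc(0x06, oid) + _enc(0x04, bytes(range(8)))
    return _enc(0x30, _enc(0xA1, alg) + _enc(0x82, b"\x00" + b"\x11" * 16)
                + _enc(0x03, b"\x00" + b"\x22" * 32))
```

Passing the AES-128-CBC OID (2.16.840.1.101.3.4.1.2) to sample_encrypted_value shows the rejection path.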
Re: [Pki-devel] [PATCH] 735 Removed default certificate validity delay.
On Mon, May 02, 2016 at 09:30:11AM -0500, Endi Sukma Dewata wrote:
> Some certificate profiles have been modified to remove the default
> one minute validity delay, allowing the certificate issued with
> those profiles to be used immediately.
>
> https://fedorahosted.org/pki/ticket/2304
>
LGTM. Do we know what was the reason for the delay?

Cheers,
Fraser
Re: [Pki-devel] [PATCH] 731-733 Renamed TPS token states.
On 4/29/2016 12:06 PM, Endi Sukma Dewata wrote:
> To improve clarity and to anticipate future expansion (ticket #2287)
> some TPS token states have been renamed.

ACKed by jmagne (thanks!) with the following changes:
* the TokenService was reverted to use a switch statement
* the AVAILABLE token state was renamed to READY.

Pushed to master.

--
Endi S. Dewata
Re: [Pki-devel] [PATCH] 297, 298 add validity check for external CA
On Fri, 2016-04-22 at 16:37 -0500, Endi Sukma Dewata wrote:
> On 4/22/2016 2:37 PM, Ade Lee wrote:
> > commit 0fe7bf5ff989bbc24875dce30cec8f32e89c0a8f
> > Author: Ade Lee
> > Date: Fri Apr 22 15:31:43 2016 -0400
> >
> > Add validity check for the signing certificate in pkispawn
> >
> > When either an existing CA or external CA installation is
> > performed, use the pki-server cert validation tool to check
> > the signing certificate and chain.
> >
> > Ticket #2043
> >
> > commit 9104fdda145c4f2bbbedec7256c73922e8bffcef
> > Author: Ade Lee
> > Date: Wed Apr 20 17:26:23 2016 -0400
> >
> > Add CLI to check system certificate status
> >
> > We add two different calls:
> > 1. pki client-cert-validate - which checks a certificate in the client
> > certdb and calls the System cert verification call performed by JSS
> > in the system self test. This does some basic extensions and trust
> > tests, and also validates cert validity and cert trust chain.
> >
> > 2. pki-server subsystem-cert-validate
> > This calls pki client-cert-validate using the nssdb for the subsystem
> > on all of the system certificates by default (or just one if the
> > nickname is defined).
> >
> > This is a great thing to call when healthchecking an instance,
> > and also will be used by pkispawn to verify the signing cert in the
> > externally signed CA case.
> >
> > Trac Ticket 2043
> >
> In general it's ACKed. I have some minor comments/questions:
>
> 1. The SubsystemCertificateVerifier probably should be renamed to
> SystemCertificateVerifier since "system certificate" refers to a cert in
> the subsystem/instance's NSS database and "subsystem certificate" could
> be confused with the "subsystemCert cert-pki-tomcat".
>
done

> 2. Instead of storing a shared SubsystemCertificateVerifier object in
> the PKIDeployer object it might be better to create a factory method, so
> the verifier can be used like this:
>
>     verifier = deployer.create_system_cert_verifier()
>     verifier.verify_certificate('signing')
>
> That way the life-cycle of the verifier object will be short.
>
done

> 3. The .classpath got changed to point to a local path on your machine.
>
done

> 4. Is the "hardware-" name used consistently in our code?
>
>     passwd = instance.get_password("hardware-%s" % token)
>
it should be for non-internal.

From 537828983b11d1b26c5b1b140e79eaa45a06c63a Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Fri, 22 Apr 2016 15:31:43 -0400
Subject: [PATCH 2/2] Add validity check for the signing certificate in pkispawn

When either an existing CA or external CA installation is performed, use
the pki-server cert validation tool to check the signing certificate and
chain.

Ticket #2043
---
 .../python/pki/server/deployment/pkihelper.py     | 32 ++
 .../server/deployment/scriptlets/configuration.py | 51 +++---
 2 files changed, 68 insertions(+), 15 deletions(-)

diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index f01f6f69ff66d3687875c8f3d88840daf2115e3f..2898d7fe072883ca37bda0ffdbe5965c680ceb36 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -4592,6 +4592,34 @@ class ConfigClient: return cert +class SystemCertificateVerifier: +""" Verifies system certificates for a subsystem""" + +def __init__(self, instance=None, subsystem=None): +self.instance = instance +self.subsystem = subsystem + +def verify_certificate(self, cert_id=None): +cmd = ['pki-server', 'subsystem-cert-validate', + '-i', self.instance.name, + self.subsystem] +if cert_id is not None: +cmd.append(cert_id) +try: +subprocess.check_output( +cmd, +stderr=subprocess.STDOUT) +except subprocess.CalledProcessError as e: +config.pki_log.error( +"pki subsystem-cert-validate return code: " + str(e.returncode), +extra=config.PKI_INDENTATION_LEVEL_2 +) +config.pki_log.error( +e.output, +extra=config.PKI_INDENTATION_LEVEL_2) +raise + + class PKIDeployer: """Holds the global dictionaries and the utility objects""" @@ -4660,3 +4688,7 @@ class PKIDeployer: os.chmod( new_descriptor, config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS) + +@staticmethod +def create_system_cert_verifier(instance=None, subsystem=None): +return SystemCertificateVerifier(instance, subsystem) diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py
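Review bot: in the first hunk (@@ -4592) SystemCertificateVerifier.__init__ defaults both instance and subsystem to None, but verify_certificate dereferences self.instance.name and appends self.subsystem to the command unconditionally, so a verifier built without arguments fails with an AttributeError (or runs pki-server with a None argument) instead of a clear error; make both parameters required, or raise ValueError in __init__ when either is missing. The except branch logs e.output as-is; under Python 3 check_output returns bytes, so decode it before logging so the pki-server message is readable. The docstring also has a stray leading space (`""" Verifies`).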
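Review bot: in the second hunk (@@ -4660) create_system_cert_verifier forwards the same None defaults, so the factory can still hand back a verifier that cannot run; since the intended call is deployer.create_system_cert_verifier() followed by verify_certificate('signing'), the factory should either require instance and subsystem or take them from the deployer it lives on (as a staticmethod it currently ignores all PKIDeployer state, which makes attaching it to that class purely cosmetic).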