Re: [Pki-devel] [PATCH] 0100 Fix NSSDB certificate search method

2016-05-02 Thread Fraser Tweedale
On Wed, Apr 27, 2016 at 12:35:28PM -0500, Endi Sukma Dewata wrote:
> On 4/26/2016 10:50 PM, Fraser Tweedale wrote:
> >Hi all,
> >
> >Please review the attached patch, which fixes
> >https://fedorahosted.org/pki/ticket/2301.
> >
> >Cheers,
> >Fraser
> 
> ACK.
> 
Thanks Endi; pushed to master:

970fcc3b14f3a3fd5579aaa0259d289d82cff13d Fix NSSDB certificate search method

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-05-02 Thread Fraser Tweedale
On Fri, Apr 22, 2016 at 07:50:06PM -0400, John Magne wrote:
> I took a look at the stuff alee asked for.
> 
> CFU even took a quick look when I asked her a couple of questions.
> She was unsure of something (as was I) and she would like to be able
> to take a closer look next week. I will give my quick thoughts.
> 
> 1. I agree that HSM support is not in the patch, seems fine to move that
> to a future ticket.
> 
> Here is one thing I was kind of worried about:
> This is the code that imports the archive of the desired private key.
> 
> 
> ublic static PrivateKey importPKIArchiveOptions(
> +CryptoToken token, PrivateKey unwrappingKey,
> +PublicKey pubkey, byte[] data)
> +throws InvalidBERException, Exception {
> +ByteArrayInputStream in = new ByteArrayInputStream(data);
> +PKIArchiveOptions options = (PKIArchiveOptions)
> +(new PKIArchiveOptions.Template()).decode(in);
> +EncryptedKey encKey = options.getEncryptedKey();
> +EncryptedValue encVal = encKey.getEncryptedValue();
> +AlgorithmIdentifier algId = encVal.getSymmAlg();
> +BIT_STRING encSymKey = encVal.getEncSymmKey();
> +BIT_STRING encPrivKey = encVal.getEncValue();
> 
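Review bot: `options.getEncryptedKey()` and `encKey.getEncryptedValue()` are dereferenced without checking which alternative the decoded structure actually carries; PKIArchiveOptions and EncryptedKey are CHOICE types in CRMF (RFC 4211), so a request carrying a different alternative would fail on the next line with a NullPointerException instead of a descriptive error. Suggest checking for null after each `get...()` and throwing a clear exception (or an `InvalidBERException` with a message). Minor: `throws InvalidBERException, Exception` is redundant, since `Exception` already covers `InvalidBERException`.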
> This is the wrapper object that is built off of the caSigningUnit key gotten
> in the other patch, the RetrieverThread, like this:
> 
> 
> 
>  PrivateKey unwrappingKey = hostCA.mSigningUnit.getPrivateKey();
> 
> 
> 
> The code below works fine if said key is RSA. I talked it over with CFU and
> she said there could be a chance this key is ECC for an ECC CA.
> 
> We both think the rest of the code in this routine is fine, except for
> possibly that.
> She is also not even sure if JSS can support an ECC private key wrapper.
> 
> She requests you guys give her a day or two to look at it.
> 
> Except for the hsm issue, the code that calls this routine in the thread
> seems fine too.
> 
> +
> +KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
> +wrapper.initUnwrap(unwrappingKey, null);
> 
> 
> 
> 
> 
> 
> +SymmetricKey sk = wrapper.unwrapSymmetric(
> +encSymKey.getBits(), SymmetricKey.Type.DES3, 0);
> +
> +ASN1Value v = algId.getParameters();
> +v = ((ANY) v).decodeWith(new OCTET_STRING.Template());
> +byte iv[] = ((OCTET_STRING) v).toByteArray();
> +IVParameterSpec ivps = new IVParameterSpec(iv);
> +
> +wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
> +wrapper.initUnwrap(sk, ivps);
> +PrivateKey.Type keyType = pubkey.getAlgorithm().equals("EC")
> +? PrivateKey.Type.EC
> +: PrivateKey.Type.RSA;
> +return wrapper.unwrapPrivate(encPrivKey.getBits(), keyType, pubkey);
> +}
>
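Review bot: `token.getKeyWrapper(KeyWrapAlgorithm.RSA)` followed by `wrapper.initUnwrap(unwrappingKey, null)` hard-codes RSA for the unwrapping key, while the same routine later branches on `pubkey.getAlgorithm().equals("EC")` for the archived key; if `hostCA.mSigningUnit.getPrivateKey()` is an EC key (the case raised above), the unwrap is unlikely to succeed and would surface as a low-level token error rather than a clear message. Suggest checking the unwrapping key's type before the `getKeyWrapper` call and throwing a descriptive exception for non-RSA keys until EC key unwrapping is confirmed to work in JSS. Also, `algId.getParameters()` is cast to `ANY` and decoded as an OCTET_STRING with no null check, so an AlgorithmIdentifier without an IV parameter would produce a NullPointerException instead of an `InvalidBERException`.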
Pushed to master.

Christina, I know you were/are very busy so thanks for spending
some time looking at these patches.  If you have any other questions
or concerns let me know ASAP.

24992c089b9b5088f4481fda3d01a907565b5121 Lightweight CAs: authority schema changes
dc8c21cc9a68968a2b1db87f9b21cf3afbdb966a Add method CryptoUtil.importPKIArchiveOptions
e21aadd5e14dbcda73c20f20e67b1bcc8d5b5bfc Add ca-authority-key-export command
94ee373d053b34e534fbb61826e586693a38c934 Lightweight CAs: add key retrieval framework
a2a4117dbc7e489cbb1964d6ce5f95b786a03fde Lightweight CAs: add IPACustodiaKeyRetriever

Cheers,
Fraser



Re: [Pki-devel] [PATCH] 735 Removed default certificate validity delay.

2016-05-02 Thread Fraser Tweedale
On Mon, May 02, 2016 at 09:30:11AM -0500, Endi Sukma Dewata wrote:
> Some certificate profiles have been modified to remove the default
> one minute validity delay, allowing the certificate issued with
> those profiles to be used immediately.
> 
> https://fedorahosted.org/pki/ticket/2304
> 
LGTM.  Do we know what the reason for the delay was?

Cheers,
Fraser



Re: [Pki-devel] [PATCH] 731-733 Renamed TPS token states.

2016-05-02 Thread Endi Sukma Dewata

On 4/29/2016 12:06 PM, Endi Sukma Dewata wrote:

To improve clarity and to anticipate future expansion (ticket #2287)
some TPS token states have been renamed.


ACKed by jmagne (thanks!) with the following changes:
* the TokenService was reverted to use switch statement
* the AVAILABLE token state was renamed to READY.

Pushed to master.

--
Endi S. Dewata



Re: [Pki-devel] [PATCH] 297, 298 add validity check for external CA

2016-05-02 Thread Ade Lee
On Fri, 2016-04-22 at 16:37 -0500, Endi Sukma Dewata wrote:
> On 4/22/2016 2:37 PM, Ade Lee wrote:
> > commit 0fe7bf5ff989bbc24875dce30cec8f32e89c0a8f
> > Author: Ade Lee 
> > Date:   Fri Apr 22 15:31:43 2016 -0400
> > 
> >  Add validity check for the signing certificate in pkispawn
> > 
> >  When either an existing CA or external CA installation is
> >  performed, use the pki-server cert validation tool to check
> >  the signing certificate and chain.
> > 
> >  Ticket #2043
> > 
> > commit 9104fdda145c4f2bbbedec7256c73922e8bffcef
> > Author: Ade Lee 
> > Date:   Wed Apr 20 17:26:23 2016 -0400
> > 
> >  Add CLI to check system certificate status
> > 
> >  We add two different calls:
> >  1. pki client-cert-validate - which checks a certificate in the client
> > certdb and calls the System cert verification call performed by JSS
> > in the system self test.  This does some basic extensions and trust
> > tests, and also validates cert validity and cert trust chain.
> > 
> >  2. pki-server subsystem-cert-validate  
> > This calls pki client-cert-validate using the nssdb for the subsystem
> > on all of the system certificates by default (or just one if the
> > nickname is defined).
> > 
> > This is a great thing to call when healthchecking an instance,
> > and also will be used by pkispawn to verify the signing cert in the
> > externally signed CA case.
> > 
> >  Trac Ticket 2043
> > 
> 
> In general it's ACKed. I have some minor comments/questions:
> 
> 1. The SubsystemCertificateVerifier probably should be renamed to
> SystemCertificateVerifier since "system certificate" refers to a cert in
> the subsystem/instance's NSS database and "subsystem certificate" could
> be confused with the "subsystemCert cert-pki-tomcat".
> 
done

> 2. Instead of storing a shared SubsystemCertificateVerifier object in
> the PKIDeployer object it might be better to create a factory method, so
> the verifier can be used like this:
> 
>verifier = deployer.create_system_cert_verifier()
>verifier.verify_certificate('signing')
> 
> That way the life-cycle of the verifier object will be short.
> 
done
> 3. The .classpath got changed to point to a local path on your
> machine.
> 
done
> 4. Is the "hardward-" name used consistently in our code?
> 
>passwd = instance.get_password("hardware-%s" % token)
> 

it should be for non-internal.

From 537828983b11d1b26c5b1b140e79eaa45a06c63a Mon Sep 17 00:00:00 2001
From: Ade Lee 
Date: Fri, 22 Apr 2016 15:31:43 -0400
Subject: [PATCH 2/2] Add validity check for the signing certificate in
 pkispawn

When either an existing CA or external CA installation is
performed, use the pki-server cert validation tool to check
the signing certificate and chain.

Ticket #2043
---
 .../python/pki/server/deployment/pkihelper.py  | 32 ++
 .../server/deployment/scriptlets/configuration.py  | 51 +++---
 2 files changed, 68 insertions(+), 15 deletions(-)

diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index f01f6f69ff66d3687875c8f3d88840daf2115e3f..2898d7fe072883ca37bda0ffdbe5965c680ceb36 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -4592,6 +4592,34 @@ class ConfigClient:
 return cert
 
 
+class SystemCertificateVerifier:
+""" Verifies system certificates for a subsystem"""
+
+def __init__(self, instance=None, subsystem=None):
+self.instance = instance
+self.subsystem = subsystem
+
+def verify_certificate(self, cert_id=None):
+cmd = ['pki-server', 'subsystem-cert-validate',
+   '-i', self.instance.name,
+   self.subsystem]
+if cert_id is not None:
+cmd.append(cert_id)
+try:
+subprocess.check_output(
+cmd,
+stderr=subprocess.STDOUT)
+except subprocess.CalledProcessError as e:
+config.pki_log.error(
+"pki subsystem-cert-validate return code: " + str(e.returncode),
+extra=config.PKI_INDENTATION_LEVEL_2
+)
+config.pki_log.error(
+e.output,
+extra=config.PKI_INDENTATION_LEVEL_2)
+raise
+
+
 class PKIDeployer:
 """Holds the global dictionaries and the utility objects"""
 
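Review bot: `verify_certificate` builds `cmd` from `self.instance.name` and `self.subsystem`, but `__init__` defaults both to `None`, so a verifier constructed without them fails with an AttributeError on `self.instance.name` (or hands a literal `None` argument to subprocess) rather than a clear error; suggest making both constructor parameters required, or validating them at the top of `verify_certificate`. Also, `e.output` from `subprocess.check_output` is bytes on Python 3, so `config.pki_log.error(e.output, ...)` should decode it (for example `e.output.decode('utf-8', 'replace')`) to keep the log readable.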
@@ -4660,3 +4688,7 @@ class PKIDeployer:
 os.chmod(
 new_descriptor,
 config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS)
+
+@staticmethod
+def create_system_cert_verifier(instance=None, subsystem=None):
+return SystemCertificateVerifier(instance, subsystem)
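Review bot: `create_system_cert_verifier` is a `@staticmethod` that needs `instance` and `subsystem` passed explicitly, but the usage proposed earlier in the thread (`verifier = deployer.create_system_cert_verifier()` with no arguments) would then produce a verifier with `instance=None`, which `verify_certificate` cannot use. Either make it an instance method that fills in the instance and subsystem from the deployer's own state, or drop the `None` defaults so callers must supply them; a short docstring stating what the factory expects would also help.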
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py