Re: [Pki-devel] [PATCH] pki-cfu-0122-Ticket-1527-reopened-retrieved-wrong-ca-connector-co.patch

2016-05-17 Thread John Magne


Looks good.

If tested to work conditional ACK.

Just one thing, when throwing a TPSException at the end of the patch,
please give it the error code, TPSStatus.STATUS_ERROR_CONTACT_ADMIN

----- Original Message -----
> From: "Christina Fu" 
> To: "pki-devel" 
> Sent: Tuesday, May 17, 2016 6:13:01 PM
> Subject: [Pki-devel] [PATCH] 
> pki-cfu-0122-Ticket-1527-reopened-retrieved-wrong-ca-connector-co.patch
> 
> Ticket #1527 (reopened) retrieved wrong ca connector config parameter
>  This ticket was reopened due to retrieving wrong ca connector
> config param under the situation when format is performed during enrollment.
>  The following is attempted:
>  op.enroll.userKey.ca.conn
>  while the following is intended:
>  op.format.userKey.ca.conn
>  In addition, this patch also fixes the following issues;
>  a. reason param name is not conforming: "reason" instead of
> "revokeReason"
>  b. adding default reason to format TPS profiles
>  c. by default mappingResolver.formatProfileMappingResolver resolves
> to tokenKey, while enroll resolves to userKey.
> -> now changed the userKey
>  d. if revocation fails during format, it was forgiving.
> -> now changed so that error is logged in activity log and exception
>thrown and bail out
> 
> Tested to work.
> 
> thanks,
> Christina
> 
> ___
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel



[Pki-devel] [PATCH] pki-cfu-0122-Ticket-1527-reopened-retrieved-wrong-ca-connector-co.patch

2016-05-17 Thread Christina Fu

Ticket #1527 (reopened) retrieved wrong ca connector config parameter
This ticket was reopened due to retrieving wrong ca connector
config param under the situation when format is performed during enrollment.

The following is attempted:
op.enroll.userKey.ca.conn
while the following is intended:
op.format.userKey.ca.conn
In addition, this patch also fixes the following issues:
a. reason param name is not conforming: "reason" instead of "revokeReason"
b. adding default reason to format TPS profiles
c. by default mappingResolver.formatProfileMappingResolver resolves
   to tokenKey, while enroll resolves to userKey.
   -> now changed the userKey
d. if revocation fails during format, it was forgiving.
   -> now changed so that error is logged in activity log and exception
   thrown and bail out

Tested to work.

thanks,
Christina
From 81a475e7a8fe0ff086047bf3295abea253a7e394 Mon Sep 17 00:00:00 2001
From: Christina Fu 
Date: Tue, 17 May 2016 17:57:11 -0700
Subject: [PATCH] Ticket #1527 (reopened) retrieved wrong ca connector config
 parameter This ticket was reopened due to retrieving wrong ca connector
 config param. The following is attempted: op.enroll.userKey.ca.conn while the
 following is intended: op.format.userKey.ca.conn In addition, this patch also
 fixes the following issues; a. reason param name is not conforming: "reason"
 instead of "revokeReason" b. adding default reason to format TPS profiles c.
 by default mappingResolver.formatProfileMappingResolver resolvesto
 tokenKey, while enroll resolves to userKey.-> now changed the userKey d.
 if revocation fails during format, it was forgiving.-> now changed so
 that error is logged in activity log and exception   thrown and bail out

---
 base/tps/shared/conf/CS.cfg| 12 +++-
 .../org/dogtagpki/server/tps/processor/TPSProcessor.java   | 14 --
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index 638787d225ca819f051ad999ca92c75c9d51cb88..90d1747dd4617b097e11207f8c10e0bbd8c5ccee 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -428,6 +428,7 @@ op.format.delegateIEtoken.issuerinfo.enable=true
 op.format.delegateIEtoken.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
 op.format.delegateIEtoken.loginRequest.enable=true
 op.format.delegateIEtoken.revokeCert=false
+op.format.delegateIEtoken.revokeCert.reason=0
 op.format.delegateIEtoken.tks.conn=tks1
 op.format.delegateIEtoken.update.applet.directory=/usr/share/pki/tps/applets
 op.format.delegateIEtoken.update.applet.emptyToken.enable=true
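Review bot: `revokeCert.reason=0` is CRLReason unspecified (RFC 5280 section 5.3.1), and because this profile keeps `op.format.delegateIEtoken.revokeCert=false` the new key is inert here; that is fine as a uniform default, but the commit message should state that the key is added to every format profile for consistency so nobody reads its presence as enabling revocation for delegateIEtoken.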
@@ -686,6 +687,7 @@ op.format.delegateISEtoken.issuerinfo.enable=true
 op.format.delegateISEtoken.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
 op.format.delegateISEtoken.loginRequest.enable=true
 op.format.delegateISEtoken.revokeCert=false
+op.format.delegateISEtoken.revokeCert.reason=0
 op.format.delegateISEtoken.tks.conn=tks1
 op.format.delegateISEtoken.update.applet.directory=/usr/share/pki/tps/applets
 op.format.delegateISEtoken.update.applet.emptyToken.enable=true
@@ -770,6 +772,7 @@ op.format.externalRegAddToToken.update.applet.requiredVersion=1.4.54de790f
 op.format.externalRegAddToToken.update.symmetricKeys.enable=false
 op.format.externalRegAddToToken.update.symmetricKeys.requiredVersion=1
 op.format.externalRegAddToToken.revokeCert=false
+op.format.externalRegAddToToken.revokeCert.reason=0
 op.enroll.allowUnknownToken=true
 op.enroll.mappingResolver=enrollProfileMappingResolver
 op.enroll.soKey.cuidMustMatchKDD=false
@@ -1392,6 +1395,7 @@ op.format.cleanToken.issuerinfo.enable=true
 op.format.cleanToken.issuerinfo.value=
 op.format.cleanToken.loginRequest.enable=true
 op.format.cleanToken.revokeCert=true
+op.format.cleanToken.revokeCert.reason=0
 op.format.cleanToken.tks.conn=tks1
 op.format.cleanToken.update.applet.directory=[TPS_DIR]/applets
 op.format.cleanToken.update.applet.emptyToken.enable=true
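Review bot: in this profile `op.format.cleanToken.revokeCert=true`, so unlike the delegate profiles above this default is the reason actually sent to the CA when a format revokes the token's certificates; 0 (unspecified) is valid but tells CRL consumers nothing, so consider whether a deliberate value (RFC 5280 defines, for example, cessationOfOperation = 5) is the better shipped default, or at least note in the commit message that 0 was chosen to preserve prior behaviour.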
@@ -1413,6 +1417,7 @@ op.format.soCleanSOToken.issuerinfo.enable=true
 op.format.soCleanSOToken.issuerinfo.value=
 op.format.soCleanSOToken.loginRequest.enable=false
 op.format.soCleanSOToken.revokeCert=true
+op.format.soCleanSOToken.revokeCert.reason=0
 op.format.soCleanSOToken.tks.conn=tks1
 op.format.soCleanSOToken.update.applet.directory=[TPS_DIR]/applets
 op.format.soCleanSOToken.update.applet.emptyToken.enable=true
@@ -1434,6 +1439,7 @@ op.format.soCleanUserToken.issuerinfo.enable=true
 op.format.soCleanUserToken.issuerinfo.value=
 op.format.soCleanUserToken.loginRequest.enable=false
 op.format.soCleanUserToken.revokeCert=true
+op.format.soCleanUserToken.revokeCert.reason=0
 op.format.soCleanUserToken.tks.conn=tks1
 op.format.soCleanUserToken.update.applet.directory=[TPS_DIR]/applets
 op.format.soCleanUserToken.update.applet.emptyToken.enable=true
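Review bot: the diffstat lists TPSProcessor.java with 14 lines changed, but only the CS.cfg hunks survive in this archived copy, so the Java side (selecting the `op.format` rather than `op.enroll` connector key, reading `revokeCert.reason`, and turning a failed format-time revocation into a logged error plus exception) cannot be checked here. When that hunk is reviewed, confirm the key it reads is exactly `op.format.<profile>.revokeCert.reason` as added in these hunks, and, as the reply in this thread asks, give the new TPSException the status TPSStatus.STATUS_ERROR_CONTACT_ADMIN so the client reports a contact-admin condition rather than a generic failure.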
@@ 
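The defect the ticket describes is a config lookup keyed on the wrong operation name, plus a revocation step that swallowed failures. The following is an added example, not Dogtag's own code: it parses a constructed CS.cfg-style excerpt, shows the pre-fix lookup (operation hard-wired to `enroll`) beside the corrected one (operation taken from the call), and models the "no longer forgiving" format-time revocation that writes to the activity log and raises. The function names, the `revoke` callable and the connector names are assumptions for illustration.

```python
"""Added example, not Dogtag's own code: resolve a TPS CA connector from
CS.cfg-style keys using the operation actually being performed, and treat
a failed revocation during format as a hard error recorded in the activity
log. Names such as resolve_ca_connector, format_token and the `revoke`
callable are assumptions for illustration."""
import logging

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("tps.activity")

# Constructed CS.cfg excerpt; connector names and values are made up.
SAMPLE_CFG = """
op.enroll.userKey.ca.conn=ca1
op.format.userKey.ca.conn=ca2
op.format.userKey.revokeCert=true
op.format.userKey.revokeCert.reason=0
op.format.tokenKey.ca.conn=ca1
op.format.tokenKey.revokeCert=false
"""


def parse_cfg(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def connector_key(op, profile):
    """Key layout used by the TPS profiles: op.<op>.<profile>.ca.conn"""
    return "op.%s.%s.ca.conn" % (op, profile)


def resolve_ca_connector_buggy(cfg, op, profile):
    """Pre-fix behaviour described in the ticket: the operation name is
    hard-wired to 'enroll', so a format triggered during enrollment reads
    op.enroll.<profile>.ca.conn instead of op.format.<profile>.ca.conn.
    The `op` argument is deliberately ignored to reproduce that defect."""
    return cfg[connector_key("enroll", profile)]


def resolve_ca_connector(cfg, op, profile):
    """Fixed behaviour: build the key from the operation actually running
    and fail loudly if the profile has no connector for that operation."""
    key = connector_key(op, profile)
    if key not in cfg:
        raise KeyError("missing config parameter: " + key)
    return cfg[key]


class RevocationError(Exception):
    """Raised when revocation during format fails; the caller must bail out."""


def format_token(cfg, profile, serial, revoke, activity):
    """Format-time revocation step. `revoke(connector, serial, reason)` is an
    assumed callable returning True on success; `activity` is the list that
    stands in for the TPS activity log. Returns the connector used, or None
    when the profile disables revocation."""
    if cfg.get("op.format.%s.revokeCert" % profile, "false").lower() != "true":
        activity.append("format %s: revocation disabled" % profile)
        return None
    conn = resolve_ca_connector(cfg, "format", profile)
    reason = int(cfg.get("op.format.%s.revokeCert.reason" % profile, "0"))
    if not revoke(conn, serial, reason):
        # No longer forgiving: record the failure and abort the format.
        msg = "format %s: revocation of serial %s via %s failed" % (profile, serial, conn)
        activity.append(msg)
        log.error(msg)
        raise RevocationError(msg)
    activity.append("format %s: revoked serial %s via %s (reason %d)"
                    % (profile, serial, conn, reason))
    return conn


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    print("buggy lookup for format/userKey:", resolve_ca_connector_buggy(cfg, "format", "userKey"))
    print("fixed lookup for format/userKey:", resolve_ca_connector(cfg, "format", "userKey"))
    entries = []
    try:
        format_token(cfg, "userKey", "0x1a", lambda c, s, r: False, entries)
    except RevocationError as err:
        print("bailed out:", err)
    print("\n".join(entries))
```

Running the block shows the buggy resolver answering `ca1` for a format of a userKey token (the enroll connector) while the fixed resolver answers `ca2`, and the failed-revocation path leaving an activity-log entry before the exception propagates instead of silently continuing.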

[Pki-devel] Updated External EPEL CentOS 7 COPR builds are now available . . .

2016-05-17 Thread Matthew Harmsen

An updated external EPEL CentOS 7 COPR repo is now available which
contains Dogtag 10.3.1 builds:

 * https://copr.fedorainfracloud.org/coprs/g/pki/10.3.1/repo/epel-7/group_pki-10.3.1-epel-7.repo

   [group_pki-10.3.1]
   name=Copr repo for 10.3.1 owned by @pki
   baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.1/epel-7-$basearch/
   skip_if_unavailable=True
   gpgcheck=1
   gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.1/pubkey.gpg
   enabled=1
   enabled_metadata=1

-- Matt


[Pki-devel] Karma Request for Dogtag 10.3.1 on Fedora 24

2016-05-17 Thread Matthew Harmsen
The following candidate builds of Dogtag 10.3.1 for Fedora 24 (final)
consist of the following:

 * dogtag-pki-theme-10.3.1-1.fc24
 * dogtag-pki-10.3.1-1.fc24
 * pki-core-10.3.1-1.fc24
 * pki-console-10.3.1-1.fc24

Please provide Karma for these builds in Bodhi located at:

 * dogtag-pki-theme-10.3.1-1.fc24
 * dogtag-pki-10.3.1-1.fc24
 * pki-core-10.3.1-1.fc24
 * pki-console-10.3.1-1.fc24

Additionally, the following builds have been provided for Fedora 25
(rawhide):

 * dogtag-pki-theme-10.3.1-1.fc25
 * dogtag-pki-10.3.1-1.fc25
 * pki-core-10.3.1-1.fc25
 * pki-console-10.3.1-1.fc25

Thanks,
-- Matt


[Pki-devel] [PATCH] 0112 Return 410 Gone if target CA of request has been deleted

2016-05-17 Thread Fraser Tweedale
Hi all,
attached patch fixes https://fedorahosted.org/pki/ticket/2332

Cheers,
Fraser
From baf904216848a5d775948853764d2657ea6405e9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 17 May 2016 14:47:11 +1000
Subject: [PATCH] Return 410 Gone if target CA of request has been deleted

When processing a request whose target CA has been deleted in
between request submission and request approval, the server does not
handle the CANotFoundException, resulting in response status 500.

Catch the CANotFoundException and respond with status 410 Gone.

Fixes: https://fedorahosted.org/pki/ticket/2332
---
 base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java 
b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
index 
80aaf6f7899d92675c15c6f944b7a3a491784145..d154e8eec31c3c74883e606d95eaa2094f36ff2f
 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
@@ -41,6 +41,7 @@ import com.netscape.certsrv.base.BadRequestDataException;
 import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.ConflictingOperationException;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.HTTPGoneException;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.ResourceNotFoundException;
 import com.netscape.certsrv.base.ServiceUnavailableException;
@@ -49,6 +50,7 @@ import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CADisabledException;
 import com.netscape.certsrv.ca.CAMissingCertException;
 import com.netscape.certsrv.ca.CAMissingKeyException;
+import com.netscape.certsrv.ca.CANotFoundException;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.cert.CertRequestInfo;
@@ -252,6 +254,11 @@ public class CertRequestService extends PKIService 
implements CertRequestResourc
 } catch (BadRequestDataException e) {
 CMS.debug("changeRequestState: bad request data: " + e);
 throw new BadRequestException(e.toString());
+} catch (CANotFoundException e) {
+// The target CA does not exist (deleted between
+// request submission and approval).
+CMS.debug("changeRequestState: CA not found: " + e);
+throw new HTTPGoneException(e.toString());
 } catch (CADisabledException e) {
 CMS.debug("changeRequestState: CA disabled: " + e);
 throw new ConflictingOperationException(e.toString());
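Review bot: the new catch returns `e.toString()` verbatim as the 410 response body, mirroring the CADisabledException branch beneath it; confirm that CANotFoundException's message names only the authority identifier the caller already referenced and no internal detail, since that string goes straight to the HTTP client. Also, only changeRequestState is covered here (the `changeRequestState:` debug prefix shows the scope), so if request submission or review can raise the same CANotFoundException those paths still surface as 500; consider applying the same mapping there or opening a follow-up ticket.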
-- 
2.5.5
