Re: [Pki-devel] [PATCH] 0120..0121 Remove pki-ipa-retrieve-key script

2016-06-02 Thread Fraser Tweedale 
On Thu, Jun 02, 2016 at 11:45:43PM -0500, Endi Sukma Dewata wrote:
> On 5/31/2016 11:45 PM, Fraser Tweedale wrote:
> > G'day comrades,
> > 
> > Please review the attached two patches, which...
> > 
> > (Patch 0120)
> > 
> > - provide for passing of configuration (from CS.cfg) to KeyRetriever
> >   implementations
> > 
> > - generalise IPACustodiaKeyRetriever to ExternalProcessKeyRetriever,
> >   which executes a configured executable rather than a hardcoded one
> > 
> > (Patch 0121)
> > 
> > - remove pki-ipa-retrieve-key script; it is being moved to FreeIPA
> >   repo
> > 
> > Cheers,
> > Fraser
> 
> ACK.
> 
> Separate issue. Instead of returning multiple binary attributes delimited
> with 0 byte through standard output, it might be better to use JSON file
> instead. So the command can be defined something like this:
> 
> features.authority.keyRetrieverConfig.exec=/usr/libexec/pki-ipa-retrieve-key
> -o {output}
> 
> The ExternalProcessKeyRetriever will replace the {output} with a temporary
> file, then later parse the result from that file.
> 
Thanks Endi; pushed to master:

419ca3000142c60f176aabc68a2c5c3a1a3c1ea9 Lightweight CAs: remove 
pki-ipa-retrieve-key script
f11e0b372e3a0736050dd9e2858fce3178171ee6 Lightweight CAs: generalise 
subprocess-based key retrieval

I agree with the JSON enhancement, but not with using a temporary
file; we can just send the JSON through stdout.  I filed ticket:
https://fedorahosted.org/pki/ticket/2351

Cheers,
Fraser

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] Certificate Nickname Improvement

2016-06-02 Thread Fraser Tweedale 
On Thu, Jun 02, 2016 at 11:35:12PM -0600, Matthew Harmsen wrote:
> Please review the attached patch which addresses the following ticket:
> 
>  * PKI TRAC Ticket #1432 - Certificate nickname improvement
>
> 
> This was tested by successfully:
> 
>  * creating a shared PKI instance containing a CA, KRA, OCSP, TKS, and TPS,
>  * creating a separated CA,
>  * creating a separated KRA,
>  * creating a separated OCSP,
>  * creating a separated TKS,
>  * creating a separated TPS, and
>  * installing a FreeIPA instance
> 
> Detailed contents of the nicknames as they appear in the NSS security
> databases of both the shared PKI instance as well as each of the separated
> PKI instances is detailed in the above ticket.
> 

Not a NACK, but please HOLD this patch until I can thoroughly review
it and determine its impact on IPA.  A lot of the nicknames are
currently hardcoded in IPA.  Installation may work but I can all but
guarantee this will break replica installation and automatic
renewal.

I (or someone) will need time to work out the impact on IPA and
proactively ensure that IPA will continue to work after this change.
(That probably won't happen in time for 10.3.2 release, sorry!)

Thanks,
Fraser

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0117..0119 Retry key retrieval on failure

2016-06-02 Thread Fraser Tweedale 
On Thu, Jun 02, 2016 at 11:45:38PM -0500, Endi Sukma Dewata wrote:
> On 5/31/2016 11:31 PM, Fraser Tweedale wrote:
> > Hi team,
> > 
> > The attached patches implement key retrieval retry with backoff
> > (ticket: https://fedorahosted.org/pki/ticket/2293).
> > 
> > Thanks,
> > Fraser
> 
> ACK.
> 
Thanks Endi; pushed to master:

f78af863edb020db763ce7920b3b0a6ea61d8e5e Retry failed key retrieval with backoff
9062e0265e7cadfa05f64a7c5c0a718594283d06 Don't update obsolete 
CertificateAuthority after key retrieval
b1bafc4935c088fe98373a7988f5e0518b950226 Limit key retrieval to a single thread 
per CA

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0115 Include serial of revoked cert in CertRequestInfo

2016-06-02 Thread Fraser Tweedale 
On Thu, Jun 02, 2016 at 10:28:15PM -0500, Endi Sukma Dewata wrote:
> On 5/29/2016 8:31 PM, Fraser Tweedale wrote:
> > Please review the attached patch, which addresses
> > https://fedorahosted.org/pki/ticket/1073
> > 
> > Cheers,
> > Fraser
> 
> ACK.
> 
Thanks; pushed to master (9bcc0bba57003a26ee0488def88a57ca883d9134)

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0112 Return 410 Gone if target CA of request has been deleted

2016-06-02 Thread Fraser Tweedale 
On Thu, Jun 02, 2016 at 08:02:35PM -0500, Endi Sukma Dewata wrote:
> On 5/17/2016 12:20 AM, Fraser Tweedale wrote:
> > Hi all,
> > attached patch fixes https://fedorahosted.org/pki/ticket/2332
> > 
> > Cheers,
> > Fraser
> 
> Assuming an identical CA cannot be created to replace the old one, HTTP 410
> Gone is fine. If it's possible, it should be HTTP 404 Not Found. ACK.
>
Authority IDs are random UUIDs, so I think we can safely say that
Gone means Gone :)

Thanks for reviewing!
Pushed to master (443ad5e35e106f84b5439ee7d2861ccd5d6245f3)

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0110 Lightweight CAs: remove redundant deletePrivateKey invocation

2016-06-02 Thread Fraser Tweedale 
On Thu, Jun 02, 2016 at 07:10:49PM -0500, Endi Sukma Dewata wrote:
> On 5/15/2016 10:26 PM, Fraser Tweedale wrote:
> > Hi team,
> > 
> > The attached patch fixes https://fedorahosted.org/pki/ticket/1640.
> > 
> > Cheers,
> > Fraser
> 
> ACK.
> 
Thanks; pushed to master (c685a4195cdde16e875478b0f4554e688762f927)

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0111 Lightweight CAs: remove NSSDB material when processing deletion

2016-06-02 Thread Fraser Tweedale 
On Thu, Jun 02, 2016 at 07:31:55PM -0500, Endi Sukma Dewata wrote:
> On 5/15/2016 11:07 PM, Fraser Tweedale wrote:
> > The attached patch makes clones delete lightweight CA keys/certs
> > from local NSSDB when processing LWCA deletion.
> > 
> > Ticket: https://fedorahosted.org/pki/ticket/2328
> > 
> > Thanks,
> > Fraser
> 
> ACK.
> 
Thanks; pushed to master (64b62b1ce44b9baf40b5bcd913c89a1a513803ae)

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] Certificate Nickname Improvement

2016-06-02 Thread Matthew Harmsen 

Please review the attached patch which addresses the following ticket:

 * PKI TRAC Ticket #1432 - Certificate nickname improvement
   

This was tested by successfully:

 * creating a shared PKI instance containing a CA, KRA, OCSP, TKS, and TPS,
 * creating a separated CA,
 * creating a separated KRA,
 * creating a separated OCSP,
 * creating a separated TKS,
 * creating a separated TPS, and
 * installing a FreeIPA instance

Detailed contents of the nicknames as they appear in the NSS security 
databases of both the shared PKI instance as well as each of the 
separated PKI instances is detailed in the above ticket.


From 00d3bc11b4146eb23b48d7458ddef5501f40ca72 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen 
Date: Thu, 2 Jun 2016 19:47:40 -0600
Subject: [PATCH] Certificate nickname improvement

- PKI TRAC Ticket #432 - Certificate nickname improvement
---
 base/ca/shared/conf/CS.cfg | 20 ++---
 .../src/com/netscape/cmstools/KRATool.java |  2 +-
 base/kra/shared/conf/CS.cfg| 16 +-
 base/ocsp/shared/conf/CS.cfg   | 10 +++
 .../src/com/netscape/cmscore/security/SSLCert.java |  2 +-
 .../cmscore/security/SSLSelfSignedCert.java|  2 +-
 base/server/etc/default.cfg| 34 +++---
 base/server/man/man5/pki_default.cfg.5 |  2 +-
 base/server/tomcat7/conf/server.xml|  4 +--
 base/server/tomcat8/conf/server.xml|  4 +--
 base/tks/shared/conf/CS.cfg|  8 ++---
 base/tps-client/apache/conf/nss.conf   |  4 +--
 base/tps-client/doc/CS.cfg | 10 +++
 base/tps-client/setup/create.pl|  2 +-
 base/tps-client/src/engine/RA.cpp  |  2 +-
 base/tps/man/man5/pki-tps-connector.5  | 12 
 base/tps/shared/conf/CS.cfg| 10 +++
 .../server/tps/cms/ConnectionManager.java  |  2 +-
 18 files changed, 73 insertions(+), 73 deletions(-)

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 989a322..45c5857 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -14,7 +14,7 @@ pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
 pkicreate.user=[PKI_USER]
 pkicreate.arg11.group=[PKI_GROUP]
 pkicreate.systemd.servicename=[PKI_SYSTEMD_SERVICENAME]
-pkiremove.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_NAME]
+pkiremove.cert.subsystem.nickname=Subsystem Certificate for [PKI_INSTANCE_NAME]
 installDate=[INSTALL_TIME]
 preop.wizard.name=CA Setup Wizard
 preop.product.name=CS
@@ -72,7 +72,7 @@ preop.cert.signing.dn=CN=Certificate Authority
 preop.cert.signing.cncomponent.override=true
 preop.cert.signing.keysize.size=2048
 preop.cert.signing.keysize.custom_size=2048
-preop.cert.signing.nickname=caSigningCert cert-[PKI_INSTANCE_NAME]
+preop.cert.signing.nickname=CA Signing Certificate for [PKI_INSTANCE_NAME] CA
 preop.cert.signing.profile=caCert.profile
 preop.cert.signing.signing.required=true
 preop.cert.signing.subsystem=ca
@@ -82,7 +82,7 @@ preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
 preop.cert.audit_signing.dn=CN=CA Audit Signing Certificate
 preop.cert.audit_signing.keysize.custom_size=2048
 preop.cert.audit_signing.keysize.size=2048
-preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_NAME]
+preop.cert.audit_signing.nickname=Audit Signing Certificate for [PKI_INSTANCE_NAME] CA
 preop.cert.audit_signing.profile=caAuditSigningCert.profile
 preop.cert.audit_signing.signing.required=false
 preop.cert.audit_signing.subsystem=ca
@@ -93,7 +93,7 @@ preop.cert.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
 preop.cert.ocsp_signing.dn=CN=OCSP Signing Certificate
 preop.cert.ocsp_signing.keysize.custom_size=2048
 preop.cert.ocsp_signing.keysize.size=2048
-preop.cert.ocsp_signing.nickname=ocspSigningCert cert-[PKI_INSTANCE_NAME]
+preop.cert.ocsp_signing.nickname=OCSP Signing Certificate for [PKI_INSTANCE_NAME] CA
 preop.cert.ocsp_signing.profile=caOCSPCert.profile
 preop.cert.ocsp_signing.signing.required=true
 preop.cert.ocsp_signing.subsystem=ca
@@ -115,7 +115,7 @@ preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
 preop.cert.subsystem.dn=CN=CA Subsystem Certificate
 preop.cert.subsystem.keysize.custom_size=2048
 preop.cert.subsystem.keysize.size=2048
-preop.cert.subsystem.nickname=subsystemCert cert-[PKI_INSTANCE_NAME]
+preop.cert.subsystem.nickname=Subsystem Certificate for [PKI_INSTANCE_NAME]
 preop.cert.subsystem.profile=subsystemCert.profile
 preop.cert.subsystem.signing.required=false
 preop.cert.subsystem.subsystem=ca
@@ -143,9 +143,9 @@ preop.name.caDN=CN=Certificate Authority
 preop.name.sslDN=CN=[PKI_HOSTNAME]
 preop.name.ocspDN=CN=OCSP Signing Certificate
 preop.name.subsystemDN=CN=CA Subsystem Certificate
-preop.name.canickname=caSigningCert cert-[PKI_INSTANCE_NAME]
-

Re: [Pki-devel] [PATCH] 0120..0121 Remove pki-ipa-retrieve-key script

2016-06-02 Thread Endi Sukma Dewata 

On 5/31/2016 11:45 PM, Fraser Tweedale wrote:

G'day comrades,

Please review the attached two patches, which...

(Patch 0120)

- provide for passing of configuration (from CS.cfg) to KeyRetriever
  implementations

- generalise IPACustodiaKeyRetriever to ExternalProcessKeyRetriever,
  which executes a configured executable rather than a hardcoded one

(Patch 0121)

- remove pki-ipa-retrieve-key script; it is being moved to FreeIPA
  repo

Cheers,
Fraser


ACK.

Separate issue. Instead of returning multiple binary attributes 
delimited with 0 byte through standard output, it might be better to use 
JSON file instead. So the command can be defined something like this:


features.authority.keyRetrieverConfig.exec=/usr/libexec/pki-ipa-retrieve-key 
-o {output}


The ExternalProcessKeyRetriever will replace the {output} with a 
temporary file, then later parse the result from that file.


--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0117..0119 Retry key retrieval on failure

2016-06-02 Thread Endi Sukma Dewata 

On 5/31/2016 11:31 PM, Fraser Tweedale wrote:

Hi team,

The attached patches implement key retrieval retry with backoff
(ticket: https://fedorahosted.org/pki/ticket/2293).

Thanks,
Fraser


ACK.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0115 Include serial of revoked cert in CertRequestInfo

2016-06-02 Thread Endi Sukma Dewata 

On 5/29/2016 8:31 PM, Fraser Tweedale wrote:

Please review the attached patch, which addresses
https://fedorahosted.org/pki/ticket/1073

Cheers,
Fraser


ACK.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0113..0114 Lightweight CAs: renewal support

2016-06-02 Thread Endi Sukma Dewata 

On 5/17/2016 12:26 AM, Fraser Tweedale wrote:

Attached patches implement LWCA renewal support
(https://fedorahosted.org/pki/ticket/2327).

It includes REST API

POST /ca/rest/authorities//renew

But not implemented in CLI tool yet.  If we decide to make it a
first-class CLI feature (cf certmonger, IPA, etc managing the
renewal) then I'll file the ticket and implement it at that time.

Cheers,
Fraser


Some comments:

1. This is related to patch #111 too. Suppose an authority is 
added/deleted/renewed in one replica while another replica is down, when 
the second replica is brought back up will it know that it's missing the 
changes and be able to update the NSSDB accordingly?


I'm thinking when the server is started there should be a process to 
synchronize the NSSDB with the authorities in LDAP. Do we have something 
like that already, or is this not an issue?


2. The locale object for the RenewalProcessor should be obtained from 
the client, not from the server. See PKIService.getLocale(). In this 
case you probably need to pass HttpServletRequest to the renewAuthority().


3. The HttpServletRequest can be used to call processRenewal() as well.

I think #1 can be done separately later. The patches are ACKed assuming 
#2 and #3 are addressed.


--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] pki-cfu-0127-Ticket-2271-Part2-TMS-removing-reducing-debug-log-pr.patch

2016-06-02 Thread Christina Fu 

commit 897fd14bfdfa4cd722f95ba60c8dd7a9eaa37219

thanks!
Christina

On 06/02/2016 05:54 PM, John Magne wrote:

Thanks to some tough work here ACK :

Took a look at the code and then scanned carefully some test logs and
the logs for TPS and TKS are completely streamlined.




- Original Message -

From: "Christina Fu" 
To: "pki-devel" 
Sent: Thursday, 2 June, 2016 4:52:59 PM
Subject: [Pki-devel] [PATCH] 
pki-cfu-0127-Ticket-2271-Part2-TMS-removing-reducing-debug-log-pr.patch

Ticket #2271 Part2:TMS:removing/reducing debug log printout of data
  This patch comments out unneeded data in TMS debug logs (TPS&TKS);
  It reduces the size of the debug logs by a lot.
  Note that for ease of later development debugging, the debug lines
  are commented out instead of being removed

Testing was done in
* formatting
* formatting with key upgrade
* enrollment with server side key generation
* enrollment
* enrollment with key recovery

thanks,
Christina

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0112 Return 410 Gone if target CA of request has been deleted

2016-06-02 Thread Endi Sukma Dewata 

On 5/17/2016 12:20 AM, Fraser Tweedale wrote:

Hi all,
attached patch fixes https://fedorahosted.org/pki/ticket/2332

Cheers,
Fraser


Assuming an identical CA cannot be created to replace the old one, HTTP 
410 Gone is fine. If it's possible, it should be HTTP 404 Not Found. ACK.


--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] pki-cfu-0127-Ticket-2271-Part2-TMS-removing-reducing-debug-log-pr.patch

2016-06-02 Thread John Magne 
Thanks to some tough work here ACK :

Took a look at the code and then scanned carefully some test logs and 
the logs for TPS and TKS are completely streamlined.




- Original Message -
> From: "Christina Fu" 
> To: "pki-devel" 
> Sent: Thursday, 2 June, 2016 4:52:59 PM
> Subject: [Pki-devel] [PATCH] 
> pki-cfu-0127-Ticket-2271-Part2-TMS-removing-reducing-debug-log-pr.patch
> 
> Ticket #2271 Part2:TMS:removing/reducing debug log printout of data
>  This patch comments out unneeded data in TMS debug logs (TPS&TKS);
>  It reduces the size of the debug logs by a lot.
>  Note that for ease of later development debugging, the debug lines
>  are commented out instead of being removed
> 
> Testing was done in
> * formatting
> * formatting with key upgrade
> * enrollment with server side key generation
> * enrollment
> * enrollment with key recovery
> 
> thanks,
> Christina
> 
> ___
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0111 Lightweight CAs: remove NSSDB material when processing deletion

2016-06-02 Thread Endi Sukma Dewata 

On 5/15/2016 11:07 PM, Fraser Tweedale wrote:

The attached patch makes clones delete lightweight CA keys/certs
from local NSSDB when processing LWCA deletion.

Ticket: https://fedorahosted.org/pki/ticket/2328

Thanks,
Fraser


ACK.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0110 Lightweight CAs: remove redundant deletePrivateKey invocation

2016-06-02 Thread Endi Sukma Dewata 

On 5/15/2016 10:26 PM, Fraser Tweedale wrote:

Hi team,

The attached patch fixes https://fedorahosted.org/pki/ticket/1640.

Cheers,
Fraser


ACK.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 757 Added TPS token state transition validation.

2016-06-02 Thread Endi Sukma Dewata 

On 5/27/2016 5:52 PM, Endi Sukma Dewata wrote:

On 5/25/2016 10:34 PM, Endi Sukma Dewata wrote:

The TPSSubsystem has been modified to load and validate the token
state transition lists during initialization. If any of the lists
is empty or any of the transitions is invalid, the initialization
will fail and the subsystem will not start.

https://fedorahosted.org/pki/ticket/2334


Rebased.


ACKed by jmagne (thanks!) with small revision. Pushed to master.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] pki-cfu-0127-Ticket-2271-Part2-TMS-removing-reducing-debug-log-pr.patch

2016-06-02 Thread Christina Fu 

Ticket #2271 Part2:TMS:removing/reducing debug log printout of data
This patch comments out unneeded data in TMS debug logs (TPS&TKS);
It reduces the size of the debug logs by a lot.
Note that for ease of later development debugging, the debug lines
are commented out instead of being removed

Testing was done in
* formatting
* formatting with key upgrade
* enrollment with server side key generation
* enrollment
* enrollment with key recovery

thanks,
Christina
>From 9cc6e1214b50f5da1d5fcc39f8f7e47853c00585 Mon Sep 17 00:00:00 2001
From: Christina Fu 
Date: Thu, 2 Jun 2016 16:47:24 -0700
Subject: [PATCH] Ticket #2271 Part2:TMS:removing/reducing debug log printout
 of data This patch comments out unneeded data in TMS debug logs (TPS&TKS); It
 reduces the size of the debug logs by a lot. Note that for ease of later
 development debugging, the debug lines are commented out instead of being
 removed

---
 .../src/org/dogtagpki/tps/TPSConnection.java   |  17 +++-
 base/common/src/org/dogtagpki/tps/main/Util.java   |   2 +-
 .../src/org/dogtagpki/tps/msg/TPSMessage.java  |  17 +++-
 .../com/netscape/kra/TokenKeyRecoveryService.java  |   6 +-
 .../com/netscape/cms/servlet/base/CMSServlet.java  |   6 +-
 .../cms/src/com/netscape/cms/servlet/tks/KDF.java  |   2 +-
 .../cms/servlet/tks/SecureChannelProtocol.java |  32 ---
 .../com/netscape/cms/servlet/tks/TokenServlet.java |  16 ++--
 .../netscape/cmscore/connector/HttpConnection.java |   2 +-
 .../cmscore/logging/SignedAuditEventFactory.java   |   3 +-
 .../src/org/dogtagpki/server/tps/TPSSession.java   |   5 +-
 .../server/tps/channel/SecureChannel.java  |  26 --
 .../server/tps/cms/CARemoteRequestHandler.java |  37 
 .../server/tps/cms/KRARemoteRequestHandler.java|   8 +-
 .../server/tps/cms/RemoteRequestHandler.java   |   5 +-
 .../server/tps/cms/TKSRemoteRequestHandler.java|  42 +
 .../org/dogtagpki/server/tps/main/PKCS11Obj.java   |   8 +-
 .../server/tps/processor/EnrolledCertsInfo.java|   3 +-
 .../server/tps/processor/TPSEnrollProcessor.java   | 101 -
 .../server/tps/processor/TPSProcessor.java |  28 --
 20 files changed, 232 insertions(+), 134 deletions(-)

diff --git a/base/common/src/org/dogtagpki/tps/TPSConnection.java b/base/common/src/org/dogtagpki/tps/TPSConnection.java
index d93827775655eb880ad94d0e6d928915c6395cc4..c5a971edd5b4bf8073de1cb23de8eefd72f9e0b8 100644
--- a/base/common/src/org/dogtagpki/tps/TPSConnection.java
+++ b/base/common/src/org/dogtagpki/tps/TPSConnection.java
@@ -46,7 +46,7 @@ public class TPSConnection {
 }
 
 public TPSMessage read() throws IOException {
-CMS.debug("TPSMessage read()");
+CMS.debug("TPSConnection read()");
 
 StringBuilder sb = new StringBuilder();
 int b;
@@ -80,7 +80,10 @@ public class TPSConnection {
 sb.append(c);
 }
 
-CMS.debug("TPSMessage.read: Reading:  " + sb.toString());
+if (size <= 38) // for pdu_data size is 2 and only contains status
+CMS.debug("TPSConnection.read: Reading:  " + sb.toString());
+else
+CMS.debug("TPSConnection.read: Reading...");
 
 // parse the entire message
 return TPSMessage.createMessage(sb.toString());
@@ -89,7 +92,15 @@ public class TPSConnection {
 public void write(TPSMessage message) throws IOException {
 String s = message.encode();
 
-CMS.debug("TPSMessage.write: Writing: " + s);
+// don't print the pdu_data
+int idx = s.lastIndexOf("pdu_data=");
+String toDebug = null; 
+if (idx == -1)
+CMS.debug("TPSConnection.write: Writing: " + s);
+else {
+toDebug = s.substring(0, idx-1);
+CMS.debug("TPSConnection.write: Writing: " + toDebug + "pdu_data=");
+}
 // send message
 out.print(s);
 
diff --git a/base/common/src/org/dogtagpki/tps/main/Util.java b/base/common/src/org/dogtagpki/tps/main/Util.java
index 2973bb8ec254232eaae8ca4a7b824521ab406dbe..b212478d7592bc6e1706dee429a1a650024fcbeb 100644
--- a/base/common/src/org/dogtagpki/tps/main/Util.java
+++ b/base/common/src/org/dogtagpki/tps/main/Util.java
@@ -432,7 +432,7 @@ public class Util {
 throw new EBaseException("Util.encryptData: called with no sym key or no data!");
 }
 
-CMS.debug("Util.encryptData: dataToEnc: " + dataToEnc.toHexString());
+//CMS.debug("Util.encryptData: dataToEnc: " + dataToEnc.toHexString());
 
 CryptoToken token = null;
 try {
diff --git a/base/common/src/org/dogtagpki/tps/msg/TPSMessage.java b/base/common/src/org/dogtagpki/tps/msg/TPSMessage.java
index f622b9b4dffd6fd1bd72ad8b56df49b095f258fa..c7ad7f7c35e0fc3391d368bc6f86d92cdd295ab3 100644
--- a/base/common/src/org/dogtagpki/tps/msg/TPSMessage.java
+++ b/base/common/src/org/dogtagpki/tps/msg/TPSMessage.java
@@ -510,7 +510,22 @@ public class TPSM

Re: [Pki-devel] [PATCH] Fix unknown TKS host and port error during TPS removal

2016-06-02 Thread John Magne 
ACK

- Original Message -
From: "Matthew Harmsen" 
To: "pki-devel" 
Sent: Wednesday, June 1, 2016 10:19:51 AM
Subject: [Pki-devel] [PATCH] Fix unknown TKS host and port error during TPS 
removal

Please review the attached patch which addresses the following ticket: 


* PKI TRAC #1677 - Pkidestroy of a TPS instance installed in a shared 
tomcat throws error. 


Without the patch: 


# pkidestroy 
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: TPS 
Instance [pki-tomcat]: 

Begin uninstallation (Yes/No/Quit)? Yes 

Log file: /var/log/pki/pki-tps-destroy.20160601102651.log 
Loading deployment configuration from 
/var/lib/pki/pki-tomcat/tps/registry/tps/deployment.cfg. 
Uninstalling TPS from /var/lib/pki/pki-tomcat. 
pkidestroy : WARNING ... Failed to update TPS connector on TKS 
pkidestroy : ERROR ... TKS Host or Port is undefined 

Uninstallation complete. 
With the patch: 


# pkidestroy 
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: TPS 
Instance [pki-tomcat]: 

Begin uninstallation (Yes/No/Quit)? Yes 

Log file: /var/log/pki/pki-tps-destroy.20160601110057.log 
Loading deployment configuration from 
/var/lib/pki/pki-tomcat/tps/registry/tps/deployment.cfg. 
Uninstalling TPS from /var/lib/pki/pki-tomcat. 

Uninstallation complete. 


___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 315-319 KRA realm related patches

2016-06-02 Thread Endi Sukma Dewata 

On 6/2/2016 8:51 AM, Ade Lee wrote:

And now with the patches ..

On Thu, 2016-06-02 at 09:50 -0400, Ade Lee wrote:

Patch descriptions (in reverse order).

The final patch will need some discussion.  Please review,

Ade


Some comments:

1. In SrchKey and SrchKeyForRecovery the check probably should have been 
like this (no closing paren):


  if (filter.contains("(realm=")) {

2. If a realm is specified, I suppose it won't match any of the VLV 
indexes. Do the queries still work correctly without a matching VLV?


3. Could you document how to run the upgrade command in this page?
http://pki.fedoraproject.org/wiki/Database_Upgrade_for_PKI_10.3.x

Note that there are still some manual upgrade procedures that also need 
to be executed as documented in that page.


4. In PKISubsystem.open_database() can we use bind_dn and bind_password 
parameter names instead of user and password (it's a DN not a user ID)? 
Also in DBUpgrade should we use -D, -w, and -Z for consistency with DS 
tools?


5. The gnu_getopt() is called with "server_id=". I think it should be 
"server-id=". But since it actually contains the DS instance name maybe 
we should use "ds-instance=" instead?


6. In the DBUpgrade.modify_kra_vlv() the os.unlink(ldif_file) probably 
should be moved into the finally clause above it to ensure the temporary 
file is deleted in all cases. Alternatively the code could be written 
like this:


  with NamedTemporaryFile() as ldif_file:
  # do everything with the ldif_file here

7. In DBUpgrade.modify_schema() why not use subsystem.open_database() 
instead of ldapmodify? That will ensure it uses the same mechanism to 
connect to the LDAP server.


8. Also the DBUpgrade.modify_schema() is ignoring all schema update 
failures. I think we can only ignore the case where the new schema is 
already added. In other cases the upgrade should fail since the 
subsequent upgrades may depend on it.


9. I think DBUpgrade.create_realm_index() should only execute if there's 
a KRA subsystem in the instance. The code right now creates the index in 
the first subsystem's database which may not be a KRA.


  subsystem = instance.subsystems[0]

10. The DBUpgrade uses db2index.pl to rebuild the indexes which means 
the LDAP server must run locally. To support remote LDAP server I think 
we need to use reindex task. We have indextasks.ldif and vlvtasks.ldif 
that can be used for this. See also: 
http://pki.fedoraproject.org/wiki/DS_Database_Indexes


11. The DBUpgrade should not ignore reindex failures since subsequent 
upgrades may depend on it.


12. There's a typo in the last patch's commit description.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 760 Fixed invalid TPS VLV indexes.

2016-06-02 Thread Endi Sukma Dewata 

On 6/2/2016 9:17 AM, Ade Lee wrote:

ACK


Thanks! Also ACKed by jmagne. Pushed to master.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 754-755 Fixed problem submitting renewal request.

2016-06-02 Thread Endi Sukma Dewata 

On 5/24/2016 11:55 AM, Endi Sukma Dewata wrote:

Attached are patches to fix a problem with submitting renewal request.

https://fedorahosted.org/pki/ticket/999


This was conditionally ACKed by jmagne (thanks!). It's been tested to 
work with the UI and CLI with a minor revision. Pushed to master.


--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 760 Fixed invalid TPS VLV indexes.

2016-06-02 Thread Ade Lee 
ACK

On Fri, 2016-05-27 at 17:53 -0500, Endi Sukma Dewata wrote:
> The TPS VLV indexes have been fixed to use the correct vlvScope
> (i.e. one level). The unsupported minus sign in vlvSort and the
> redundant vlvEnabled have been removed.
> 
> https://fedorahosted.org/pki/ticket/2342
> 
> ___
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] 315-319 KRA realm related patches

2016-06-02 Thread Ade Lee 
Patch descriptions (in reverse order).

The final patch will need some discussion.  Please review,

Ade

***
commit 4a1fb1e678d0024d9ee51fcda0d83f74f1715f4b
Author: Ade Lee 
Date:   Thu Jun 2 09:41:35 2016 -0400

Modify pki-server db-upgrade to do realm related upgrades

Tickets 2320, 2319

commit ed3e2da4c598bf4cec89bec8e20a23ab6d82013c
Author: Ade Lee 
Date:   Fri May 27 14:01:59 2016 -0400

New VLV indexes for KRA including realm

commit 1a2947fed2f7cd2cc32fa810ab77d64bf3acb821
Author: Ade Lee 
Date:   Thu May 26 00:48:39 2016 -0400

Fix legacy servlets to check realm when requesting recovery

commit 483f9b2066110c3b8d4598e3afe1a9508bddbbb7
Author: Ade Lee 
Date:   Wed May 25 18:53:22 2016 -0400

Change legacy requests servlet to check realm

The legacy KRA servlet has been modified to check the realm
if present in the request, or only return non-realm requests
if not present.

No attempt is made to fix the error reporting of the servlet.
As such, an authz failure due to the realm check is handled
in the same way that other authz failures are handled.

commit 6c52845955315ca8842290d41c826c26aa037eb3
Author: Ade Lee 
Date:   Wed May 25 18:10:59 2016 -0400

Fix old KRA servlets to check realm

The old KRA servlets to list and display keys do not go through
the same code paths as the REST API.  Therefore, they do not
check the authz realm.

This patch adds the relevant code.  No attempt is made to fix the
error handling of the old servlets.  the long term solution for this
is to deprecate the old servlets and make the UI use the REST API
instead.  Therefore, authz failures due to realm checks are handled
in the same way as other authz changes.

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 315-319 KRA realm related patches

2016-06-02 Thread Ade Lee 
And now with the patches ..

On Thu, 2016-06-02 at 09:50 -0400, Ade Lee wrote:
> Patch descriptions (in reverse order).
> 
> The final patch will need some discussion.  Please review,
> 
> Ade
> 
> ***
> commit 4a1fb1e678d0024d9ee51fcda0d83f74f1715f4b
> Author: Ade Lee 
> Date:   Thu Jun 2 09:41:35 2016 -0400
> 
> Modify pki-server db-upgrade to do realm related upgrades
> 
> Tickets 2320, 2319
> 
> commit ed3e2da4c598bf4cec89bec8e20a23ab6d82013c
> Author: Ade Lee 
> Date:   Fri May 27 14:01:59 2016 -0400
> 
> New VLV indexes for KRA including realm
> 
> commit 1a2947fed2f7cd2cc32fa810ab77d64bf3acb821
> Author: Ade Lee 
> Date:   Thu May 26 00:48:39 2016 -0400
> 
> Fix legacy servlets to check realm when requesting recovery
> 
> commit 483f9b2066110c3b8d4598e3afe1a9508bddbbb7
> Author: Ade Lee 
> Date:   Wed May 25 18:53:22 2016 -0400
> 
> Change legacy requests servlet to check realm
> 
> The legacy KRA servlet has been modified to check the realm
> if present in the request, or only return non-realm requests
> if not present.
> 
> No attempt is made to fix the error reporting of the servlet.
> As such, an authz failure due to the realm check is handled
> in the same way that other authz failures are handled.
> 
> commit 6c52845955315ca8842290d41c826c26aa037eb3
> Author: Ade Lee 
> Date:   Wed May 25 18:10:59 2016 -0400
> 
> Fix old KRA servlets to check realm
> 
> The old KRA servlets to list and display keys do not go through
> the same code paths as the REST API.  Therefore, they do not
> check the authz realm.
> 
> This patch adds the relevant code.  No attempt is made to fix the
> error handling of the old servlets.  the long term solution for
> this
> is to deprecate the old servlets and make the UI use the REST API
> instead.  Therefore, authz failures due to realm checks are
> handled
> in the same way as other authz changes.
> 
> ___
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-develFrom 6c52845955315ca8842290d41c826c26aa037eb3 Mon Sep 17 00:00:00 2001
From: Ade Lee 
Date: Wed, 25 May 2016 18:10:59 -0400
Subject: [PATCH 315/319] Fix old KRA servlets to check realm

The old KRA servlets to list and display keys do not go through
the same code paths as the REST API.  Therefore, they do not
check the authz realm.

This patch adds the relevant code.  No attempt is made to fix the
error handling of the old servlets.  the long term solution for this
is to deprecate the old servlets and make the UI use the REST API
instead.  Therefore, authz failures due to realm checks are handled
in the same way as other authz changes.
---
 .../netscape/cms/servlet/key/DisplayBySerial.java  | 16 +++--
 .../servlet/key/DisplayBySerialForRecovery.java| 16 +++--
 .../src/com/netscape/cms/servlet/key/SrchKey.java  | 40 +++---
 .../cms/servlet/key/SrchKeyForRecovery.java| 38 +---
 4 files changed, 96 insertions(+), 14 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerial.java b/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerial.java
index 03af65c1f6df3a49408c42c8df6a009337d96f2f..7d3a5e9ff1c1886abde5e3cfe98b6338c9008db2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerial.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerial.java
@@ -31,6 +31,7 @@ import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authorization.AuthzToken;
 import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IArgBlock;
 import com.netscape.certsrv.common.ICMSRequest;
@@ -154,7 +155,12 @@ public class DisplayBySerial extends CMSServlet {
 if (req.getParameter(IN_SERIALNO) != null) {
 seqNum = new BigInteger(req.getParameter(IN_SERIALNO));
 }
-process(argSet, header, seqNum, req, resp, locale[0]);
+process(argSet, header, seqNum, req, resp, locale[0], authToken);
+} catch (EAuthzException e) {
+log(ILogger.LL_FAILURE,
+CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+cmsReq.setStatus(ICMSRequest.UNAUTHORIZED);
+return;
 } catch (NumberFormatException e) {
 header.addStringValue(OUT_ERROR,
 CMS.getUserMessage(locale[0], "CMS_BASE_INTERNAL_ERROR", e.toString()));
@@ -175,19 +181,23 @@ public class DisplayBySerial extends CMSServlet {
 
 /**
  * Display information about a particular key.
+ * @throws EAuthzException
  */
 private void process(CMSTemplateParams