date:20160921

Re: [Pki-devel] [PATCH] 0135 Do not attempt LWCA key retrieval for host authority

2016-09-21 Thread Ade Lee


ACK

On Thu, 2016-09-22 at 12:13 +1000, Fraser Tweedale wrote:
> Hi team,
> 
> Please review the attached patch which fixes a regression in
> two-step externally-signed CA installation.  It is destined for 10.3
> branch as well as master.
> 
> https://fedorahosted.org/pki/ticket/2466
> 
> Cheers,
> Fraser
> ___
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] 0135 Do not attempt LWCA key retrieval for host authority

2016-09-21 Thread Fraser Tweedale

Hi team,

Please review the attached patch which fixes a regression in
two-step externally-signed CA installation.  It is destined for 10.3
branch as well as master.

https://fedorahosted.org/pki/ticket/2466

Cheers,
Fraser
From fca5fd053434d112998c814bc6d9424b6a5bac98 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 21 Sep 2016 20:18:37 +1000
Subject: [PATCH] Do not attempt LWCA key retrieval for host authority

During two-step installation of externally-signed CA, installation
can fail because host authority's private key cannot be located (a
temporary condition), causing LWCA key replication to fire, which
throws NullPointerException because the host authority's AuthorityID
has not been set yet.

Do not start key retrieval if the CA's AuthorityID is null (a
condition which implies that the CA is the host authority).

Fixes: https://fedorahosted.org/pki/ticket/2466
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java 
b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 
1f77fd81fc850af9996329dbec7d6a973ba62942..a4f102435ae7a1f2ab1e27814a52b5689639d0f7
 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -1569,7 +1569,12 @@ public class CertificateAuthority
 CMS.debug("CA signing key and cert not (yet) present in 
NSSDB");
 signingUnitException = e;
 if (retrieveKeys == true) {
-if (!keyRetrieverThreads.containsKey(authorityID)) {
+if (authorityID == null) {
+// Only the host authority should ever see a
+// null authorityID, e.g. during two-step
+// installation of externally-signed CA.
+CMS.debug("null authorityID -> host authority; not 
starting KeyRetriever");
+} else if (!keyRetrieverThreads.containsKey(authorityID)) {
 CMS.debug("Starting KeyRetrieverRunner thread");
 Thread t = new Thread(
 new KeyRetrieverRunner(authorityID, mNickname, 
authorityKeyHosts),
-- 
2.5.5

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] 833 Additional improvements for SigningUnit.

2016-09-21 Thread Endi Sukma Dewata


To help troubleshooting the SigningUnit for CA have been modified
to show additional log messages.

https://fedorahosted.org/pki/ticket/2463

Pushed to master (10.4) under one-liner/trivial rule.

--
Endi S. Dewata
>From d45c675948bb1ec13610626c57b6905dfc03fd43 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Wed, 21 Sep 2016 06:52:02 +0200
Subject: [PATCH] Additional improvements for SigningUnit.

To help troubleshooting the SigningUnit for CA have been modified
to show additional log messages.

https://fedorahosted.org/pki/ticket/2463
---
 base/ca/src/com/netscape/ca/SigningUnit.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java
index ac73a472efa531d47115708de7b4d65405b8e612..405f20c064f749a08190af7e7b2daf62ec4e7cd1 100644
--- a/base/ca/src/com/netscape/ca/SigningUnit.java
+++ b/base/ca/src/com/netscape/ca/SigningUnit.java
@@ -171,6 +171,7 @@ public final class SigningUnit implements ISigningUnit {
 mCert = mManager.findCertByNickname(mNickname);
 CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber());
 } catch (ObjectNotFoundException e) {
+CMS.debug("Unable to find certificate " + mNickname);
 throw new CAMissingCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"), e);
 }
 
@@ -181,6 +182,7 @@ public final class SigningUnit implements ISigningUnit {
 mPrivk = mManager.findPrivKeyByCert(mCert);
 CMS.debug("Got private key from cert");
 } catch (ObjectNotFoundException e) {
+CMS.debug("Unable to find private key for " + mNickname);
 throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"), e);
 }
 
-- 
2.7.4

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0135 Do not attempt LWCA key retrieval for host authority

[Pki-devel] [PATCH] 0135 Do not attempt LWCA key retrieval for host authority

[Pki-devel] [PATCH] 833 Additional improvements for SigningUnit.

3 matches

Site Navigation

Mail list logo

Footer information