Re: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch

2017-05-22 Thread Christina Fu

pushed to master:

commit 8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb

thanks,

Christina


On 05/19/2017 06:36 PM, John Magne wrote:

ACK:

Just make sure these changed constraints don't have any negative effect on 
existing profiles that use those constraints..

- Original Message -
From: "Christina Fu" <c...@redhat.com>
To: pki-devel@redhat.com
Sent: Friday, May 19, 2017 5:31:37 PM
Subject: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch



This patch is for https://pagure.io/dogtagpki/issue/2618: allow the CA to process 
pre-signed CMC renewal cert requests

Ticket#2618 feature: pre-signed CMC renewal request

This patch provides the feature implementation to allow the CA to process 
pre-signed CMC renewal requests. In the world of CMC, renewal requests are full 
CMC requests that are signed by a previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert with the 
enhanced profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of the same key shared by 
a revoked certificate. It also saves the origNotAfter of the newest certificate 
sharing the same key in the request, to be used by the 
RenewGracePeriodConstraint.
The profile caFullCMCUserSignedCert.cfg has been updated to have both 
UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the 
correct order. By default in the UniqueKeyConstraint the constraint parameter 
allowSameKeyRenewal=true.


Thanks,

Christina

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


Re: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch

2017-05-19 Thread John Magne
ACK:

Just make sure these changed constraints don't have any negative effect on 
existing profiles that use those constraints..

- Original Message -
From: "Christina Fu" <c...@redhat.com>
To: pki-devel@redhat.com
Sent: Friday, May 19, 2017 5:31:37 PM
Subject: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch



This patch is for https://pagure.io/dogtagpki/issue/2618: allow the CA to process 
pre-signed CMC renewal cert requests

Ticket#2618 feature: pre-signed CMC renewal request

This patch provides the feature implementation to allow the CA to process 
pre-signed CMC renewal requests. In the world of CMC, renewal requests are full 
CMC requests that are signed by a previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert with the 
enhanced profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of the same key shared by 
a revoked certificate. It also saves the origNotAfter of the newest certificate 
sharing the same key in the request, to be used by the 
RenewGracePeriodConstraint.
The profile caFullCMCUserSignedCert.cfg has been updated to have both 
UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the 
correct order. By default in the UniqueKeyConstraint the constraint parameter 
allowSameKeyRenewal=true.


Thanks, 

Christina 


[Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch

2017-05-19 Thread Christina Fu
This patch is for https://pagure.io/dogtagpki/issue/2618: allow the CA to 
process pre-signed CMC renewal cert requests


Ticket#2618 feature: pre-signed CMC renewal request

This patch provides the feature implementation to allow the CA to 
process pre-signed CMC renewal requests. In the world of CMC, renewal 
requests are full CMC requests that are signed by a previously issued 
signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert 
with the enhanced profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of the same 
key shared by a revoked certificate.  It also saves the origNotAfter of 
the newest certificate sharing the same key in the request, to be used by 
the RenewGracePeriodConstraint.
The profile caFullCMCUserSignedCert.cfg has been updated to have 
both UniqueKeyConstraint and RenewGracePeriodConstraint.  They must be 
placed in the correct order. By default in the UniqueKeyConstraint the 
constraint parameter allowSameKeyRenewal=true.


Thanks,

Christina

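The cover letter above describes a two-stage check: UniqueKeyConstraint looks up every previously issued certificate carrying the request's public key, rejects the request if any of them is revoked (or if same-key renewal is disabled), and hands the newest one's notAfter (origNotAfter) to RenewGracePeriodConstraint, which then accepts the renewal only inside a window around that expiry. The model below is an added illustration of that flow, not Dogtag's own code: the CertRecord shape, the function names, the exact rejection order and the sample certificates are all constructed here, and the grace window is read as graceBefore days before and graceAfter days after origNotAfter.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CertRecord:
    """One previously issued certificate as the CA's database knows it (constructed shape)."""
    serial: int
    key_id: str          # identifier for the subject public key (constructed label)
    not_after: datetime
    revoked: bool


class ConstraintRejected(Exception):
    """Raised when a modelled profile constraint rejects the request."""


def unique_key_constraint(request_key_id, existing_certs, allow_same_key_renewal=True):
    """Model of the updated UniqueKeyConstraint (hypothetical reimplementation).

    Returns the origNotAfter of the newest existing certificate sharing the
    request's key, or None when the key has never been certified, so the next
    constraint in the profile can use it. Rejects when same-key renewal is
    disabled or when the key is shared with a revoked certificate.
    """
    same_key = [c for c in existing_certs if c.key_id == request_key_id]
    if not same_key:
        return None                      # brand-new key: nothing to renew
    if not allow_same_key_renewal:
        raise ConstraintRejected("key already certified and allowSameKeyRenewal=false")
    if any(c.revoked for c in same_key):
        raise ConstraintRejected("key is shared with a revoked certificate")
    return max(c.not_after for c in same_key)


def renew_grace_period_constraint(orig_not_after, now, grace_before=30, grace_after=30):
    """Model of RenewGracePeriodConstraint: accept a renewal only inside
    [origNotAfter - grace_before days, origNotAfter + grace_after days]."""
    if orig_not_after is None:
        return                           # not a renewal, so no window applies
    earliest = orig_not_after - timedelta(days=grace_before)
    latest = orig_not_after + timedelta(days=grace_after)
    if not earliest <= now <= latest:
        raise ConstraintRejected(
            f"renewal outside grace window {earliest:%Y-%m-%d}..{latest:%Y-%m-%d}")


def evaluate_renewal(request_key_id, existing_certs, now,
                     allow_same_key_renewal=True, grace_before=30, grace_after=30):
    """Run the two constraints in the order the profile lists them: UniqueKey
    first, so origNotAfter exists before the grace check runs. Returns (accepted, reason)."""
    try:
        orig_not_after = unique_key_constraint(request_key_id, existing_certs,
                                               allow_same_key_renewal)
        renew_grace_period_constraint(orig_not_after, now, grace_before, grace_after)
    except ConstraintRejected as exc:
        return False, str(exc)
    return True, "accepted"


# Constructed sample data: three keys in different states.
UTC = timezone.utc
KEY_A, KEY_B, KEY_C = "key-A", "key-B", "key-C"
SAMPLE_CERTS = [
    CertRecord(1, KEY_A, datetime(2016, 6, 10, tzinfo=UTC), revoked=False),  # older cert, same key
    CertRecord(2, KEY_A, datetime(2017, 6, 10, tzinfo=UTC), revoked=False),  # newest cert for key A
    CertRecord(3, KEY_B, datetime(2018, 1, 1, tzinfo=UTC), revoked=True),    # revoked: key must not be reused
]
NOW = datetime(2017, 5, 20, tzinfo=UTC)           # 21 days before cert 2 expires: inside the window
TOO_EARLY = datetime(2017, 3, 1, tzinfo=UTC)      # 101 days before: outside the 30-day window


if __name__ == "__main__":
    for key in (KEY_A, KEY_B, KEY_C):
        print(key, evaluate_renewal(key, SAMPLE_CERTS, NOW))
    print("key-A too early", evaluate_renewal(KEY_A, SAMPLE_CERTS, TOO_EARLY))
    print("key-A, same-key renewal disabled",
          evaluate_renewal(KEY_A, SAMPLE_CERTS, NOW, allow_same_key_renewal=False))
```

Swapping the two calls in evaluate_renewal shows why the profile order matters: the grace check would run with no origNotAfter and silently pass every request, which is the misordering the cover letter warns about.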
From 63af93d4b7ba2bdda405bb585ed1e4c096e7ceb2 Mon Sep 17 00:00:00 2001
From: Christina Fu 
Date: Fri, 19 May 2017 11:55:14 -0700
Subject: [PATCH] Ticket#2618 feature: pre-signed CMC renewal request

This patch provides the feature implementation to allow the CA to process pre-signed CMC renewal requests. In the world of CMC, renewal requests are full CMC requests that are signed by a previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of the same key shared by a revoked certificate.  It also saves the origNotAfter of the newest certificate sharing the same key in the request, to be used by the RenewGracePeriodConstraint.
The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint.  They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
---
 .../shared/profiles/ca/caFullCMCUserSignedCert.cfg |  13 ++-
 .../src/com/netscape/cmstools/CMCRequest.java  |  14 +--
 .../constraint/RenewGracePeriodConstraint.java |  23 ++--
 .../profile/constraint/UniqueKeyConstraint.java| 116 -
 4 files changed, 124 insertions(+), 42 deletions(-)

diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
index 229a3cd..63a4bca 100644
--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
@@ -10,12 +10,23 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=cmcUserCertSet
-policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.list=1,9,10,2,3,4,5,6,7,8
 policyset.cmcUserCertSet.1.constraint.class_id=cmcUserSignedSubjectNameConstraintImpl
 policyset.cmcUserCertSet.1.constraint.name=CMC User Signed Subject Name Constraint
 policyset.cmcUserCertSet.1.default.class_id=cmcUserSignedSubjectNameDefaultImpl
 policyset.cmcUserCertSet.1.default.name=User Signed Subject Name Default
 policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.9.constraint.class_id=uniqueKeyConstraintImpl
+policyset.cmcUserCertSet.9.constraint.name=Unique Key Constraint
+policyset.cmcUserCertSet.9.constraint.params.allowSameKeyRenewal=true
+policyset.cmcUserCertSet.9.default.class_id=noDefaultImpl
+policyset.cmcUserCertSet.9.default.name=No Default
+policyset.cmcUserCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.cmcUserCertSet.10.constraint.name=Renewal Grace Period Constraint
+policyset.cmcUserCertSet.10.constraint.params.renewal.graceBefore=30
+policyset.cmcUserCertSet.10.constraint.params.renewal.graceAfter=30
+policyset.cmcUserCertSet.10.default.class_id=noDefaultImpl
+policyset.cmcUserCertSet.10.default.name=No Default
 policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
 policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
 policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
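Review bot: The new list `policyset.cmcUserCertSet.list=1,9,10,2,3,4,5,6,7,8` carries an ordering dependency that the file itself does not state: entry 9 (uniqueKeyConstraintImpl) must run before entry 10 (renewGracePeriodConstraintImpl) because the grace check consumes the origNotAfter the unique-key check saves, so anyone later reordering or copying this policy set into another profile can break renewal silently. Record the dependency next to the list (a comment if the profile loader tolerates one, or in the constraint `name` strings). The same applies to `renewal.graceBefore=30` and `renewal.graceAfter=30`, which give a bare number with no unit; say what the 30 denotes where the value is set.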
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
index 6e27cb1..9c41403 100644
--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
@@ -2014,10 +2014,12 @@ public class CMCRequest {
 certname.append(tokenName);
 certname.append(":");
 }
-certname.append(nickname);
-signerCert = cm.findCertByNickname(certname.toString());
-if (signerCert != null) {
-System.out.println("got signerCert: "+ certname.toString());
+if (!selfSign.equals("true") && nickname != null)
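Review bot: `if (!selfSign.equals("true") && nickname != null)` dereferences `selfSign` before any null check, so a request file that omits the option throws NullPointerException instead of taking the non-self-signed path; the same condition already guards `nickname` against null, so use `!"true".equals(selfSign)` or `!Boolean.parseBoolean(selfSign)` for symmetry. Also note that the removed lines appended `nickname` and looked up `signerCert` unconditionally right after the `tokenName` prefix was appended, so the new condition needs to make sure `certname` is not left holding only `tokenName:` when `nickname` is null.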