Re: [Pki-devel] [PATCH] fix for existing CA for HSM

2016-05-12 Thread Ade Lee
Acked by Endi.  Pushed to master.

On Wed, 2016-05-11 at 23:11 -0400, Ade Lee wrote:
> commit 5efd691e71f32b350737d95fe08f470164e60192
> Author: Ade Lee 
> Date:   Thu May 12 00:35:41 2016 +0200
> 
> Fix existing ca setup to work with HSM
> 
> If the existing CA keys are in an HSM, the code fails to
> load the keys because it does not take into account the full
> nickname.
> This small fix addresses this bug.
> 
> Please review,
> Thanks,
> Ade



Re: [Pki-devel] [PATCH] 743 Fixed install-only message in external CA case.

2016-05-12 Thread Endi Sukma Dewata

On 5/11/2016 9:04 PM, Matthew Harmsen wrote:

ACK


Thanks! Pushed to master.

--
Endi S. Dewata



Re: [Pki-devel] [PATCH] 744-745 Fixed missing CSR extensions for external CA case.

2016-05-12 Thread Endi Sukma Dewata

On 5/11/2016 7:20 PM, Endi Sukma Dewata wrote:

The deployment tool has been modified to generate CSR with basic
constraints and key usage extensions for the externally-signed CA
signing certificate.

The ConfigurationUtils.handleCertRequest() has been modified to
throw an exception on error during CSR generation instead of
silently ignoring it. The method has also been renamed to
generateCertRequest() for clarity.

https://fedorahosted.org/pki/ticket/2312


ACKed by alee (thanks!). Pushed to master.

--
Endi S. Dewata



[Pki-devel] [PATCH] 746 Added log messages for pre-op mode.

2016-05-12 Thread Endi Sukma Dewata

To help with troubleshooting, the code has been modified to log more
detailed information in pre-op mode.

https://fedorahosted.org/pki/ticket/1654

--
Endi S. Dewata
>From 2d76c5194d5a1833b3d43d2fd40effb99cd5bd5f Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Thu, 12 May 2016 20:30:56 +0200
Subject: [PATCH] Added log messages for pre-op mode.

To help with troubleshooting, the code has been modified to log more
detailed information in pre-op mode.

https://fedorahosted.org/pki/ticket/1654
---
 .../src/com/netscape/ca/CertificateAuthority.java  | 22 -
 base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java | 36 +-
 .../netscape/cms/authorization/DirAclAuthz.java| 23 --
 .../policy/constraints/SubCANameConstraints.java   | 11 ---
 .../extensions/AuthorityKeyIdentifierExt.java  | 17 +-
 .../cms/policy/extensions/BasicConstraintsExt.java | 13 
 .../cmscore/authentication/AuthSubsystem.java  | 10 --
 .../authentication/PasswdUserDBAuthentication.java |  4 ++-
 .../cmscore/authorization/AuthzSubsystem.java  | 10 --
 .../cmscore/cert/CrossCertPairSubsystem.java   | 24 +--
 .../src/com/netscape/cmscore/dbs/DBSubsystem.java  | 31 ++-
 .../cmscore/selftests/SelfTestSubsystem.java   |  2 +-
 .../com/netscape/cmscore/usrgrp/UGSubsystem.java   |  6 +++-
 13 files changed, 126 insertions(+), 83 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 253c4bb323692b8e9fe8bd87e202d71afb810c67..8ef6fd4b6dc97b9108f470a38f45eec864f24015 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -513,11 +513,14 @@ public class CertificateAuthority
 initSigUnit(/* retrieveKeys */ true);
 // init default CA attributes like cert version, validity.
 initDefCaAttrs();
+
 } catch (EBaseException e) {
-if (CMS.isPreOpMode())
-;
-else
+CMS.debug(e);
+if (CMS.isPreOpMode()) {
+CMS.debug("CertificateAuthority.init(): Swallow exception in pre-op mode");
+} else {
 throw e;
+}
 }
 
 mUseNonces = mConfig.getBoolean("enableNonces", true);
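Review bot: The new `CMS.debug(e)` at the top of the catch runs in both modes, so when the exception is rethrown by the `throw e;` below, the same failure is logged here and again by whatever catches it further up, while in pre-op mode the swallow message does not say what failed. Consider moving `CMS.debug(e)` into the pre-op branch, or making the swallow message carry the reason, e.g. `CMS.debug("CertificateAuthority.init(): Swallow exception in pre-op mode: " + e.getMessage());`. The same shape appears in the third hunk of this file (the catch that returns from init() after the host-authority setup). init() starts and ends outside this hunk.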
@@ -526,8 +529,10 @@ public class CertificateAuthority
 // init request queue and related modules.
 CMS.debug("CertificateAuthority init: initRequestQueue");
 initRequestQueue();
-if (CMS.isPreOpMode())
+if (CMS.isPreOpMode()) {
+CMS.debug("CertificateAuthority.init(): Abort in pre-op mode");
 return;
+}
 
 /* The host CA owns these resources so skip these
  * steps for lightweight CAs.
@@ -587,10 +592,12 @@ public class CertificateAuthority
 CMS.debug("CertificateAuthority: finished init of host authority");
 }
 } catch (EBaseException e) {
-if (CMS.isPreOpMode())
+CMS.debug(e);
+if (CMS.isPreOpMode()) {
+CMS.debug("CertificateAuthority.init(): Swallow exception in pre-op mode");
 return;
-else
-throw e;
+}
+throw e;
 }
 }
 
@@ -758,6 +765,7 @@ public class CertificateAuthority
  */
 public void startup() throws EBaseException {
 if (CMS.isPreOpMode()) {
+CMS.debug("CertificateAuthority.startup(): Do not start CA in pre-op mode");
 return;
 }
 mService.startup();
diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java b/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java
index 4a40e89fb4608639d3dff57341bfc6a3ee9623fe..09b85b4d1fa9fa98626010376f31abbf0a863474 100644
--- a/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java
+++ b/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java
@@ -27,14 +27,6 @@ import java.security.cert.CertificateParsingException;
 import java.util.Enumeration;
 import java.util.Hashtable;
 
-import netscape.security.util.DerOutputStream;
-import netscape.security.util.DerValue;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509Key;
-
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.asn1.ASN1Util;
 import org.mozilla.jss.asn1.InvalidBERException;
@@ -65,6 +57,14 @@ import com.netscape.cmsutil.ocsp.OCSPResponse;
 import com.netscape.cmsutil.ocsp.ResponderID;
 import com.netscape.cmsutil.ocsp.ResponseData;
 
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.x509.AlgorithmId;
+import netscape.

Re: [Pki-devel] [pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch

2016-05-12 Thread John Magne
Ticket #1641 Enhance tkstool for capabilities and security

The key is now generated with the flags needed to keep the data from being 
displayed
with simple tools such as symkeyutil.


As per cfu's instructions,
I was able to test this with the nethsm only.

I also was able to make the key des3 and everything works fine with the master 
key.
This will help all the warnings we get about insecure des2 keys.

If there is a problem with luna, we can file another ticket.
Also there could be a built in tool for luna to generate keys such as is 
present on hsm.

Pushed to master.

- Original Message -
From: "Christina Fu" 
To: pki-devel@redhat.com
Sent: Wednesday, January 27, 2016 10:24:26 AM
Subject: Re: [Pki-devel] 
[pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch

I think I will be more conservative and give conditional ACK to this patch 
pending on tests on servers running on both LunaSA and nethsm. Although the 
code in the patch might very well work for both, those two HSM's are known to 
require different sets of pk11AtrFlags and often one set would work for one but 
not the other. 

thanks, 
Christina 

On 01/15/2016 04:24 PM, John Magne wrote: 



Enhance tkstool for capabilities and security

This simple ticket is to fix tkstool to allow it
to create the master key with the proper flags to make
the key data private such that it can't be easily viewed when
using tools to print out sym keys on the token.

Fix tested on the "internal" token by trying the various tkstool
cmds to make sure having the key private does not cause issues.
Also tried a simple key changeover operation with tpsclient to make
sure that symkey can still do what it needs to do with the master key.

Further testing with a full hsm will be required.
The goal was to create the key with the same flags that the previous
"PK11_GenKeyOnToken" (name approx) used. That version had no
flags and created a default set. This fix uses the version with flags and
does what the old one did, but makes sure the key is private and sensitive.

Master key can be tested by using the tool:

/usr/lib64/nss/unsupported-tools/symkeyutil -d ./ -L 







Re: [Pki-devel] [pki-devel][PATCH] 0066-TPS-auth-special-characters-fix.patch

2016-05-12 Thread John Magne
ACKED by cfu,
pushed to master.

- Original Message -
From: "Christina Fu" 
To: pki-devel@redhat.com
Sent: Tuesday, May 3, 2016 11:27:59 AM
Subject: Re: [Pki-devel] [pki-devel][PATCH] 
0066-TPS-auth-special-characters-fix.patch

ACK 

On 04/27/2016 01:59 PM, John Magne wrote: 



TPS auth special characters fix.

Ticket #1636.
Smartcard token enroll/format fails when the ldap user has special 
characters in userid or password

Tested with both esc and tpsclient. The problem occurred when using a real card,
because the client URI-encodes the authentication credentials and the server
needs to decode them.







[Pki-devel] [PATCH] Added Chrome keygen warning

2016-05-12 Thread Matthew Harmsen
While testing chrome, we discovered that (a) keygen would soon not be 
supported:


 * 
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/pX5NbX0Xack

(b) although keygen is still supported, it has been disabled by default 
with a workaround provided to re-enable it:


 * 
https://support.quovadisglobal.com/kb/a470/deprecation-of-keygen-tag-in-chrome-chromium-browsers.aspx

Please review the attached patch which supplies a warning message and 
instructions on how to re-enable keygen

on Chrome browsers that support this:

 * PKI TRAC #2323 - Firefox Warning appears in EE page launched from
   within Chrome 

Additionally, an attempt was made to identify the case when KeyGen would 
not be available on Firefox and Chrome.


-- Matt

From 6d4d411c517be7a70015da1665906716aa3bdb84 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen 
Date: Thu, 12 May 2016 16:14:17 -0600
Subject: [PATCH] Added Chrome keygen warning

- PKI TRAC Ticket #2323 - Firefox Warning appears in EE page launched from
  within Chrome
---
 .../shared/webapps/ca/ee/ca/ProfileSelect.template | 110 -
 1 file changed, 107 insertions(+), 3 deletions(-)

diff --git a/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template b/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template
index 01b94ab..268db08 100644
--- a/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template
+++ b/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template
@@ -47,6 +47,61 @@ var key = new Object();
 key.type = "EC";
 keyList[1] = key;
 
+// Obtain browser name and version information
+// (credit: 'http://www.javascripter.net/faq/browsern.htm')
+var nAgt = navigator.userAgent;
+var browserName  = navigator.appName;
+var fullVersion  = ''+parseFloat(navigator.appVersion);
+var majorVersion = parseInt(navigator.appVersion, 10);
+var nameOffset,verOffset,ix;
+if ((verOffset = nAgt.indexOf("OPR/")) != -1) {
+   browserName = "Opera";
+   fullVersion = nAgt.substring(verOffset + 4);
+} else if ((verOffset = nAgt.indexOf("Opera")) != -1) {
+   browserName = "Opera";
+   fullVersion = nAgt.substring(verOffset + 6);
+   if ((verOffset = nAgt.indexOf("Version")) != -1) {
+  fullVersion = nAgt.substring(verOffset + 8);
+   }
+} else if ((verOffset = nAgt.indexOf("MSIE")) != -1) {
+   browserName = "Microsoft Internet Explorer";
+   fullVersion = nAgt.substring(verOffset + 5);
+} else if ((verOffset = nAgt.indexOf("Chrome")) != -1) {
+   browserName = "Chrome";
+   fullVersion = nAgt.substring(verOffset + 7);
+} else if ((verOffset = nAgt.indexOf("Safari")) != -1) {
+   browserName = "Safari";
+   fullVersion = nAgt.substring(verOffset + 7);
+   if ((verOffset = nAgt.indexOf("Version")) != -1) {
+  fullVersion = nAgt.substring(verOffset + 8);
+   }
+} else if ((verOffset = nAgt.indexOf("Firefox")) != -1) {
+   browserName = "Firefox";
+   fullVersion = nAgt.substring(verOffset + 8);
+} else if ((nameOffset = nAgt.lastIndexOf(' ') + 1) <
+   (verOffset = nAgt.lastIndexOf('/'))) {
+   browserName = nAgt.substring(nameOffset, verOffset);
+   fullVersion = nAgt.substring(verOffset + 1);
+   if (browserName.toLowerCase() == browserName.toUpperCase()) {
+  browserName = navigator.appName;
+   }
+}
+
+// trim the fullVersion string at semicolon/space if present
+if ((ix = fullVersion.indexOf(";")) != -1) {
+   fullVersion = fullVersion.substring(0, ix);
+}
+if ((ix = fullVersion.indexOf(" ")) != -1) {
+   fullVersion=fullVersion.substring(0, ix);
+}
+
+majorVersion = parseInt(''+fullVersion, 10);
+if (isNaN(majorVersion)) {
+   fullVersion  = ''+parseFloat(navigator.appVersion);
+   majorVersion = parseInt(navigator.appVersion, 10);
+}
+
+
 function isIE() {
if ( "ActiveXObject" in window ) {
  return true;
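Review bot: `browserName` is taken from `navigator.userAgent` (the `nAgt.substring(nameOffset, verOffset)` fallback) and from `navigator.appName`, and the next hunk concatenates it into markup through `document.write` in getNoKeyGenWarning; nothing in this hunk restricts it to safe characters. The value comes from the visitor's own browser, so the exposure is limited to markup the visitor injects into their own page, but it is still cheaper to constrain it once at the sniffing site than to remember to escape it at every use, e.g. `browserName = browserName.replace(/[^A-Za-z0-9 ._-]/g, '');` after the if/else chain. The assignment-inside-condition pattern repeated through the chain (`if ((verOffset = nAgt.indexOf("OPR/")) != -1)`) is hard to read; a small ordered table of marker/name/offset entries would express the same precedence more plainly. This is top-level script rather than a function, so it runs on every page load.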
@@ -62,12 +117,37 @@ function isIE() {
return false;
  }
 
+function isKeyGenSupported() {
+   // var keygen = document.createElement("KEYGEN");
+   var keygen = document.createElement("KEYGEN");
+   if ((typeof(keygen) == "object") &&
+   (typeof(keygen.name) == "undefined")) {
+   // Firefox
+   return true;
+   } else if ((typeof(keygen) == "object") &&
+  (typeof(keygen.name) == "string")) {
+   // Chrome
+   return true;
+   }
+   return false;
+}
+
 function getIE11Warning() {
  document.write('  Warning: Internet Explore Version 11 is not currently supported for certain enrollment operations. Please use an earlier version of the browser.   ');
  document.write('');
 }
 
 
+function getNoKeyGenWarning() {
+ document.write('  Warning: This version of ' + browserName + ' no longer supports the  tag used to facilitate generation of key material and submission of a public key as part of an HTML form from a browser.  As a result, certificate requests must be generated and submitted manually.  ');
+ document.write('');
+}
+
+function getKeyGenDisabledWarning() {
+ document.write('  Warning: Please verify t

Re: [Pki-devel] [PATCH] Added Chrome keygen warning

2016-05-12 Thread John Magne
Took a look at this.

Seems pretty good, so ACK, with a concern or two.

I think we might want to consider seeing if we can somehow short circuit
the display to something that won't let them send to the server, when we
know we don't even have the keygen tag available.

So if tested to work with Firefox and Chrome, etc, ACK once again.

- Original Message -
From: "Matthew Harmsen" 
To: "pki-devel" 
Cc: "Jack Magne" 
Sent: Thursday, May 12, 2016 3:45:11 PM
Subject: [PATCH] Added Chrome keygen warning

While testing chrome, we discovered that (a) keygen would soon not be 
supported:

  * 
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/pX5NbX0Xack

(b) although keygen is still supported, it has been disabled by default 
with a workaround provided to re-enable it:

  * 
https://support.quovadisglobal.com/kb/a470/deprecation-of-keygen-tag-in-chrome-chromium-browsers.aspx

Please review the attached patch which supplies a warning message and 
instructions on how to re-enable keygen
on Chrome browsers that support this:

  * PKI TRAC #2323 - Firefox Warning appears in EE page launched from
within Chrome 

Additionally, an attempt was made to identify the case when KeyGen would 
not be available on Firefox and Chrome.

-- Matt



Re: [Pki-devel] [PATCH] Added Chrome keygen warning

2016-05-12 Thread Matthew Harmsen

On 05/12/2016 07:39 PM, John Magne wrote:

Took a look at this.

Seems pretty good, so ACK, with a concern or two.

I think we might want to consider seeing if we can somehow short circuit
the display to something that won't let them send to the server, when we
know we don't even have the keygen tag available.

So if tested to work with Firefox and Chrome, etc, ACK once again.

- Original Message -
From: "Matthew Harmsen" 
To: "pki-devel" 
Cc: "Jack Magne" 
Sent: Thursday, May 12, 2016 3:45:11 PM
Subject: [PATCH] Added Chrome keygen warning

While testing chrome, we discovered that (a) keygen would soon not be
supported:

   * 
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/pX5NbX0Xack

(b) although keygen is still supported, it has been disabled by default
with a workaround provided to re-enable it:

   * 
https://support.quovadisglobal.com/kb/a470/deprecation-of-keygen-tag-in-chrome-chromium-browsers.aspx

Please review the attached patch which supplies a warning message and
instructions on how to re-enable keygen
on Chrome browsers that support this:

   * PKI TRAC #2323 - Firefox Warning appears in EE page launched from
 within Chrome 

Additionally, an attempt was made to identify the case when KeyGen would
not be available on Firefox and Chrome.

-- Matt


Thanks,  comment added to this section of code; checked into master.



Re: [Pki-devel] [PATCH] 740-742 Added token status UNFORMATTED.

2016-05-12 Thread Christina Fu

looks straight-forward.  if tested good, ACK.

Christina

On 05/10/2016 12:44 PM, Endi Sukma Dewata wrote:

A new token status UNFORMATTED has been added for new tokens added
via UI/CLI and for TERMINATED tokens that are to be reused.

The token status READY has been renamed to FORMATTED for clarity.






Re: [Pki-devel] [PATCH] 0103 Reject cert request if resultant subject DN is invalid

2016-05-12 Thread Fraser Tweedale
On Mon, May 09, 2016 at 01:19:50PM +1000, Fraser Tweedale wrote:
> The attached patch fixes https://fedorahosted.org/pki/ticket/2317.
> It will result in better error messages and help users to diagnose
> bad profile configurations (especially with IPA).
> 
> Thanks,
> Fraser
>
Acked by alee (thanks!); pushed to master
(54c18d85a778775c86bcddab4eee929719ac4d23)

> From ff7ff61c6cc97f695f3db2058bf3639014278299 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale 
> Date: Mon, 9 May 2016 12:57:32 +1000
> Subject: [PATCH] Reject cert request if resultant subject DN is invalid
> 
> An unparseable subject DN is ignored, causing NPE in subsequent
> processing because the subject DN was not set.  Throw
> ERejectException if the subject DN is invalid, to ensure that a
> useful response can be returned to the requestor.
> 
> Fixes: https://fedorahosted.org/pki/ticket/2317
> ---
>  .../com/netscape/certsrv/profile/ERejectException.java   |  8 
>  .../com/netscape/cms/profile/def/SubjectNameDefault.java | 16 
> ++--
>  2 files changed, 14 insertions(+), 10 deletions(-)
> 
> diff --git 
> a/base/common/src/com/netscape/certsrv/profile/ERejectException.java 
> b/base/common/src/com/netscape/certsrv/profile/ERejectException.java
> index 
> cceeb12ab8354b05dec0d0212d7a0f04de9e6184..1ada1c4ebca50ed79a443e2e47b3251a7303ff37
>  100644
> --- a/base/common/src/com/netscape/certsrv/profile/ERejectException.java
> +++ b/base/common/src/com/netscape/certsrv/profile/ERejectException.java
> @@ -43,4 +43,12 @@ public class ERejectException extends EProfileException {
>  public ERejectException(String msg) {
>  super(msg);
>  }
> +
> +public ERejectException(String msg, Throwable cause) {
> +super(msg, cause);
> +}
> +
> +public ERejectException(Throwable cause) {
> +super(cause.getMessage(), cause);
> +}
>  }
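Review bot: `ERejectException(Throwable cause)` uses `cause.getMessage()` as the exception message, and per the commit description an ERejectException's text is what the requestor gets back, so this constructor forwards the cause's internal message verbatim to the client; it also throws NullPointerException when `cause` is null. Callers that have a user-facing message should use the two-argument form, as SubjectNameDefault does in this same patch; for the one-argument form, guard the null and document what it exposes, e.g. `super(cause != null ? cause.getMessage() : null, cause);` with a Javadoc sentence stating that the cause's message becomes the client-visible rejection reason.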
> diff --git 
> a/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java 
> b/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
> index 
> 31aee6dd6d9299438fb62493f61879f9a01dd9ed..629f4bcc10869518ff890a96fa6657565df00abe
>  100644
> --- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
> +++ b/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
> @@ -27,6 +27,7 @@ import netscape.security.x509.X509CertInfo;
>  import com.netscape.certsrv.apps.CMS;
>  import com.netscape.certsrv.base.IConfigStore;
>  import com.netscape.certsrv.profile.EProfileException;
> +import com.netscape.certsrv.profile.ERejectException;
>  import com.netscape.certsrv.profile.IProfile;
>  import com.netscape.certsrv.property.Descriptor;
>  import com.netscape.certsrv.property.EPropertyException;
> @@ -166,19 +167,14 @@ public class SubjectNameDefault extends EnrollDefault {
>  return;
>  try {
>  name = new X500Name(subjectName);
> -} catch (IOException e) {
> -// failed to build x500 name
> -CMS.debug("SubjectNameDefault: populate " + e.toString());
> -}
> -if (name == null) {
> -// failed to build x500 name
> -}
> -try {
>  info.set(X509CertInfo.SUBJECT,
>  new CertificateSubjectName(name));
>  } catch (Exception e) {
> -// failed to insert subject name
> -CMS.debug("SubjectNameDefault: populate " + e.toString());
> +CMS.debug("SubjectNameDefault: failed to populate: " + e);
> +throw new ERejectException(CMS.getUserMessage(
> +getLocale(request),
> +"CMS_PROFILE_INVALID_SUBJECT_NAME",
> +subjectName), e);
>  }
>  }
>  }
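Review bot: The single `catch (Exception e)` now covers both `new X500Name(subjectName)` and `info.set(...)`, so a failure in the second call, which is not a malformed subject name, is reported to the requestor as CMS_PROFILE_INVALID_SUBJECT_NAME. The removed code caught `IOException` for the parse; keeping that narrower type on the parse and handling the `info.set` failure in its own catch with its own message keeps the rejection reason accurate. The `CMS.debug("SubjectNameDefault: failed to populate: " + e)` line would be more useful to the operator if it also printed `subjectName`, since that is the value they need to fix in the profile. populate() starts and ends outside this hunk.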
> -- 
> 2.5.5
> 




[Pki-devel] [PATCH] 0108 Lightweight CAs: add issuer DN and serial to AuthorityData

2016-05-12 Thread Fraser Tweedale
Hi team,

Attached patch implements https://fedorahosted.org/pki/ticket/1618
(Lightweight CAs: include Issuer DN and Serial in AuthorityData).

If ACKed and we want to kick off builds of 10.3.0, please go ahead
and merge it, otherwise I'll merge it on Monday morning.

Cheers,
Fraser
From 913fced6709f30da2ac05e5367fcfc05e1698a75 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Fri, 13 May 2016 14:22:08 +1000
Subject: [PATCH] Lightweight CAs: add issuer DN and serial to AuthorityData

Add issuer DN and serial number to the AuthorityData object, as
read-only attributes.  Values are displayed in the CLI, when present
in the response data.

Fixes: https://fedorahosted.org/pki/ticket/1618
---
 .../dogtagpki/server/ca/rest/AuthorityService.java | 18 +++---
 .../netscape/certsrv/authority/AuthorityData.java  | 22 ++
 .../netscape/cmstools/authority/AuthorityCLI.java  | 14 +-
 .../cmstools/authority/AuthorityCreateCLI.java |  2 +-
 .../cmstools/authority/AuthorityDisableCLI.java|  2 +-
 .../cmstools/authority/AuthorityEnableCLI.java |  2 +-
 6 files changed, 53 insertions(+), 7 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java 
b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 
29b7f78434a433360f34e9f821e6166ed19c604c..199ebef1a30c0cb946731ba448320f33611b3605
 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -20,6 +20,7 @@ package org.dogtagpki.server.ca.rest;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.math.BigInteger;
 import java.security.cert.CertificateEncodingException;
 import java.util.ArrayList;
 import java.util.LinkedHashMap;
@@ -270,14 +271,14 @@ public class AuthorityService extends PKIService 
implements AuthorityResource {
 public Response enableCA(String aidString) {
 return modifyCA(
 aidString,
-new AuthorityData(null, null, null, null, true, null, null));
+new AuthorityData(null, null, null, null, null, null, true, null, 
null));
 }
 
 @Override
 public Response disableCA(String aidString) {
 return modifyCA(
 aidString,
-new AuthorityData(null, null, null, null, false, null, null));
+new AuthorityData(null, null, null, null, null, null, false, null, 
null));
 }
 
 @Override
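Review bot: `new AuthorityData(null, null, null, null, null, null, true, null, null)` now carries nine positional arguments of which only the enabled flag matters; a reader cannot tell which slot is which, and every future field forces both call sites to change again, as this patch itself had to do. A small static factory on AuthorityData that takes only the enabled flag (constructed name, e.g. `AuthorityData.enabledOnly(true)`) would make enableCA and disableCA self-describing. This is a style point only; behaviour is unchanged.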
@@ -321,7 +322,16 @@ public class AuthorityService extends PKIService 
implements AuthorityResource {
 try {
 dn = ca.getX500Name().toLdapDNString();
 } catch (IOException e) {
-throw new PKIException("Error reading CA data: could not determine 
Issuer DN");
+throw new PKIException("Error reading CA data: could not determine 
subject DN");
+}
+
+String issuerDN;
+BigInteger serial;
+try {
+issuerDN = ca.getCACert().getIssuerDN().toString();
+serial = ca.getCACert().getSerialNumber();
+} catch (EBaseException e) {
+throw new PKIException("Error reading CA data: missing CA cert", 
e);
 }
 
 AuthorityID parentAID = ca.getAuthorityParentID();
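Review bot: `ca.getCACert()` is called twice in the new block, once for the issuer DN and once for the serial, and any EBaseException is turned into a PKIException that fails the whole read. The commit description says the values are shown "when present in the response data", which suggests null was meant to be a valid state, and `ca.isReady()` a few lines below hints that a CA can exist before its certificate is available (hedged: the ready semantics are not visible here); if so, catching the exception, logging it, and leaving `issuerDN` and `serial` null would be more consistent than rejecting the request for an otherwise readable CA. In either case, fetch the certificate once into a local and read both attributes from it. The enclosing method starts before this hunk.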
@@ -330,6 +340,8 @@ public class AuthorityService extends PKIService implements 
AuthorityResource {
 dn,
 ca.getAuthorityID().toString(),
 parentAID != null ? parentAID.toString() : null,
+issuerDN,
+serial,
 ca.getAuthorityEnabled(),
 ca.getAuthorityDescription(),
 ca.isReady()
diff --git a/base/common/src/com/netscape/certsrv/authority/AuthorityData.java 
b/base/common/src/com/netscape/certsrv/authority/AuthorityData.java
index 
84679567eb527cbf9fedd21705a72ca9c1a34a93..7d74caf97366ab79e14f9afce94041e17cea341a
 100644
--- a/base/common/src/com/netscape/certsrv/authority/AuthorityData.java
+++ b/base/common/src/com/netscape/certsrv/authority/AuthorityData.java
@@ -21,6 +21,8 @@
  */
 package com.netscape.certsrv.authority;
 
+import java.math.BigInteger;
+
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.Marshaller;
 import javax.xml.bind.Unmarshaller;
@@ -70,6 +72,23 @@ public class AuthorityData {
 return parentID;
 }
 
+/* Read-only for existing CAs */
+@XmlAttribute
+protected String issuerDN;
+
+public String getIssuerDN() {
+return issuerDN;
+}
+
+
+/* Read-only attribute */
+@XmlAttribute
+protected BigInteger serial;
+
+public BigInteger getSerial() {
+return serial;
+}
+
 
 @XmlAttribute
 protected String dn;
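Review bot: The two block comments (`/* Read-only for existing CAs */` and `/* Read-only attribute */`) sit on the fields, say nothing on the public getters, and are not consistent with each other. Since neither field has a setter, turn them into Javadoc on the getters, e.g. `/** Issuer DN of the CA's certificate; populated by the server, no setter. */` and `/** Serial number of the CA's certificate; populated by the server, no setter. */`. Whether the server ignores client-supplied values for these attributes on update is not visible in this hunk and is worth stating in the same Javadoc once confirmed.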
@@ -124,12 +143,15 @@ public class AuthorityData {
 public AuthorityData(
 Boolean isHostAuthority,
 String dn, String id, String parentID,
+String issuerDN, BigInteger serial,
 Boolean enabled, String description,
 Boolean read

Re: [Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

2016-05-12 Thread Fraser Tweedale
On Tue, May 10, 2016 at 02:42:52PM -0400, Ade Lee wrote:
> The patch itself is fine.
> 
> I'm just struggling with where this script should exist.
> 
> pki-server ca-cert-db-upgrade seems like an awfully generic description
> for this operation - which basically provides a very specific db
> migration.  For that matter, why not ca-db-upgrade?
> 
My thinking was that, in the future, whatever DB upgrades are needed
for a subsystem could be added to the command.

So on that, I take your point re "ca-db-upgrade" and will cut a new
patch with that command name.

> What happens the next time someone needs to do a CA DB upgrade?
> I'm almost wondering if a separate pki-db tool is needed.
> 
I think having it as part of pki-server(1) is a satisfactory fit.

> For that matter though, it's possible that the database is quite large,
> so attempting to do this automatically during upgrade is probably not
> advisable.
> 
We can leave it as a manual step for now (for Dogtag itself).

ipa-server-install may need to run it.  In the future, to avoid
unnecessary work, we can track which "steps" have been run (either
on disk or, preferably, in LDAP itself).  Updates themselves should
be idempotent.

> Opening up for others to chime in ..
> 
> Ade
> 
> On Tue, 2016-05-10 at 08:32 +1000, Fraser Tweedale wrote:
> > On Mon, May 09, 2016 at 04:06:46PM -0400, Ade Lee wrote:
> > > Isn't all this predicated on a schema change that adds the issuer
> > > as an
> > > optional field for the certRecord?
> > > 
> > The schema already exists but was unused.
> > 
> > > Ade
> > > 
> > > On Mon, 2016-05-09 at 17:15 +1000, Fraser Tweedale wrote:
> > > > Hi all,
> > > > 
> > > > The following patch adds a pki-server subcommand for updating
> > > > certificate records to add the issuerName attribute.
> > > > 
> > > > It is for #1667 (Database upgrade script to add issuerName
> > > > attribute
> > > > to all cert entries).
> > > > 
> > > > Follow-up question: should I (and if so, how should I) also add
> > > > an
> > > > upgrade scriptlet to perform the upgrade for Dogtag CA subsystem
> > > > on
> > > > the host?  Is there a precedent for invoking pki-server (or
> > > > subroutines thereof) from pki-server-upgrade scriptlets?
> > > > 
> > > > Cheers,
> > > > Fraser



Re: [Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

2016-05-12 Thread Fraser Tweedale
On Fri, May 13, 2016 at 02:48:41PM +1000, Fraser Tweedale wrote:
> On Tue, May 10, 2016 at 02:42:52PM -0400, Ade Lee wrote:
> > The patch itself is fine.
> > 
> > I'm just struggling with where this script should exist.
> > 
> > pki-server ca-cert-db-upgrade seems like an awfully generic description
> > for this operation - which basically provides a very specific db
> > migration.  For that matter, why not ca-db-upgrade?
> > 
> My thinking was that, in the future, whatever DB upgrades are needed
> for a subsystem could be added to the command.
> 
> So on that, I take your point re "ca-db-upgrade" and will cut a new
> patch with that command name.
> 
New patch attached.

Cheers,
Fraser
From 7dbd0eaf6ca82c872f48995b98fc4b41e6225699 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 9 May 2016 17:00:54 +1000
Subject: [PATCH] Add pki-server ca-db-upgrade command

Add the 'ca-db-upgrade' command to 'pki-server'.   This command
updates certificate records to add the issuerName attribute where
missing.  If other database updates are needed in future, they can
be added to this command.

Part of: https://fedorahosted.org/pki/ticket/1667
---
 base/server/python/pki/server/cli/ca.py | 81 +
 1 file changed, 81 insertions(+)

diff --git a/base/server/python/pki/server/cli/ca.py 
b/base/server/python/pki/server/cli/ca.py
index 
dbf8239f4f548714beb0c68d7bca2c84f6c0fb74..428345db4c1c4e7fccbdd01510bde5a5aeae8db6
 100644
--- a/base/server/python/pki/server/cli/ca.py
+++ b/base/server/python/pki/server/cli/ca.py
@@ -22,6 +22,8 @@ from __future__ import absolute_import
 from __future__ import print_function
 import getopt
 import io
+import ldap
+import nss.nss as nss
 import os
 import shutil
 import sys
@@ -38,6 +40,7 @@ class CACLI(pki.cli.CLI):
 
 self.add_module(CACertCLI())
 self.add_module(CACloneCLI())
+self.add_module(CADBUpgrade())
 
 
 class CACertCLI(pki.cli.CLI):
@@ -407,3 +410,81 @@ class CAClonePrepareCLI(pki.cli.CLI):
 
 finally:
 shutil.rmtree(tmpdir)
+
+
+class CADBUpgrade(pki.cli.CLI):
+def __init__(self):
+super(CADBUpgrade, self).__init__(
+'db-upgrade', 'Upgrade certificate records')
+
+def usage(self):
+print('Usage: pki-server ca-db-upgrade [OPTIONS]')
+print()
+print('  -i, --instanceInstance ID (default: 
pki-tomcat).')
+print('  -v, --verbose  Run in verbose mode.')
+print('  --help Show help message.')
+print()
+
+def execute(self, args):
+try:
+opts, _ = getopt.gnu_getopt(
+args, 'i:v', ['instance=', 'verbose', 'help'])
+
+except getopt.GetoptError as e:
+print('ERROR: ' + str(e))
+self.usage()
+sys.exit(1)
+
+instance_name = 'pki-tomcat'
+
+for o, a in opts:
+if o in ('-i', '--instance'):
+instance_name = a
+
+elif o in ('-v', '--verbose'):
+self.set_verbose(True)
+
+elif o == '--help':
+self.print_help()
+sys.exit()
+
+else:
+print('ERROR: unknown option ' + o)
+self.usage()
+sys.exit(1)
+
+nss.nss_init_nodb()
+
+instance = pki.server.PKIInstance(instance_name)
+instance.load()
+
+subsystem = instance.get_subsystem('ca')
+base_dn = subsystem.config['internaldb.basedn']
+conn = subsystem.open_database()
+try:
+entries = conn.ldap.search_s(
+'ou=certificateRepository,ou=ca,%s' % base_dn,
+ldap.SCOPE_ONELEVEL,
+'(&(objectclass=certificateRecord)(!(issuerName=*)))',
+None)
+for entry in entries:
+self.__add_issuer(conn, entry)
+finally:
+conn.close()
+
+@staticmethod
+def __add_issuer(conn, entry):
+dn, attrs = entry
+attr_cert = attrs.get('userCertificate;binary')
+if not attr_cert:
+return  # shouldn't happen, but nothing we can do if it does
+
+cert = nss.Certificate(bytearray(attr_cert[0]))
+issuer_name = str(cert.issuer)
+
+try:
+conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)])
+except ldap.LDAPError as e:
+print(
+'Failed to add issuerName to certificate {}: {}'
+.format(attrs.get('cn', [''])[0], e))
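Review bot: `conn.ldap.search_s(...)` is called with `None` as the attribute list, so every attribute of every matching certificate record is pulled into memory at once, and the thread already noted that this database may be large. `__add_issuer` reads only `userCertificate;binary` and `cn`, so pass `['cn', 'userCertificate;binary']` in place of `None`; a paged search would further bound memory if the simple paged results control is available in the target python-ldap (not verified here). The `-v/--verbose` option is parsed and stored but nothing in execute() or __add_issuer() consults it; a per-record message under verbose would be the natural use. The silent `return` in __add_issuer when a record has no certificate also deserves a message, so that skipped entries show up in the run output.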
-- 
2.5.5
