Hi:
Should you set something like the following so it can find the security domain?
pki_security_domain_hostname=
- Original Message -
> From: "Nadeera Galagedara"
> To: pki-devel@redhat.com
> Sent: Wednesday, May 13, 2020 10:30:17 PM
> Subject: [Pki-devel] OCSP Configuration Problem
I have seen a demo of this in action and it appears to work.
The code looks as expected.
ACK
- Original Message -
From: "Christina Fu"
To: pki-devel@redhat.com
Sent: Wednesday, June 14, 2017 3:04:38 PM
Subject: [Pki-devel] [PATCH]
mode for SCP03.
- Original Message -
From: "Matthew Harmsen" <mharm...@redhat.com>
To: "John Magne" <jma...@redhat.com>, "pki-devel" <pki-devel@redhat.com>
Sent: Friday, June 2, 2017 4:01:14 PM
Subject: Re: [Pki-devel] [pki-devel][PATCH]
0095-Res
ACK:
Just make sure these changed constraints don't have any negative effect on
existing profiles that use those constraints.
- Original Message -
From: "Christina Fu"
To: pki-devel@redhat.com
Sent: Friday, May 19, 2017 5:31:37 PM
Subject: [Pki-devel] [PATCH]
Looks simple and valuable to clean up a few possible error cases.
Conditional ACK with one minor thing.
Maybe just check for "[KEYWORD" to catch a case where someone
might leave out the closing bracket. Who knows what havoc that
might have on an install.
- Original Message -
> From:
I have already seen the demo for this.
Seems to make sense.
I've called out some extraneous calls to System.out.println, that might pollute
the logs and the output for a client.
Conditional ACK.
Also, some of this affects the CRMFPopClient class when we add the switch for
self signed.
We
This looks nice and simple and solves the problem.
I agree that using http is ok here since the servlet in question
is public anyway.
I have also participated in and seen the results of a successful test
of this patch working.
ACK.
- Original Message -
> From: "Matthew Harmsen"
[PATCH] Non server keygen issue in SCP03.
Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663
We discovered a minor issue when trying to log values that don't exist when
performing the non server side keygen case. For instance, we don't need to
generate a kek session key in
CA in the certificate profiles the startTime parameter is not working as
expected.
This simple fix addresses an overflow in the "startTime" parameter in 4
places in the code. I felt that honing in only on the startTime value was the
best way to go. In some of the files other than
Cond ACK.
Looks good.
I just put a few minor suggestions to take care of in the attachment, which is
merely the original patch with comments
interspersed, identified with
- Original Message -
From: "Christina Fu"
To: pki-devel@redhat.com
Sent: Thursday, April 13,
Looks good. ACK
- Original Message -
From: "Christina Fu"
To: pki-devel@redhat.com
Sent: Friday, January 20, 2017 5:00:02 PM
Subject: [Pki-devel] [PATCH]
pki-cfu-0159-Ticket-1741-ECDSA-certs-Alg-IDs-contian-parameter-fi.patch
This patch addresses:
Looks good.
Looks like we are now updating the proper entry each time when unrevoking.
If tested to work, ACK
- Original Message -
> From: "Christina Fu"
> To: pki-devel@redhat.com
> Sent: Wednesday, January 4, 2017 11:26:14 AM
> Subject: [Pki-devel] [PATCH]
>
Author: Jack Magne
Date: Fri Dec 16 16:25:48 2016 -0800
Ticket #2569: Token memory not wiped after key deletion
This is the dogtag upstream side of the TPS portion of this ticket.
This fix also involves an applet fix, handled in another bug.
ACK
Participated in demo of the code and was able to enroll for and import a cert
using IE.
- Original Message -
From: "Matthew Harmsen"
To: "pki-devel"
Sent: Friday, December 9, 2016 3:07:20 PM
Subject: [Pki-devel] Fwd: [PATCH] - remove
Simple patch will provide a fix to this issue.
From e7821b4061d22d23013f7d00c066fc6e59d83167 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Thu, 8 Dec 2016 16:35:20 -0800
Subject: [PATCH] Resolve: pkispawn does not change default ecc key size from
nistp256
response is the
> wrong size, the size is: %x", data.size());
> goto loser;
> }
>
> Why does it not apply in Java?
>
> Thanks,
> Christina
>
> On 11/15/2016 06:20 PM, John Magne wrote:
>
>
>
> Ticket: TPS
Looked over all these and it looks good. Post checkin ACK :)
Just a couple of questions:
1. Code like this:
if (!synchronous) {
+// Has to be in this state or it won't go anywhere.
+request.setRequestStatus(RequestStatus.BEGIN);
+
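Review bot: The comment added inside `if (!synchronous)` says the request "has to be in this state or it won't go anywhere" but does not name what depends on that state. Consider saying in the comment which consumer requires `RequestStatus.BEGIN` before the non-synchronous request can proceed, so a later reader does not remove the `setRequestStatus` call as redundant.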
Have seen demo, and it looks good.
ACK
- Original Message -
> From: "Endi Sukma Dewata"
> To: "pki-devel"
> Sent: Thursday, October 20, 2016 2:21:43 PM
> Subject: [Pki-devel] [PATCH] 485 Fixed TPS UI system menu.
>
> The TPS UI has been
Have seen demo and looks good.
ACK
- Original Message -
> From: "Endi Sukma Dewata"
> To: "pki-devel"
> Sent: Thursday, October 20, 2016 2:21:49 PM
> Subject: [Pki-devel] [PATCH] 486 Fixed TPS UI for agent approval.
>
> The TPS UI has been
TPS token enrollment fails to setupSecureChannel when TPS and TKS security db
is on fips mode.
Ticket #2513.
Simple fix allows the TPS and TKS the ability to obtain the proper internal
token, even in FIPS mode.
From 00bba5092fa32b956d646b4711411b8c57bd8f75 Mon Sep 17 00:00:00
day, October 18, 2016 4:24:08 PM
Subject: Re: [Pki-devel] [pki-devel][PATCH]
0082-Cert-Key-recovery-is-successful-when-the-cert-serial.patch
If tested to work for all cases, ACK.
Christina
On 10/18/2016 03:22 PM, John Magne wrote:
Cert/Key recovery is successful when the cert serial num
PIN_RESET policy is not giving expected results when set on a token.
Simple fix to actually honor the PIN_RESET=or policy for a given
token.
Minor logging improvements added as well for this error condition.
Ticket #2510.
From 09dba122f01881b93d32a03a51d0be37c247cb30 Mon Sep
Cert/Key recovery is successful when the cert serial number and key id on the
ldap user mismatches
Fixes this bug #1381375.
The portion this patch fixes involves a URL encoding glitch we encountered
when recovering keys using
the "by cert" method.
Also this bug
now on the token when it's true, so we
should plan to revert it when/if NSS changes.
conditional ACK if you do that.
Christina
On 10/07/2016 02:01 PM, John Magne wrote:
Actually attach the patch.
- Forwarded Message -----
From: "John Magne" <jma...@redhat.com>
To:
ACK
Looks good and non risky.
- Original Message -
From: "Christina Fu"
To: pki-devel@redhat.com
Sent: Monday, October 10, 2016 5:20:11 PM
Subject: [Pki-devel]
[PATCH]pki-cfu-0155-Ticket-2498-Token-format-with-external-reg-fails-whe.patch
This patch addresses:
Actually attach the patch.
- Forwarded Message -
From: "John Magne" <jma...@redhat.com>
To: "pki-devel" <pki-devel@redhat.com>
Sent: Friday, October 7, 2016 11:45:17 AM
Subject: [pli-devel][PATCH]
0081-Fix-for-Add-ability-to-disallow-TPS-to-enroll-a-
Fix for: Add ability to disallow TPS to enroll a single user on multiple
tokens. #1664
This bug was previously not completely fixed where we left a loophole to
allow a user to
end up with 2 active tokens. This fix closes that loophole.
Also:
Fix for: Unable to read
ACK with a couple of caveats to fix:
Comments:
SYNOPSIS
CMCEnroll -d -n
-r
-p
The -d entry might be a little misleading. I think just saying this is a
directory with the NSS db containing the agent cert should clarify.
(4) Submit the signed certificate through the CA
Returning Day after labor day.
Will be easily reachable if needed by mobile the whole time.
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
Looks reasonable:
ACK with all the customary tested to work disclaimers.
This statement has not been evaluated by the FDA
- Original Message -
From: "Matthew Harmsen"
To: "pki-devel"
Sent: Friday, August 5, 2016 1:38:24 PM
Subject:
Tried this out myself, seems to work just fine.
ACK.
- Original Message -
From: "Ade Lee"
To: pki-devel@redhat.com
Sent: Friday, July 29, 2016 4:30:28 AM
Subject: [Pki-devel] [PATCH] 327 - small fix for SERVER_KEYGEN slot
substitution
Addresses Ticket 2418 -
Verbally acked by edewata thanks! :
pushed to master
Closing ticket: #2406
- Original Message -
> From: "John Magne" <jma...@redhat.com>
> To: "pki-devel" <pki-devel@redhat.com>
> Sent: Wednesday, July 27, 2016 11:53:34 AM
> Subject: [Pki-
-
From: "John Magne" <jma...@redhat.com>
To: "pki-devel" <pki-devel@redhat.com>, pki-devel@redhat.com
Cc: c...@redhat.com
Sent: Thursday, July 14, 2016 11:42:36 AM
Subject: [pki-devel][PATCH]
0076-MAN-Apply-generateCRMFRequest-removed-from-Firefox-w.patch
ACK:
One optional minor suggestion.
All over the place we now have stuff like this:
tps.connector.ca
Maybe just somewhere make it clear that represents an integer between 1 and
whatever we support.
Maybe just say that in the section talking about the ca list : "ca1,ca2"
- Original
te TKS.
Closing ticket # 2349
- Original Message -
From: "John Magne" <jma...@redhat.com>
To: "pki-devel" <pki-devel@redhat.com>
Sent: Thursday, June 23, 2016 3:33:44 PM
Subject: [pki-devel][PATCH]
0073-Separated-TPS-does-not-automatically-rece
Ticket #1114
Minor adjustment to the man page for the key management commands to say
which usages are appropriate for sym keys and those appropriate for asym
keys.
- Original Message -
From: "Matthew Harmsen" <mharm...@redhat.com>
To: "John Magne"
Tried out the man pages, looks good.
ACK
- Original Message -
> From: "Matthew Harmsen"
> To: "pki-devel"
> Sent: Friday, July 1, 2016 1:52:02 PM
> Subject: [Pki-devel] [Patch] Add HSM information
>
> Please review the attached patch
ACK
- Original Message -
From: "Matthew Harmsen"
To: "pki-devel"
Sent: Wednesday, June 29, 2016 7:57:34 PM
Subject: [Pki-devel] [PATCH] Separate PKI Instances versus Shared PKI
Instances
Please review the attached patch which addresses the
Generating Symmetric key fails with key-generate when --usages verify is passed
Ticket #1114
Minor adjustment to the man page for the key management commands to say
which usages are appropriate for sym keys and those appropriate for asym
keys.
From
[PATCH] Separated TPS does not automatically receive shared secret
from remote TKS.
Support to allow the TPS to do the following:
1. Request that the TKS creates a shared secret with the proper ID, pointing to
the TPS.
2. Have the TKS securely return the shared secret back to the TPS during
ACK'd by cfu:
Pushed to master, closing ticket #2340
- Original Message -
From: "John Magne" <jma...@redhat.com>
To: "pki-devel" <pki-devel@redhat.com>
Sent: Tuesday, June 14, 2016 4:07:49 PM
Subject: [pki-devel][PATCH]
0072-Revocation-failure-causes-
https://fedorahosted.org/pki/ticket/1507
Pushed to master: 92cb1fc3271f5928e9ad0db798b67a5761aefdb1
Under the trivial check in rule, which consisted of a modification to a comment.
mping the handling
> of recovery requests inside where the TMS handling is at.
>
> thanks,
> Christina
>
> On 06/01/2016 03:13 PM, John Magne wrote:
>
>
>
> Show KeyOwner info when viewing recovery requests.
>
> This simple fix will grab the sub
ACK
Does the job with little fuss.
One thing I would push for is to leave the original labels for standard requests
the way they were and NOT call them "Non Token " requests.
This way the old behavior remains and the user can explore the new options
provided
for TMS related requests if they
ACK
- Original Message -
From: "Matthew Harmsen"
To: "pki-devel"
Sent: Wednesday, June 1, 2016 10:19:51 AM
Subject: [Pki-devel] [PATCH] Fix unknown TKS host and port error during TPS
removal
Please review the attached patch which
Looks good:
Just a minor suggestion:
The boolean to markAsRevoked, you might want to rename as
"isAlreadyRevoked" to tell the reader more clearly what is going on.
We know we want to revoke a cert, but this boolean covers the case when the
cert to be revoked is already in the unique (on hold)
e top of method comment convention is usually using /* ...*/
> instead of a whole bunch of //'s
>
>
> thanks!
> Christina
>
>
> On 05/17/2016 06:44 PM, John Magne wrote:
>> Enclosed revised patches:
>>
>> Thanks to cfu for careful review.
>>
Looks good.
If tested to work conditional ACK.
Just one thing, when throwing a TPSException at the end of the patch,
please give it the error code, TPSStatus.STATUS_ERROR_CONTACT_ADMIN
- Original Message -
> From: "Christina Fu"
> To: "pki-devel"
Took a look at this.
Seems pretty good, so ACK, with a concern or two.
I think we might want to consider seeing if we can somehow short circuit
the display to something that won't let them send to the server, when we
know we don't even have the keygen tag available.
So if tested to work with
15/2016 04:24 PM, John Magne wrote:
Enhance tkstool for capabilities and security
This simple ticket is to fix tkstool to allow it
to create the master key with the proper flags to make
the key data private such that it can't be easily viewed when
using tools to print out sym keys on the to
I tested myself by pointing to mharmsen's system, seems to work fine.
Conditional ACK on the patch, just remove some of the entries in we were not
sure
you needed. We tested with just the bare minimum and it works.
- Original Message -
From: "Matthew Harmsen"
To:
TPS auth special characters fix.
Ticket #1636.
Smartcard token enroll/format fails when the ldap user has special
characters in userid or password
Tested with both esc and tpsclient. The problem was when using a real card
because the client uri encodes
the
I took a look at the stuff alee asked for.
CFU even took a quick look when I asked her a couple of questions.
She was unsure of something (as was I) and she would like to be able
to take a closer look next week. I will give my quick thoughts.
1. I agree that HSM support is not in the patch,
ACK:
Just maybe make a method out of that in case we might need it elsewhere.
- Original Message -
From: "Christina Fu"
To: "pki-devel"
Sent: Tuesday, 5 April, 2016 4:04:58 PM
Subject: [Pki-devel] [PATCH]
Looks fine:
What was done:
1. Creating some convenience functions to do the actual auditing.
2. Making sure we have auditing for the calls where things are changed
such as configuration /profile changes, or changing a token's state.
3. Making sure there are audit messages for the various error
Looks fine:
ACK
I presume once all this is in, certain packages have to be available in koji or
the build won't work.
- Original Message -
From: "Matthew Harmsen"
To: "pki-devel"
Cc: "Jack Magne" , "Matthew Harmsen"
of 7), and then continued
to run externalReg enrollment again to delete one cert and recover another.
ACK,
Christina
On 02/02/2016 06:46 PM, John Magne wrote:
Subject: [PATCH] Allow cert and key indexes > 9.
Ticket: Ticket #1734 : TPS issue with overflowing PKCS#11 cert index
Subject: [PATCH] Allow cert and key indexes > 9.
Ticket: Ticket #1734 : TPS issue with overflowing PKCS#11 cert index numbers
This patch contains the following:
1. Fixes in TPS to allow the server to set and read muscle object ID's that are
greater than 9.
The id is stored as a single ASCII