Re: [Pki-devel] OCSP Configuration Problem

2020-05-14 Thread John Magne
Hi: Should you set something like the following so it can find the security domain? pki_security_domain_hostname= - Original Message - > From: "Nadeera Galagedara" > To: pki-devel@redhat.com > Sent: Wednesday, May 13, 2020 10:30:17 PM > Subject: [Pki-devel] OCSP Configuration Problem

Re: [Pki-devel] [PATCH] Ticket-2737-CMC-check-HTTPS-client-authentication-ce.patch

2017-06-15 Thread John Magne
I have seen a demo of this in action and it appears to work. The code looks as expected. ACK - Original Message - From: "Christina Fu" To: pki-devel@redhat.com Sent: Wednesday, June 14, 2017 3:04:38 PM Subject: [Pki-devel] [PATCH]

Re: [Pki-devel] [pki-devel][PATCH] 0095-Resolve-1663-Add-SCP03-support.patch

2017-06-02 Thread John Magne
mode for SCP03. - Original Message - From: "Matthew Harmsen" <mharm...@redhat.com> To: "John Magne" <jma...@redhat.com>, "pki-devel" <pki-devel@redhat.com> Sent: Friday, June 2, 2017 4:01:14 PM Subject: Re: [Pki-devel] [pki-devel][PATCH] 0095-Res

Re: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch

2017-05-19 Thread John Magne
ACK: Just make sure these changed constraints don't have any negative effect on existing profiles that use those constraints. - Original Message - From: "Christina Fu" To: pki-devel@redhat.com Sent: Friday, May 19, 2017 5:31:37 PM Subject: [Pki-devel] [PATCH]

Re: [Pki-devel] [PATCH] - Correct section headings in user deployment configuration file

2017-05-17 Thread John Magne
Looks simple and valuable to clean up a few possible error cases. Conditional ACK with one minor thing. Maybe just check for "[KEYWORD" to catch a case where someone might leave out the closing bracket. Who knows what havoc that might have on an install. - Original Message - > From:

Re: [Pki-devel] [PATCH] Bug-1447080-CC-CMC-allow-enrollment-key-signed-self-.patch

2017-05-16 Thread John Magne
I have already seen the demo for this. Seems to make sense. I've called out some extraneous calls to System.out.println, that might pollute the logs and the output for a client. Conditional ACK. Also, some of this affects the CRMFPopClient class when we add the switch for self signed. We

Re: [Pki-devel] [PATCH] - CA installation with HSM in FIPS mode fails

2017-05-12 Thread John Magne
This looks nice and simple and solves the problem. I agree that using http is ok here since the servlet in question is public anyway. I have also participated in and seen the results of a successful test of this patch working. ACK. - Original Message - > From: "Matthew Harmsen"

[Pki-devel] [pki-devel][PATCH] Non server keygen issue in SCP03.

2017-05-05 Thread John Magne
[PATCH] Non server keygen issue in SCP03. Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663 We discovered a minor issue when trying to log values that don't exist when performing the non server side keygen case. For instance, we don't need to generate a kek session key in

[Pki-devel] [pki-devel][PATCH]

2017-04-26 Thread John Magne
CA in the certificate profiles the startTime parameter is not working as expected. This simple fix addresses an overflow in the "startTime" parameter in 4 places in the code. I felt that honing in only on the startTime value was the best way to go. In some of the files other than

Re: [Pki-devel] [PATCH] #2614 CMC: id-cmc-popLinkWitnessV2 feature implementation

2017-04-13 Thread John Magne
Cond ACK. Looks good. I just put a few minor suggestions to take care of in the attachment, which is merely the original patch with comments interspersed, identified with - Original Message - From: "Christina Fu" To: pki-devel@redhat.com Sent: Thursday, April 13,

Re: [Pki-devel] [PATCH] pki-cfu-0159-Ticket-1741-ECDSA-certs-Alg-IDs-contian-parameter-fi.patch

2017-01-23 Thread John Magne
Looks good. ACK - Original Message - From: "Christina Fu" To: pki-devel@redhat.com Sent: Friday, January 20, 2017 5:00:02 PM Subject: [Pki-devel] [PATCH] pki-cfu-0159-Ticket-1741-ECDSA-certs-Alg-IDs-contian-parameter-fi.patch This patch addresses:

Re: [Pki-devel] [PATCH] pki-cfu-0157-Ticket-2534-additional-reset-cert-status-after-succe.patch

2017-01-04 Thread John Magne
Looks good. Looks like we are now updating the proper entry each time when unrevoking. If tested to work, ACK - Original Message - > From: "Christina Fu" > To: pki-devel@redhat.com > Sent: Wednesday, January 4, 2017 11:26:14 AM > Subject: [Pki-devel] [PATCH] >

[Pki-devel] [pki-devel][PATCH] 0086-Ticket-2569-Token-memory-not-wiped-after-key-deletio.patch

2016-12-16 Thread John Magne
Author: Jack Magne Date: Fri Dec 16 16:25:48 2016 -0800 Ticket #2569: Token memory not wiped after key deletion This is the dogtag upstream side of the TPS portion of this ticket. This fix also involves an applet fix, handled in another bug.

Re: [Pki-devel] Fwd: [PATCH] - remove xenroll.dll from pki-core

2016-12-09 Thread John Magne
ACK Participated in demo of the code and was able to enroll for and import a cert using IE. - Original Message - From: "Matthew Harmsen" To: "pki-devel" Sent: Friday, December 9, 2016 3:07:20 PM Subject: [Pki-devel] Fwd: [PATCH] - remove

[Pki-devel] [pki-devel][PATCH] 0086-Resolve-pkispawn-does-not-change-default-ecc-key-siz.patch

2016-12-08 Thread John Magne
Simple patch will provide a fix to this issue. From e7821b4061d22d23013f7d00c066fc6e59d83167 Mon Sep 17 00:00:00 2001 From: Jack Magne Date: Thu, 8 Dec 2016 16:35:20 -0800 Subject: [PATCH] Resolve: pkispawn does not change default ecc key size from nistp256

Re: [Pki-devel] [pki-devel][PATCH]

2016-11-22 Thread John Magne
response is the > wrong size, the size is: %x", data.size()); > > 1022 > goto loser; > > 1023 > } > > Why does it not apply in Java? > > Thanks, > Christina > > On 11/15/2016 06:20 PM, John Magne wrote: > > > > Ticket: TPS

Re: [Pki-devel] [PATCH] 331-333 add support for synchronous key archival and recovery requests.

2016-11-10 Thread John Magne
Looked over all these and it looks good. Post checkin ACK :) Just a couple of questions: 1. Code like this: if (!synchronous) { +// Has to be in this state or it won't go anywhere. +request.setRequestStatus(RequestStatus.BEGIN); +

Re: [Pki-devel] [PATCH] 485 Fixed TPS UI system menu.

2016-10-20 Thread John Magne
Have seen demo, and it looks good. ACK - Original Message - > From: "Endi Sukma Dewata" > To: "pki-devel" > Sent: Thursday, October 20, 2016 2:21:43 PM > Subject: [Pki-devel] [PATCH] 485 Fixed TPS UI system menu. > > The TPS UI has been

Re: [Pki-devel] [PATCH] 486 Fixed TPS UI for agent approval.

2016-10-20 Thread John Magne
Have seen demo and looks good. ACK - Original Message - > From: "Endi Sukma Dewata" > To: "pki-devel" > Sent: Thursday, October 20, 2016 2:21:49 PM > Subject: [Pki-devel] [PATCH] 486 Fixed TPS UI for agent approval. > > The TPS UI has been

[Pki-devel] [pki-devel][PATCH] 0084-TPS-token-enrollment-fails-to-setupSecureChannel-whe.patch

2016-10-20 Thread John Magne
TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode. Ticket #2513. Simple fix allows the TPS and TKS the ability to obtain the proper internal token, even in FIPS mode. From 00bba5092fa32b956d646b4711411b8c57bd8f75 Mon Sep 17 00:00:00

Re: [Pki-devel] [pki-devel][PATCH] 0082-Cert-Key-recovery-is-successful-when-the-cert-serial.patch

2016-10-19 Thread John Magne
day, October 18, 2016 4:24:08 PM Subject: Re: [Pki-devel] [pki-devel][PATCH] 0082-Cert-Key-recovery-is-successful-when-the-cert-serial.patch If tested to work for all cases, ACK. Christina On 10/18/2016 03:22 PM, John Magne wrote: Cert/Key recovery is successful when the cert serial num

[Pki-devel] [pki-devel][PATCH] 0083-PIN_RESET-policy-is-not-giving-expected-results-when.patch

2016-10-18 Thread John Magne
PIN_RESET policy is not giving expected results when set on a token. Simple fix to actually honor the PIN_RESET=or policy for a given token. Minor logging improvements added as well for this error condition. Ticket #2510. From 09dba122f01881b93d32a03a51d0be37c247cb30 Mon Sep

[Pki-devel] [pki-devel][PATCH] 0082-Cert-Key-recovery-is-successful-when-the-cert-serial.patch

2016-10-18 Thread John Magne
Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches Fixes this bug #1381375. The portion this patch fixes involves a URL encoding glitch we encountered when recovering keys using the "by cert" method. Also this bug

Re: [Pki-devel] Fwd: [pli-devel][PATCH] 0081-Fix-for-Add-ability-to-disallow-TPS-to-enroll-a-sing.patch

2016-10-10 Thread John Magne
now on the token when it's true, so we should plan to revert it when/if NSS changes. conditional ACK if you do that. Christina On 10/07/2016 02:01 PM, John Magne wrote: Actually attach the patch. - Forwarded Message ----- From: "John Magne" <jma...@redhat.com> To: &

Re: [Pki-devel] [PATCH]pki-cfu-0155-Ticket-2498-Token-format-with-external-reg-fails-whe.patch

2016-10-10 Thread John Magne
ACK Looks good and non risky. - Original Message - From: "Christina Fu" To: pki-devel@redhat.com Sent: Monday, October 10, 2016 5:20:11 PM Subject: [Pki-devel] [PATCH]pki-cfu-0155-Ticket-2498-Token-format-with-external-reg-fails-whe.patch This patch addresses:

[Pki-devel] Fwd: [pli-devel][PATCH] 0081-Fix-for-Add-ability-to-disallow-TPS-to-enroll-a-sing.patch

2016-10-07 Thread John Magne
Actually attach the patch. - Forwarded Message - From: "John Magne" <jma...@redhat.com> To: "pki-devel" <pki-devel@redhat.com> Sent: Friday, October 7, 2016 11:45:17 AM Subject: [pli-devel][PATCH] 0081-Fix-for-Add-ability-to-disallow-TPS-to-enroll-a-

[Pki-devel] [pli-devel][PATCH] 0081-Fix-for-Add-ability-to-disallow-TPS-to-enroll-a-sing.patch

2016-10-07 Thread John Magne
Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664 This bug was previously not completely fixed where we left a loophole to allow a user to end up with 2 active tokens. This fix closes that loophole. Also: Fix for: Unable to read

Re: [Pki-devel] [PATCH] CMCEnroll man page + (proposed) HEADER/FOOTER changes

2016-08-19 Thread John Magne
ACK with a couple of caveats to fix: Comments: SYNOPSIS CMCEnroll -d -n -r -p The -d entry might be a little misleading. I think just saying this is a directory with the NSS db containing the agent cert should clarify. (4) Submit the signed certificate through the CA

[Pki-devel] Jack PTO Starting Monday Aug 22

2016-08-18 Thread John Magne
Returning Day after labor day. Will be easily reachable if needed by mobile the whole time. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] Added python-urllib3 dependency

2016-08-05 Thread John Magne
Looks reasonable: ACK with all the customary tested to work disclaimers. This statement has not been evaluated by the FDA - Original Message - From: "Matthew Harmsen" To: "pki-devel" Sent: Friday, August 5, 2016 1:38:24 PM Subject:

Re: [Pki-devel] [PATCH] 327 - small fix for SERVER_KEYGEN slot substitution

2016-07-29 Thread John Magne
Tried this out myself, seems to work just fine. ACK. - Original Message - From: "Ade Lee" To: pki-devel@redhat.com Sent: Friday, July 29, 2016 4:30:28 AM Subject: [Pki-devel] [PATCH] 327 - small fix for SERVER_KEYGEN slot substitution Addresses Ticket 2418 -

Re: [Pki-devel] [pki-devel][PATCH] 0077-Make-starting-CRL-Number-configurable.patch

2016-07-27 Thread John Magne
Verbally acked by edewata thanks! : pushed to master Closing ticket: #2406 - Original Message - > From: "John Magne" <jma...@redhat.com> > To: "pki-devel" <pki-devel@redhat.com> > Sent: Wednesday, July 27, 2016 11:53:34 AM > Subject: [Pki-

Re: [Pki-devel] [pki-devel][PATCH] 0076-MAN-Apply-generateCRMFRequest-removed-from-Firefox-w.patch

2016-07-14 Thread John Magne
- From: "John Magne" <jma...@redhat.com> To: "pki-devel" <pki-devel@redhat.com>, pki-devel@redhat.com Cc: c...@redhat.com Sent: Thursday, July 14, 2016 11:42:36 AM Subject: [pki-devel][PATCH] 0076-MAN-Apply-generateCRMFRequest-removed-from-Firefox-w.patch

Re: [Pki-devel] [PATCH] pki-cfu-0146-Ticket-978-PS-connector-man-page-add-revocation-rout.patch

2016-07-08 Thread John Magne
ACK: One optional minor suggestion. All over the place we now have stuff like this: tps.connector.ca Maybe just somewhere make it clear that represents an integer between 1 and whatever we support. Maybe just say that in the section talking about the ca list : "ca1,ca2" - Original

Re: [Pki-devel] [pki-devel][PATCH] 0073-Separated-TPS-does-not-automatically-receive-shared-.patch

2016-07-01 Thread John Magne
te TKS. Closing ticket # 2349 - Original Message - From: "John Magne" <jma...@redhat.com> To: "pki-devel" <pki-devel@redhat.com> Sent: Thursday, June 23, 2016 3:33:44 PM Subject: [pki-devel][PATCH] 0073-Separated-TPS-does-not-automatically-rece

Re: [Pki-devel] [pki-devel][PATCH] 0075-Generting-Symmetric-key-fails-with-key-generate-when.patch

2016-07-01 Thread John Magne
Ticket #1114 Minor adjustment to the man page for the key management commands to say which usages are appropriate for sym keys and those appropriate for asym keys. - Original Message - From: "Matthew Harmsen" <mharm...@redhat.com> To: "John Magne"

Re: [Pki-devel] [Patch] Add HSM information

2016-07-01 Thread John Magne
Tried out the man pages, looks good. ACK - Original Message - > From: "Matthew Harmsen" > To: "pki-devel" > Sent: Friday, July 1, 2016 1:52:02 PM > Subject: [Pki-devel] [Patch] Add HSM information > > Please review the attached patch

Re: [Pki-devel] [PATCH] Separate PKI Instances versus Shared PKI Instances

2016-06-30 Thread John Magne
ACK - Original Message - From: "Matthew Harmsen" To: "pki-devel" Sent: Wednesday, June 29, 2016 7:57:34 PM Subject: [Pki-devel] [PATCH] Separate PKI Instances versus Shared PKI Instances Please review the attached patch which addresses the

[Pki-devel] [pki-devel][PATCH] 0075-Generting-Symmetric-key-fails-with-key-generate-when.patch

2016-06-24 Thread John Magne
Generating Symmetric key fails with key-generate when --usages verify is passed Ticket #1114 Minor adjustment to the man page for the key management commands to say which usages are appropriate for sym keys and those appropriate for asym keys. From

[Pki-devel] [pki-devel][PATCH] 0073-Separated-TPS-does-not-automatically-receive-shared-.patch

2016-06-23 Thread John Magne
[PATCH] Separated TPS does not automatically receive shared secret from remote TKS. Support to allow the TPS to do the following: 1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS. 2. Have the TKS securely return the shared secret back to the TPS during

Re: [Pki-devel] [pki-devel][PATCH] 0072-Revocation-failure-causes-AUDIT_PRIVATE_KEY_ARCHIVE_.patch

2016-06-17 Thread John Magne
ACK'd by cfu: Pushed to master, closing ticket #2340 - Original Message - From: "John Magne" <jma...@redhat.com> To: "pki-devel" <pki-devel@redhat.com> Sent: Tuesday, June 14, 2016 4:07:49 PM Subject: [pki-devel][PATCH] 0072-Revocation-failure-causes-

[Pki-devel] Fix to ticket: [RFE] Enableocsp checking on KRA with CA's secure port shows self test failure

2016-06-16 Thread John Magne
https://fedorahosted.org/pki/ticket/1507 Pushed to master: 92cb1fc3271f5928e9ad0db798b67a5761aefdb1 Under the trivial check-in rule, which consisted of a modification to a comment.

Re: [Pki-devel] [pki-devel][PATCH] 0069-Show-KeyOwner-info-when-viewing-recovery-requests.patch

2016-06-03 Thread John Magne
mping the handling > of recovery requests inside where the TMS handling is at. > > thanks, > Christina > > On 06/01/2016 03:13 PM, John Magne wrote: > > > > Show KeyOwner info when viewing recovery requests. > > This simple fix will grab the sub

Re: [Pki-devel] [PATCH] pki-cfu-0129-Ticket-2352-TMS-missing-netkeyKeyRecovery-requests-o.patch

2016-06-03 Thread John Magne
ACK Does the job with little fuss. One thing I would push for is to leave the original labels for standard requests the way they were and NOT call them "Non Token " requests. This way the old behavior remains and the user can explore the new options provided for TMS related requests if they

Re: [Pki-devel] [PATCH] Fix unknown TKS host and port error during TPS removal

2016-06-02 Thread John Magne
ACK - Original Message - From: "Matthew Harmsen" To: "pki-devel" Sent: Wednesday, June 1, 2016 10:19:51 AM Subject: [Pki-devel] [PATCH] Fix unknown TKS host and port error during TPS removal Please review the attached patch which

Re: [Pki-devel] [PATCH] pki-cfu-0123-Ticket-1665-Cert-Revocation-Reasons-not-being-update.patch

2016-05-25 Thread John Magne
Looks good: Just a minor suggestion: The boolean to markAsRevoked, you might want to rename as "isAlreadyRevoked" to tell the reader more clearly what is going on. We know we want to revoke a cert, but this boolean covers the case when the cert to be revoked is already in the unique (on hold)

Re: [Pki-devel] [pki-devel][PATCH] 0064-Port-symkey-JNI-to-Java-classes.patch

2016-05-23 Thread John Magne
e top of method comment convention is usually using /* ...*/ > instead of a whole bunch of //'s > > > thanks! > Christina > > > On 05/17/2016 06:44 PM, John Magne wrote: >> Enclosed revised patches: >> >> Thanks to cfu for careful review. >>

Re: [Pki-devel] [PATCH] pki-cfu-0122-Ticket-1527-reopened-retrieved-wrong-ca-connector-co.patch

2016-05-17 Thread John Magne
Looks good. If tested to work conditional ACK. Just one thing, when throwing a TPSException at the end of the patch, please give it the error code, TPSStatus.STATUS_ERROR_CONTACT_ADMIN - Original Message - > From: "Christina Fu" > To: "pki-devel"

Re: [Pki-devel] [PATCH] Added Chrome keygen warning

2016-05-12 Thread John Magne
Took a look at this. Seems pretty good, so ACK, with a concern or two. I think we might want to consider seeing if we can somehow short circuit the display to something that won't let them send to the server, when we know we don't even have the keygen tag available. So if tested to work with

Re: [Pki-devel] [pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch

2016-05-12 Thread John Magne
15/2016 04:24 PM, John Magne wrote: Enhance tkstool for capabilities and security This simple ticket is to fix tkstool to allow it to create the master key with the proper flags to make the key data private such that it can't be easily viewed when using tools to print out sym keys on the to

Re: [Pki-devel] [PATCH] Fixed adminEnroll servlet browser import issue

2016-05-04 Thread John Magne
I tested myself by pointing to mharmsen's system, seems to work fine. Conditional ACK on the patch, just remove some of the entries we were not sure you needed. We tested with just the bare minimum and it works. - Original Message - From: "Matthew Harmsen" To:

[Pki-devel] [pki-devel][PATCH] 0066-TPS-auth-special-characters-fix.patch

2016-04-27 Thread John Magne
TPS auth special characters fix. Ticket #1636. Smartcard token enroll/format fails when the ldap user has special characters in userid or password Tested with both esc and tpsclient. The problem was when using a real card because the client uri encodes the

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-22 Thread John Magne
I took a look at the stuff alee asked for. CFU even took a quick look when I asked her a couple of questions. She was unsure of something (as was I) and she would like to be able to take a closer look next week. I will give my quick thoughts. 1. I agree that HSM support is not in the patch,

Re: [Pki-devel] [PATCH] pki-cfu-0117-Ticket-1519-token-format-should-delete-certs-from-to.patch

2016-04-05 Thread John Magne
ACK: Just maybe make a method out of that in case we might need it elsewhere. - Original Message - From: "Christina Fu" To: "pki-devel" Sent: Tuesday, 5 April, 2016 4:04:58 PM Subject: [Pki-devel] [PATCH]

Re: [Pki-devel] [PATCH] pki-cfu-0116-Ticket-1006-Audit-logging-for-TPS-REST-operations.patch

2016-03-28 Thread John Magne
Looks fine: What was done: 1. Creating some convenience functions to do the actual auditing. 2. Making sure we have auditing for the calls where things are changed such as configuration /profile changes, or changing a token's state. 3. Making sure there are audit messages for the various error

Re: [Pki-devel] [PATCHES] Updated tomcatjss and pki-core to work with Tomcat 7.0.68 on F22

2016-03-19 Thread John Magne
Looks fine: ACK I presume once all this is in, certain packages have to be available in koji or the build won't work. - Original Message - From: "Matthew Harmsen" To: "pki-devel" Cc: "Jack Magne" , "Matthew Harmsen"

Re: [Pki-devel] [pki-devel][PATCH] 0062-Allow-cert-and-key-indexes-9.patch

2016-02-05 Thread John Magne
of 7), and then continued to run externalReg enrollment again to delete one cert and recover another. ACK, Christina On 02/02/2016 06:46 PM, John Magne wrote: Subject: [PATCH] Allow cert and key indexes > 9. Ticket: Ticket #1734 : TPS issue with overflowing PKCS#11 cert index

[Pki-devel] [pki-devel][PATCH] 0062-Allow-cert-and-key-indexes-9.patch

2016-02-02 Thread John Magne
Subject: [PATCH] Allow cert and key indexes > 9. Ticket: Ticket #1734 : TPS issue with overflowing PKCS#11 cert index numbers This patch contains the following: 1. Fixes in TPS to allow the server to set and read muscle object ID's that are greater than 9. The id is stored as a single ASCII