[Pki-devel] [PATCH 0005-0008] Misc. fixes for pki-server commands

2016-06-30 Thread Abhijeet Kasurde

Hi All,

Please review these patches.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io

From c97514152a50e34936a465963d41965a33caa2a7 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Fri, 1 Jul 2016 10:35:21 +0530
Subject: [PATCH 8/8] Updated notification message for TPS subsystem command

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

Signed-off-by: Abhijeet Kasurde 
---
 base/server/python/pki/server/cli/tps.py | 34 
 1 file changed, 26 insertions(+), 8 deletions(-)

diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py
index 63da3414ea2ac9caf5101ce3b51f198b42712eeb..1f71b8ece1431426d865d7e98fa87e5417beb36c 100644
--- a/base/server/python/pki/server/cli/tps.py
+++ b/base/server/python/pki/server/cli/tps.py
@@ -127,9 +127,15 @@ class TPSClonePrepareCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
 instance.load()
 
 subsystem = instance.get_subsystem('tps')
+if not subsystem:
+print("ERROR: No TPS subsystem in instance %s." % instance_name)
+sys.exit(1)
 
 tmpdir = tempfile.mkdtemp()
 
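Review bot: the two new messages, `print('ERROR: Invalid instance %s.' % instance_name)` and the missing-TPS message, go to stdout even though the command exits 1 right after; write them to stderr (`print(..., file=sys.stderr)`, or `sys.stderr.write`) so scripts that capture the command's output do not mistake the error for a result. The block also mixes single and double quotes for two messages of the same kind; pick one.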
@@ -228,12 +234,15 @@ class TPSDBVLVFindCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
 instance.load()
 
 subsystem = instance.get_subsystem('tps')
-
 if not subsystem:
-raise Exception('Subsystem not found')
+print("ERROR: No TPS subsystem in instance %s." % instance_name)
+sys.exit(1)
 
 self.find_vlv(subsystem, bind_dn, bind_password)
 
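Review bot: turning `raise Exception('Subsystem not found')` into a printed message plus `sys.exit(1)` is the right user-facing behaviour (a clean exit code instead of a traceback), but the identical instance/subsystem validation block is now pasted into five CLI classes in this file; factor it into one helper (for example a module-level function that returns the loaded TPS subsystem or exits) so the wording and exit code cannot drift between commands.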
@@ -340,12 +349,15 @@ class TPSDBVLVAddCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
 instance.load()
 
 subsystem = instance.get_subsystem('tps')
-
 if not subsystem:
-raise Exception('Subsystem not found')
+print("ERROR: No TPS subsystem in instance %s." % instance_name)
+sys.exit(1)
 
 if out_file:
 self.generate_ldif(subsystem, out_file)
@@ -450,12 +462,15 @@ class TPSDBVLVDeleteCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
 instance.load()
 
 subsystem = instance.get_subsystem('tps')
-
 if not subsystem:
-raise Exception('Subsystem not found')
+print("ERROR: No TPS subsystem in instance %s." % instance_name)
+sys.exit(1)
 
 if out_file:
 self.generate_ldif(subsystem, out_file)
@@ -582,12 +597,15 @@ class TPSDBVLVReindexCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
 instance.load()
 
 subsystem = instance.get_subsystem('tps')
-
 if not subsystem:
-raise Exception('Subsystem not found')
+print("ERROR: No TPS subsystem in instance %s." % instance_name)
+sys.exit(1)
 
 if out_file:
 self.generate_ldif(subsystem, out_file)
-- 
2.7.4

From d248b6c3abcac5be9bea9311741d493e20561b85 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Fri, 1 Jul 2016 10:31:32 +0530
Subject: [PATCH 7/8] Updated notification message for TKS subsystem command

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

Signed-off-by: Abhijeet Kasurde 
---
 base/server/python/pki/server/cli/tks.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py
index 0bcf748c3ca65980a888946d807536d62bfdf894..2c4157a03bc601c36141f67880fe7624aa1febee 100644
--- a/base/server/python/pki/server/cli/tks.py
+++ b/base/server/python/pki/server/cli/tks.py
@@ -118,9 +118,16 @@ class TKSClonePrepareCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
+
 instance.load()
 
 subsystem = 

Re: [Pki-devel] [PATCH] 781 Added instance and subsystem validation for pki-server ca-* commands.

2016-06-30 Thread Abhijeet Kasurde

Hi Fraser, All,

I am working on some of the error messages in pki-*; you can track this 
under this BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1351295



On 07/01/2016 09:43 AM, Fraser Tweedale wrote:

On Thu, Jun 30, 2016 at 08:38:57PM -0500, Endi Sukma Dewata wrote:

The pki-server ca-* commands have been modified to validate
the instance and the CA subsystem before proceeding with the
operation.

The usage() methods and invocations have been renamed into
print_help() for consistency.

https://fedorahosted.org/pki/ticket/2364

--
Endi S. Dewata


ACK; pushed to master (f8310a4ff306d28cf25ec71693a2e89c5323564d).

There are still lots of pki-server commands that fail if an invalid
subsystem is given, e.g.:

 # pki-server subsystem-cert-find kra
 
 AttributeError: 'NoneType' object has no attribute 'find_system_certs'

But that can be addressed separately in a future patch.

Thanks,
Fraser

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io


Re: [Pki-devel] [PATCH] 781 Added instance and subsystem validation for pki-server ca-* commands.

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 08:38:57PM -0500, Endi Sukma Dewata wrote:
> The pki-server ca-* commands have been modified to validate
> the instance and the CA subsystem before proceeding with the
> operation.
> 
> The usage() methods and invocations have been renamed into
> print_help() for consistency.
> 
> https://fedorahosted.org/pki/ticket/2364
> 
> -- 
> Endi S. Dewata
>
ACK; pushed to master (f8310a4ff306d28cf25ec71693a2e89c5323564d).

There are still lots of pki-server commands that fail if an invalid
subsystem is given, e.g.:

# pki-server subsystem-cert-find kra

AttributeError: 'NoneType' object has no attribute 'find_system_certs'

But that can be addressed separately in a future patch.

Thanks,
Fraser



Re: [Pki-devel] [PATCH] 780 Fixed pki-server subsystem-cert-update.

2016-06-30 Thread Fraser Tweedale
On Wed, Jun 29, 2016 at 11:19:46AM -0500, Endi Sukma Dewata wrote:
> The pki-server subsystem-cert-update is supposed to restore the
> system certificate data and requests into CS.cfg. The command was
> broken since the CASubsystem class that contains the code to find
> the certificate requests from database was not loaded correctly.
> To fix the problem the CASubsystem class has been moved into the
> pki/server/__init__.py.
> 
> All pki-server subsystem-* commands have been modified to check
> the validity of the instance.
> 
> An option has been added to the pki-server subsystem-cert-show
> command to display the data and request of a particular system
> certificate.
> 
> The redundant output of the pki-server subsystem-cert-update has
> been removed. The updated certificate data and request can be
> obtained using the pki-server subsystem-cert-show command.
> 
> https://fedorahosted.org/pki/ticket/2385
> 
ACK; pushed to master (67bbdc5edd1404f89e638037599b4231f50490f8).

Thanks,
Fraser



Re: [Pki-devel] [PATCH] 0124 Add profiles container to LDAP if missing

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 10:10:32AM -0500, Endi Sukma Dewata wrote:
> On 6/22/2016 4:53 AM, Fraser Tweedale wrote:
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2285.
> > See commit message and bz1323400[1] for full history and details.
> > 
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1323400
> > 
> > The fix should be merged to master and DOGTAG_10_2_BRANCH, and a new
> > 10.2.x release cut for f23.
> > 
> > I have an f23 COPR build containing the fix for anyone wishing to
> > test:
> > https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/packages/
> > 
> > Huge props to Adam Williamson for doing a lot of legwork in tracking
> > down the cause of this issue.
> > 
> > Thanks,
> > Fraser
> 
> ACK. When we have a proper database upgrade method we should consider
> converting this code into an upgrade script.
> 
Thanks; pushed:

master                2dea243d51765e3a8f01f7680592143c842921ce
DOGTAG_10_2_BRANCH    c34d326712940524419d65c6cb6cc9653221362b
DOGTAG_10_2_6_BRANCH  f0d036feb9604cc656b3b8ae46c822bec14e6ac8



Re: [Pki-devel] [PATCH] 0126 Respond 400 if lightweight CA cert issuance fails

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 10:49:12AM -0500, Endi Sukma Dewata wrote:
> On 6/27/2016 9:52 PM, Fraser Tweedale wrote:
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2388.
> > Wanted for 10.3.4.
> > 
> > Thanks,
> > Fraser
> 
> Two things:
> 
> 1. I don't think the patch author is correct :)
> 
Hah, yikes!  I think I accidentally squashed something and didn't
notice the author had changed after I fixed it up :)

> 2. Existing issue, but while you're there could you chain the original
> exception to the ECAException?
> 
Yep, done.  Pushed to master
(c7f9e6c4e0711dfafc81d201dcfadee3e0efa335)

Cheers,
Fraser

> Assuming they're addressed, ACK.
>



Re: [Pki-devel] [PATCH 0004] Updated notification message for kra-db-vlv-del command

2016-06-30 Thread Endi Sukma Dewata

On 6/30/2016 6:29 AM, Abhijeet Kasurde wrote:

Hi All,

Please review this patch,

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde


Thanks! Pushed to master with some changes to return error code 1 if the 
KRA is missing.


--
Endi S. Dewata



Re: [Pki-devel] [pki-devel][PATCH 0003] Added condition for checking instance id in kra commands

2016-06-30 Thread Endi Sukma Dewata

On 6/30/2016 5:09 AM, Abhijeet Kasurde wrote:

Hi All,

Please review this patch.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde


Thanks! Pushed to master with some changes:

1. The original code was supposed to normalize the token name, so if 
it's 'internal' or 'Internal Key Storage Token' it will be normalized to 
None. If the token name is None we don't add -h when calling 
certutil, since by default certutil will use the internal token.


There's a bug in PKIInstance.get_token_password() though. If the caller 
specifies the token parameter to be None explicitly, it won't get the 
default value of 'internal'. The method has been fixed to check for the None 
value.


2. The code that catches CalledProcessError has been moved into the main 
program (i.e. pki-server) so similar errors will be handled more 
consistently.


3. Some error messages are changed for consistency.

--
Endi S. Dewata
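As an added illustration of the token handling Endi describes above (not Dogtag's own code): normalising the two spellings of the internal token to None, adding certutil's -h option only for a non-internal token, and the difference between a password lookup that defaults via the parameter (which an explicit token=None bypasses) and one that checks for None. The password.conf key format ('internal' and 'hardware-<token>') and the sample values are assumptions made for this example.

```python
"""Illustrative, stand-alone Python (not Dogtag's own code) for the token
handling described in the thread: normalising NSS token names, adding
certutil's -h option only for a non-internal token, and resolving a token
password when the caller passes token=None explicitly."""
import subprocess
import sys

# Spellings that all name the NSS internal (software) token.
INTERNAL_TOKEN_NAMES = ('internal', 'Internal Key Storage Token')

# Constructed stand-in for a password.conf mapping. The key format
# ('internal' and 'hardware-<token>') is assumed here, not taken from the thread.
SAMPLE_PASSWORDS = {
    'internal': 'Secret.123',
    'hardware-NHSM6000': 'Hsm.Secret.456',
}


def normalize_token(token):
    """Return None for any spelling of the internal token, else the name unchanged."""
    if token is None or token.strip() in INTERNAL_TOKEN_NAMES:
        return None
    return token


def certutil_args(nssdb_dir, nickname, token=None):
    """Build a 'certutil -L' argument list.

    certutil already defaults to the internal token, so -h is only added
    when the normalised token name is not None (i.e. an HSM token)."""
    args = ['certutil', '-L', '-d', nssdb_dir, '-n', nickname]
    token = normalize_token(token)
    if token is not None:
        args.extend(['-h', token])
    return args


def get_token_password_buggy(passwords, token='internal'):
    """Pre-fix shape of the lookup: the default applies only when the argument
    is omitted, so an explicit token=None looks up None and finds nothing."""
    return passwords.get(token)


def get_token_password(passwords, token=None):
    """Fixed shape: None and every internal spelling resolve to the 'internal'
    entry; any other token uses the (assumed) 'hardware-<token>' key."""
    token = normalize_token(token)
    key = 'internal' if token is None else 'hardware-%s' % token
    return passwords.get(key)


def run_certutil(args):
    """Run certutil, mapping a failure to a message on stderr and None, the
    way the thread moves CalledProcessError handling into the main program."""
    try:
        return subprocess.check_output(args).decode()
    except subprocess.CalledProcessError as e:
        print('ERROR: %s exited with code %d' % (' '.join(args), e.returncode),
              file=sys.stderr)
        return None
    except OSError as e:
        print('ERROR: cannot run %s: %s' % (args[0], e), file=sys.stderr)
        return None


if __name__ == '__main__':
    # '/path/to/alias' is a placeholder NSS database directory.
    print(certutil_args('/path/to/alias', 'Server-Cert', 'internal'))
    print(certutil_args('/path/to/alias', 'Server-Cert', 'NHSM6000'))
    print(get_token_password_buggy(SAMPLE_PASSWORDS, None))  # None: the bug
    print(get_token_password(SAMPLE_PASSWORDS, None))        # Secret.123
```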



Re: [Pki-devel] [pki-devel][PATCH 0002] Added fix for checking ldapmodify return code in db-schema-upgrade

2016-06-30 Thread Endi Sukma Dewata

On 6/29/2016 7:43 AM, Abhijeet Kasurde wrote:

Hi All,

Please review the patch.

--
Thanks,
Abhijeet Kasurde


Thanks! Pushed to master with some changes to handle all LDAP errors 
instead of some specific ones.


--
Endi S. Dewata



Re: [Pki-devel] [PATCH] Bug 1203407 - tomcatjss: missing ciphers

2016-06-30 Thread Christina Fu

got verbal ack from Jack.

Pushed to master (the dogtag patch):
commit f0ad71e8a4fbae665a6b4875cce5b82895ad74f0

tomcatjss will be built in the next few days.

Christina


On 06/30/2016 03:04 PM, Christina Fu wrote:

The tomcatjss patch addresses:
Bug 1203407 - tomcatjss: missing ciphers


The 2nd patch is the accompanying dogtag change to remove references to 
the unsupported ciphers.  There is no critical dependency on the new 
tomcatjss.


thanks,
Christina





[Pki-devel] [PATCH] Bug 1203407 - tomcatjss: missing ciphers

2016-06-30 Thread Christina Fu

The tomcatjss patch addresses:
Bug 1203407 - tomcatjss: missing ciphers


The 2nd patch is the accompanying dogtag change to remove references to the 
unsupported ciphers.  There is no critical dependency on the new tomcatjss.


thanks,
Christina
diff -up src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java.cfu src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
--- src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java.cfu	2016-06-30 15:52:40.536775347 -0600
+++ src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java	2016-06-30 15:54:40.636612569 -0600
@@ -96,8 +96,12 @@ public class JSSSocketFactory implements
 SSLSocket.SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA);
 cipherMap.put("SSL3_RSA_WITH_DES_CBC_SHA",
 SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA);
+
 cipherMap.put("SSL3_RSA_WITH_3DES_EDE_CBC_SHA",
 SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA);
+// deprecated SSL3.0 names replaced by IANA-registered TLS names
+cipherMap.put("TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA);
 
 cipherMap.put("SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
 SSLSocket.SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA);
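Review bot: the comment `// deprecated SSL3.0 names replaced by IANA-registered TLS names` does not describe what the hunk does: the `SSL3_RSA_WITH_3DES_EDE_CBC_SHA` key stays and `TLS_RSA_WITH_3DES_EDE_CBC_SHA` is added as a second key for the same `SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA` constant, so this is an alias, not a replacement. Reword it to say the IANA TLS name is accepted in addition to the legacy name, and note whether configurations are expected to migrate.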
@@ -116,14 +120,23 @@ public class JSSSocketFactory implements
 SSLSocket.SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA);
 cipherMap.put("SSL3_DHE_DSS_WITH_DES_CBC_SHA",
 SSLSocket.SSL3_DHE_DSS_WITH_DES_CBC_SHA);
+
 cipherMap.put("SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
 SSLSocket.SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA);
+// deprecated SSL3.0 names replaced by IANA-registered TLS names
+cipherMap.put("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+SSLSocket.SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA);
+
 cipherMap.put("SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
 SSLSocket.SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA);
 cipherMap.put("SSL3_DHE_RSA_WITH_DES_CBC_SHA",
 SSLSocket.SSL3_DHE_RSA_WITH_DES_CBC_SHA);
+
 cipherMap.put("SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
 SSLSocket.SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA);
+// deprecated SSL3.0 names replaced by IANA-registered TLS names
+cipherMap.put("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+SSLSocket.SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA);
 
 cipherMap.put("SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5",
 SSLSocket.SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5);
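Review bot: the same alias comment is repeated twice more here; hoist it once above the block. More importantly, only the three 3DES suites receive TLS aliases while the DES and EXPORT suites directly above them do not; if that is deliberate (those suites are not worth making easier to enable), say so in a comment so nobody later "completes" the set.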
@@ -257,13 +270,21 @@ public class JSSSocketFactory implements
 SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256);
 cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
 SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
-cipherMap.put("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
-SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256);
 cipherMap.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
+/* unsupported by nss
+cipherMap.put("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256);
 cipherMap.put("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
 SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256);
+*/
 
+cipherMap.put("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA);
+cipherMap.put("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA);
+cipherMap.put("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+SSLSocket.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA);
 }
 
 private static HashMap eccCipherMap = new HashMap();
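Review bot: the `/* unsupported by nss ... */` block leaves two dead `cipherMap.put` calls in the source; remove them and record the reason (and the NSS version checked) in the commit message or a one-line comment. The three added suites, `TLS_ECDH_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDH_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA`, are static (non-ephemeral) ECDH with no forward secrecy, and one is 3DES; if they are only added so the names are recognised when an administrator configures them, state that, and make sure nothing here enables them by default.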
@@ -308,6 +329,10 @@ public class JSSSocketFactory implements
 "TLS_ECDH_RSA_WITH_NULL_SHA");
 eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_NULL_SHA,
 "TLS_ECDH_ECDSA_WITH_NULL_SHA");
+/* unsupported by nss
+eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256");
+*/
 }
 
 private AbstractEndpoint endpoint;
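Review bot: same commented-out-code pattern as the previous hunk, with only `TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256` disabled here, whereas the cipherMap hunk also disabled `TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256`; check whether eccCipherMap carries an entry for the ECDH_RSA GCM suite elsewhere that needs the same treatment, otherwise the two maps drift apart.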
@@ -393,6 +418,7 @@ public class JSSSocketFactory implements
 + ": 0x" + Integer.toHexString(cipherid) + "\n");
 SSLSocket.setCipherPreferenceDefault(cipherid, state);
 } catch (Exception e) {
+System.err.println("SSLSocket.setCipherPreferenceDefault exception:" +e);
 if (eccCipherMap.containsKey(cipherid)) {
 System.err
 .println("Warning: SSL ECC cipher \""
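Review bot: `System.err.println("SSLSocket.setCipherPreferenceDefault exception:" +e);` is missing a space after the colon and around `+`, and because it runs before the existing ECC warning, a failing cipher now produces two messages. Fold the exception text into the existing warning (or use the same logging mechanism as the surrounding debug output) and include the cipher name alongside the exception so the failure can be matched to a configuration entry.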

From c0bf4a016709d000f81df2262cb73f2a660a2a42 Mon Sep 17 00:00:00 2001
From: Christina Fu 
Date: Thu, 30 Jun 2016 15:01:42 -0700
Subject: [PATCH] Bugzilla 

Re: [Pki-devel] [PATCH] pki-cfu-0144-Ticket-1306-config-params-Add-granularity-to-token-t.patch

2016-06-30 Thread Christina Fu

got verbal ack from Jack.
Pushed to master:
commit 63a58cf51ef2982e8a35eff1f98dd42453e5681e

thanks,
Christina

On 06/30/2016 02:11 PM, Christina Fu wrote:
This patch is for https://fedorahosted.org/pki/ticket/1306 [RFE] Add 
granularity to token termination in TPS

It
1. adds the missing parameters
2. adds a table for revocation code

thanks,
Christina






Re: [Pki-devel] [pki-devel][PATCH] 0075-Generting-Symmetric-key-fails-with-key-generate-when.patch

2016-06-30 Thread Matthew Harmsen

On 06/24/2016 06:23 PM, John Magne wrote:

Generating Symmetric key fails with key-generate when --usages verify is passed

Ticket #1114

Minor adjustment to the man page for the key management commands to say
which usages are appropriate for sym keys and those appropriate for asym
keys.
 




ACK

Re: [Pki-devel] [PATCH] Separate PKI Instances versus Shared PKI Instances

2016-06-30 Thread John Magne
ACK

- Original Message -
From: "Matthew Harmsen" 
To: "pki-devel" 
Sent: Wednesday, June 29, 2016 7:57:34 PM
Subject: [Pki-devel] [PATCH] Separate PKI Instances versus Shared PKI Instances

Please review the attached patch which addresses the following ticket:

* PKI TRAC Ticket #1607 - [MAN] man pkispawn has inadequate description for
shared vs non shared tomcat instance installation

This ticket adds text to the pkispawn.8 man page to more adequately describe
the differences between separated PKI instances and shared PKI instances,
including increasing the verbosity of the two examples related to these two
deployment alternatives.




[Pki-devel] [PATCH] pki-cfu-0144-Ticket-1306-config-params-Add-granularity-to-token-t.patch

2016-06-30 Thread Christina Fu
This patch is for https://fedorahosted.org/pki/ticket/1306 [RFE] Add 
granularity to token termination in TPS

It
1. adds the missing parameters
2. adds a table for revocation code

thanks,
Christina

From 63a58cf51ef2982e8a35eff1f98dd42453e5681e Mon Sep 17 00:00:00 2001
From: Christina Fu 
Date: Thu, 30 Jun 2016 14:03:24 -0700
Subject: [PATCH] Ticket #1306 config params: Add granularity to token
 termination in TPS

This patch adds the missing configuration parameters that go with the
original bug.  The code would take on defaults when these parameters are
missing, but putting them in the CS.cfg would make it easier for the
administrators.
---
 base/tps/shared/conf/CS.cfg | 123 ++--
 1 file changed, 119 insertions(+), 4 deletions(-)

diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index 258d5a76c5ec8e392634f6075f32ae9baa68b290..4f2b3919cf73610ad1a8c8e8c1baf977fb117f6c 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -265,7 +265,20 @@ op.enroll._000=#
 op.enroll._001=# TPS Profiles
 op.enroll._002=#  - Operations
 op.enroll._003=#- operation; enroll,pinReset,format
-op.enroll._004=#
+op.enroll._004=#
+op.enroll._005=# Revocation Reasons (revokeCert.reason) according to RFC 5280
+op.enroll._006=# unspecified (0)
+op.enroll._007=# keyCompromise (1)
+op.enroll._008=# CACompromise (2)
+op.enroll._009=# affiliationChanged (3)
+op.enroll._010=# superseded (4)
+op.enroll._011=# cessationOfOperation (5)
+op.enroll._012=# certificateHold (6)
+op.enroll._013=# removeFromCRL (8)
+op.enroll._014=# privilegeWithdrawn (9)
+op.enroll._015=# AACompromise (10)
+op.enroll._016=#
+op.enroll._017=#
 op.enroll.delegateIEtoken._000=#
 op.enroll.delegateIEtoken._001=# Enrollment for externalReg 
 op.enroll.delegateIEtoken._002=# ID, Encryption
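Review bot: the `-op.enroll._004=#` / `+op.enroll._004=#` pair is a whitespace-only change and should be dropped. The reason-code table in `op.enroll._005` to `_015` is useful, but it says "according to RFC 5280" without stating which values TPS accepts for `revokeCert.reason`; code 7 is correctly absent (RFC 5280 leaves it unused), while `removeFromCRL (8)` is a delta-CRL status rather than a reason to put on a revocation request, so either mark it as not applicable or leave it out to prevent misconfiguration.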
@@ -326,12 +339,23 @@ op.enroll.delegateIEtoken.keyGen.authentication.publicKeyNumber=7
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.revokeCert=false
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.revokeCert.reason=0
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.scheme=GenerateNewKey
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.holdRevocationUntilLastCredential=false
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.revokeExpiredCerts=false
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert=false
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert.reason=1
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.scheme=GenerateNewKey
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.holdRevocationUntilLastCredential=false
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.revokeExpiredCerts=false
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.revokeCert=true
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.revokeCert.reason=1
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.scheme=GenerateNewKey
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.holdRevocationUntilLastCredential=false
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.revokeExpiredCerts=false
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeCert=false
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason=6
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.scheme=GenerateNewKey
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.holdRevocationUntilLastCredential=false
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeExpiredCerts=false
 op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.archive=false
 op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.drm.conn=kra1
 op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.enable=false
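Review bot: the new `recovery.terminated` state defaults to `revokeCert=true` with `revokeCert.reason=1` (keyCompromise), whereas the neighbouring `destroyed` and `keyCompromise` states default to `revokeCert=false`. Revoking a terminated token's certificates is sensible, but keyCompromise is a strong assertion that relying parties may treat specially; going by the table added earlier in this patch, `cessationOfOperation (5)` or `affiliationChanged (3)` is the usual reason for a user's departure, so confirm the default is intentional and document the choice next to the parameter.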
@@ -498,12 +522,23 @@ op.enroll.delegateISEtoken.keyGen.authentication.publicKeyNumber=7
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.revokeCert=false
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.revokeCert.reason=0
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.scheme=GenerateNewKey
+op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.holdRevocationUntilLastCredential=false
+op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.revokeExpiredCerts=false
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert=false
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert.reason=1
 

Re: [Pki-devel] [PATCH] 0125 AuthInfoAccess: use default OCSP URI if configured

2016-06-30 Thread Endi Sukma Dewata

On 6/27/2016 1:38 AM, Fraser Tweedale wrote:

Attached patch fixes https://fedorahosted.org/pki/ticket/2387
(wanted for 10.3.4).

Thanks,
Fraser


Just one thing: maybe we should add a blank pki_default_ocsp_uri under 
the [CA] section in the default.cfg so people know about this parameter?


Regardless, it's ACKed.

--
Endi S. Dewata



Re: [Pki-devel] [PATCH] 0124 Add profiles container to LDAP if missing

2016-06-30 Thread Endi Sukma Dewata

On 6/22/2016 4:53 AM, Fraser Tweedale wrote:

The attached patch fixes https://fedorahosted.org/pki/ticket/2285.
See commit message and bz1323400[1] for full history and details.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1323400

The fix should be merged to master and DOGTAG_10_2_BRANCH, and a new
10.2.x release cut for f23.

I have an f23 COPR build containing the fix for anyone wishing to
test:
https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/packages/

Huge props to Adam Williamson for doing a lot of legwork in tracking
down the cause of this issue.

Thanks,
Fraser


ACK. When we have a proper database upgrade method we should consider 
converting this code into an upgrade script.


--
Endi S. Dewata
