Re: [Pki-devel] SSO

2020-07-03 Thread Fraser Tweedale
atever follows the '@'. So if REMOTE_USER is an email address and everyone has the same domain, this could work with the current code. Otherwise, we'll need to make changes. All that said, providing an alternative way of specifying the realm is a small RFE with a big payoff. HTH, Fraser > Th

Re: [Pki-devel] SSO

2020-07-02 Thread Fraser Tweedale
On Thu, Jul 02, 2020 at 11:35:22AM -0400, Alex Scheel wrote: > There's a proposal for GSS-API auth: > > https://www.dogtagpki.org/wiki/GSS-API_authentication > https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication > > However, it isn't implemented yet. This would probably suffice for >

Re: [Pki-devel] Certificate Transparency SCT signature verification?

2020-06-16 Thread Fraser Tweedale
On Wed, Jun 17, 2020 at 12:59:57AM +1000, Fraser Tweedale wrote: > Thanks for the testing notes, Christina. > > Today I set up a local test CT log server using a container image. > I plan to document more thoroughly but rough notes at [1]. > > Now to the issue I found -

Re: [Pki-devel] Certificate Transparency SCT signature verification?

2020-06-16 Thread Fraser Tweedale
enabled, but the failure is ignored. > However, you could look in the debug log for "verifySCT" to see relevant > debug messages. > > I'll ask Dinesh to add his more comprehensive testing procedure to the page. > thanks!! > Christina > > On Thu, Jun 11, 2020 at 5:5

Re: [Pki-devel] Certificate Transparency SCT signature verification?

2020-06-11 Thread Fraser Tweedale
> > Also thanks for the input on how to handle failed CT log communication > > v.s. response verification failure. I will address them separately as > > suggested. > > Finally, nice catch with the missing data length!! I'll add that and go > > from there. > > >

Re: [Pki-devel] Questions regarding addition of our own Cockpit module

2020-06-03 Thread Fraser Tweedale
On Wed, Jun 03, 2020 at 08:17:39PM -0400, Dinesh Prasanth Moluguwan Krishnamoorthy wrote: > Hello team, > > I’m part of Dogtag PKI open-source project [1]. Our team strives to provide > enterprise-class open-source Public Key Infrastructure (PKI) [2]. > > Dogtag PKI server is a Java web

Re: [Pki-devel] Certificate Transparency SCT signature verification?

2020-06-01 Thread Fraser Tweedale
Hi Christina, Adding pki-devel@ for wider audience. Comments below. On Mon, Jun 01, 2020 at 06:28:42PM -0700, Christina Fu wrote: > Hi Fraser, > Do you know how the signature returned in the SCT response could be > verified by the CA? > My thought is that the CA should somehow verify the CT
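
An added example, not Dogtag code and not taken from this thread, of the check Christina asks about: the CA verifying the signature in an SCT returned for a precertificate, written in Go from the RFC 6962 section 3.2 layout. The CA rebuilds the "digitally-signed struct" the log signed (version, signature_type, timestamp, entry_type, the PreCert entry of issuer_key_hash followed by the TBSCertificate with a 3-byte length prefix, then the extensions with a 2-byte prefix), hashes it with SHA-256 and checks the DigitallySigned ECDSA signature with the key of the log it submitted to, after confirming the SCT's log_id equals SHA-256 of that key's DER SubjectPublicKeyInfo. The log key is generated inside the example and the TBSCertificate bytes and issuer key hash are constructed stand-ins, so nothing talks to a real log; the type, function and field names are the example's own, not Dogtag's. Demo also hashes the struct without the TBS length prefix, the "missing data length" mentioned elsewhere in this thread, and shows that the log's signature does not verify over it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
)

// Enumerations from RFC 6962 s3.2 (algorithm bytes from RFC 5246) used by a v1 SCT.
const (
	entryPrecert = 1 // LogEntryType.precert_entry
	hashSHA256   = 4 // HashAlgorithm.sha256
	sigECDSA     = 3 // SignatureAlgorithm.ecdsa
)

// SCT is a parsed v1 SignedCertificateTimestamp as returned by the log's add-pre-chain.
type SCT struct {
	LogID      [32]byte // SHA-256 over the log's DER SubjectPublicKeyInfo
	Timestamp  uint64   // milliseconds since the Unix epoch
	Extensions []byte
	HashAlg    byte // DigitallySigned on the wire: hash_alg(1) || sig_alg(1) || vec(2, signature)
	SigAlg     byte
	Signature  []byte // DER ECDSA-Sig-Value
}

// vec encodes data as a TLS opaque vector with an n-byte (2 or 3) big-endian length prefix.
func vec(n int, data []byte) []byte {
	l := len(data)
	return append([]byte{byte(l >> 16), byte(l >> 8), byte(l)}[3-n:], data...)
}

// precertEntry is the PreCert signed_entry: issuer_key_hash[32] || vec(3, TBSCertificate).
func precertEntry(issuerKeyHash [32]byte, tbs []byte) []byte {
	return append(issuerKeyHash[:], vec(3, tbs)...)
}

// signedData serialises the "digitally-signed struct" that the log signs.
func signedData(ts uint64, entryType uint16, entry, ext []byte) []byte {
	msg := []byte{0, 0} // Version.v1, SignatureType.certificate_timestamp
	msg = binary.BigEndian.AppendUint64(msg, ts)
	msg = binary.BigEndian.AppendUint16(msg, entryType)
	msg = append(msg, entry...)
	return append(msg, vec(2, ext)...)
}

// VerifyPrecertSCT checks sct with the key of the log the CA is configured to submit to.
func VerifyPrecertSCT(sct SCT, logPub *ecdsa.PublicKey, issuerKeyHash [32]byte, tbs []byte) error {
	spki, err := x509.MarshalPKIXPublicKey(logPub)
	if err != nil {
		return err
	}
	if sct.LogID != sha256.Sum256(spki) {
		return errors.New("sct: log_id does not match the configured log key")
	}
	if sct.HashAlg != hashSHA256 || sct.SigAlg != sigECDSA {
		return errors.New("sct: unsupported DigitallySigned algorithms")
	}
	digest := sha256.Sum256(signedData(sct.Timestamp, entryPrecert, precertEntry(issuerKeyHash, tbs), sct.Extensions))
	if !ecdsa.VerifyASN1(logPub, digest[:], sct.Signature) {
		return errors.New("sct: signature verification failed")
	}
	return nil
}

// Demo plays both sides with a fresh log key: does the genuine SCT verify, and does a
// signature over a struct that omits the 3-byte TBS length prefix fail to verify?
func Demo() (valid, missingLenRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	tbs := []byte("constructed TBSCertificate stand-in, not real DER") // constructed input
	issuerKeyHash := sha256.Sum256([]byte("constructed issuer SPKI")) // constructed input
	// Log side: sign the struct and hand back the SCT.
	sct := SCT{Timestamp: 1591000000000, HashAlg: hashSHA256, SigAlg: sigECDSA}
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return
	}
	sct.LogID = sha256.Sum256(spki)
	digest := sha256.Sum256(signedData(sct.Timestamp, entryPrecert, precertEntry(issuerKeyHash, tbs), nil))
	if sct.Signature, err = ecdsa.SignASN1(rand.Reader, priv, digest[:]); err != nil {
		return
	}
	// CA side: the real check, then the bug from the thread (no length prefix on the TBS).
	valid = VerifyPrecertSCT(sct, &priv.PublicKey, issuerKeyHash, tbs) == nil
	noLen := sha256.Sum256(signedData(sct.Timestamp, entryPrecert, append(issuerKeyHash[:], tbs...), nil))
	missingLenRejected = !ecdsa.VerifyASN1(&priv.PublicKey, noLen[:], sct.Signature)
	return
}
```

A log_id mismatch and a signature failure are worth reporting as different outcomes, in the same spirit as handling failed log communication separately from response verification failure: the first means the wrong log key is configured on the CA side, the second that the SCT is not that log's signature over this precert. For an x509_entry the signed_entry is just vec(3, leafCertDER) with entry_type 0 and no issuer_key_hash.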

Re: [Pki-devel] ACME certificate IDs

2020-03-22 Thread Fraser Tweedale
On Fri, Mar 20, 2020 at 03:41:05PM -0400, Endi Sukma Dewata wrote: > - Original Message - > > > Let me backtrack a little bit. Is there a plan to modify Dogtag to > > > eventually support different serial number domains? If not, this is > > > not an issue for Dogtag. > > > > There is no

Re: [Pki-devel] ACME certificate IDs

2020-03-20 Thread Fraser Tweedale
Hi Endi, Responses inline. On Fri, Mar 20, 2020 at 12:55:46AM -0400, Endi Sukma Dewata wrote: > - Original Message - > > > > Currently on ACMEBackend interface we have > > > > > > > > public BigInteger issueCertificate(String csr); > > > > > > > > I think this is a bit of a problem.

Re: [Pki-devel] ACME certificate IDs

2020-03-18 Thread Fraser Tweedale
On Tue, Mar 17, 2020 at 05:04:59PM -0400, Endi Sukma Dewata wrote: > - Original Message - > > Hi Endi, > > > > Just want to quickly discuss certificate IDs. > > > > Currently on ACMEBackend interface we have > > > > public BigInteger issueCertificate(String csr); > > > > I think this

[Pki-devel] ACME certificate IDs

2020-03-17 Thread Fraser Tweedale
Hi Endi, Just want to quickly discuss certificate IDs. Currently on ACMEBackend interface we have public BigInteger issueCertificate(String csr); I think this is a bit of a problem. e.g. Dogtag currently supports multiple issuers (LWCAs). It is incidental that serial numbers do not

Re: [Pki-devel] Dogtag Build

2020-01-28 Thread Fraser Tweedale
On Tue, Jan 28, 2020 at 07:02:36PM +0530, Sharath wrote: > Hello Team, > > I have taken the source code git repository, currently pointing > origin/DOGTAG_10_6_BRANCH. Can you please text the steps to build Dogtag PKI > source ? > > ./build.sh failed due to dependencies... > > is there any

Re: [Pki-devel] [acme] getOrderByAuthorization() / orders and authorisations

2019-12-04 Thread Fraser Tweedale
On Thu, Dec 05, 2019 at 11:18:15AM +1000, Fraser Tweedale wrote: > On Wed, Dec 04, 2019 at 06:36:24PM -0500, Endi Sukma Dewata wrote: > > - Original Message - > > > Just want to flag something related to ACME orders and > > > authorisations. > >

[Pki-devel] [acme] getOrderByAuthorization() / orders and authorisations

2019-12-04 Thread Fraser Tweedale
Just want to flag something related to ACME orders and authorisations. In ACME authorizations can be shared by multiple orders. In fact you can also "preauthorize" your account for an identifier, so there can also be a authorizations with no orders attached. Does the way we have implemented the

Re: [Pki-devel] How to generate the certificate in pkcs #12 format using Dogtag PKI

2019-11-03 Thread Fraser Tweedale
On Fri, Nov 01, 2019 at 05:29:40PM +0530, Sharath wrote: > Hi Team, > > 1. Can you please help, how to generate the certificate using pkcs #12 > format?? > Hi Sharath, PKCS #12 is a key and certificate archival format. The main use of PKCS #12 in Dogtag is retrieving archived keys from the KRA

Re: [Pki-devel] Dogtag+FreeIPA: adapting to the Fedora mass orphaning

2019-03-11 Thread Fraser Tweedale
On Mon, Mar 11, 2019 at 03:58:17PM +0100, François Cami wrote: > Hi, > > The Java maintainers have orphaned most, if not all, of the Java stack > in Fedora, in favor of modules: >

Re: [Pki-devel] New update: PKI 10.6.7 and its deps

2018-10-11 Thread Fraser Tweedale
Dear Dinesh, The 10.6.7-1 update[1] was given negative karma due to FreeIPA installation failure[2] on openqa. I have spent considerable time trying to reproduce the failure using the same package from updates-testing, without success. [1]

[Pki-devel] New RFCs 8398 and 8399 update RFC 5280 (X.509)

2018-05-24 Thread Fraser Tweedale
Just a quick heads up that a couple of new RFCs[1][2] update RFC 5280 w.r.t. i18n support. [1] https://tools.ietf.org/html/rfc8398 [2] https://tools.ietf.org/html/rfc8399 The most notable change is a new otherName type to represent internationalised email addresses (i.e. when the local part is

Re: [Pki-devel] PKI 10.6.0 and TomcatJSS 7.3.0

2018-05-01 Thread Fraser Tweedale
On Tue, May 01, 2018 at 09:34:23PM -0400, Endi Sukma Dewata wrote: > Hi, > > PKI 10.6.0 and TomcatJSS 7.3.0 has officially been released > upstream and in Fedora 28: > > https://github.com/dogtagpki/pki/releases/tag/v10.6.0 > https://github.com/dogtagpki/tomcatjss/releases/tag/v7.3.0 > > Please

Re: [Pki-devel] Dogtag PKI Website URL

2018-03-27 Thread Fraser Tweedale
On Tue, Mar 27, 2018 at 09:52:22PM -0400, Endi Sukma Dewata wrote: > - Original Message - > > On Tue, Mar 27, 2018 at 11:16:01AM -0400, Endi Sukma Dewata wrote: > > > Hi, > > > > > > The Dogtag PKI Website URL has changed as follows: > > > > > > * Old URL: http://pki.fedoraproject.org >

Re: [Pki-devel] Dogtag PKI Website URL

2018-03-27 Thread Fraser Tweedale
On Tue, Mar 27, 2018 at 11:16:01AM -0400, Endi Sukma Dewata wrote: > Hi, > > The Dogtag PKI Website URL has changed as follows: > > * Old URL: http://pki.fedoraproject.org > * New URL: http://www.dogtagpki.org > > Please use the new URL whenever possible. The old URL should > automatically be

Re: [Pki-devel] CMS.debug(Throwable e); stack trace suppressed?

2018-03-09 Thread Fraser Tweedale
On Fri, Mar 09, 2018 at 07:02:23PM +1000, Fraser Tweedale wrote: > Hi, > > It seems that with the change in logging backend, calls to > CMS.debug(Throwable e) no longer print the stack trace. The name of > the exception is printed but the error message has been suppressed. >

[Pki-devel] IPAddress General Name patches

2018-02-27 Thread Fraser Tweedale
Hi Christina et al, Could someone with a familiarity/interest in IPAddress altnames / name constraints please review this patchset and the three related patchsets, when you have time? https://review.gerrithub.io/#/c/398356/ The related BZ is

Re: [Pki-devel] Gerrit submit type

2017-10-09 Thread Fraser Tweedale
ramifications of this change and why it is > > needed? > > > > I notice that most of the Openstack projects use the default "Merge > > If > > Necessary", and want to understand (or at least document) why we want > > to do things differently. > > >

[Pki-devel] Gerrit submit type

2017-10-06 Thread Fraser Tweedale
To whoever has management permission on gerrithub, Could you please change the `Submit Type' config to `Rebase if Necessary'? This will avoid explicit merge commits without the developer having to explicitly rebase the change before submitting.

Re: [Pki-devel] [PATCH] 0179 KRA: do not accumulate recovered keys in token

2017-04-26 Thread Fraser Tweedale
On Wed, Apr 26, 2017 at 06:40:59PM +1000, Fraser Tweedale wrote: > On Thu, Apr 06, 2017 at 05:22:34PM +1000, Fraser Tweedale wrote: > > The attached patch fixes a regression (I think?) where recovered > > keys accumulate in the key storage token. > > > > Thanks,

Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-26 Thread Fraser Tweedale
d above. Thanks, Fraser > > On 04/10/2017 11:30 PM, Fraser Tweedale wrote: > > On Thu, Apr 06, 2017 at 03:45:55PM -0700, Christina Fu wrote: > > > Hi Fraser, > > > > > > Could you please do the following first? > > > > > > 1. file a Mozilla

Re: [Pki-devel] [PATCH] 0179 KRA: do not accumulate recovered keys in token

2017-04-26 Thread Fraser Tweedale
On Thu, Apr 06, 2017 at 05:22:34PM +1000, Fraser Tweedale wrote: > The attached patch fixes a regression (I think?) where recovered > keys accumulate in the key storage token. > > Thanks, > Fraser Gerrit review: https://review.gerrithu

Re: [Pki-devel] [PATCH] 0159..0161 Fix config param removal in profile modification

2017-04-19 Thread Fraser Tweedale
I have created a gerrit review for this patchset: https://review.gerrithub.io/#/c/357607/ Thanks, Fraser On Tue, Feb 07, 2017 at 09:39:52PM +1000, Fraser Tweedale wrote: > Please review the attached patches which fix > https://fedorahosted.org/pki/ticket/2588, a bug in profile > mod

Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-11 Thread Fraser Tweedale
is not active when I go to Edit Bug. Also not sure how to "mark reviewers". I added you and Elio to Cc though. Thanks, Fraser > > On 04/04/2017 02:56 AM, Fraser Tweedale wrote: > > Hi team, > > > > Please review attached patches for JSS and Dogtag that:

[Pki-devel] [PATCH] 0179 KRA: do not accumulate recovered keys in token

2017-04-06 Thread Fraser Tweedale
The attached patch fixes a regression (I think?) where recovered keys accumulate in the key storage token. Thanks, Fraser From ab470a00827673f327d5f171ff3fdf1baea4ae5e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Thu, 6 Apr 2017 16:07:07 +1000 Subject: [PATC

[Pki-devel] KRA questions

2017-04-05 Thread Fraser Tweedale
Hi all, I have some questions about KRA operation. These questions came up as part of my PKCS #12 AES key bag encryption effort. 1) the kra.allowEncDecrypt.recovery setting controls whether unwrapping the archived key takes place on a crypto token (the default) or within Dogtag. It seems to be

[Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-04 Thread Fraser Tweedale
de2d7f049eb4462c7442795a77a8a915ae70d216 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Mon, 3 Apr 2017 11:07:24 +1000 Subject: [PATCH 0/2] Add SEC_OID mappings for AES ECB/CBC algorithms --- org/mozilla/jss/crypto/Algorithm.c | 8 +++- org/mozilla/jss/crypto/Algor

Re: [Pki-devel] [PATCH] 0167..0175 external authentication support

2017-03-16 Thread Fraser Tweedale
On Tue, Mar 07, 2017 at 11:16:37AM +1000, Fraser Tweedale wrote: > Hi team, > > Please review the attached patches, which add support for external > authentication (e.g. GSS-API/SPNEGO). > > These patches depend on some other outstanding patches: > 0157, 0158, 0165, 0166

Re: [Pki-devel] [PATCH] 0163..0165 Include revocation reason in REST cert data

2017-03-13 Thread Fraser Tweedale
On Mon, Mar 13, 2017 at 03:59:24PM -0400, Ade Lee wrote: > ACK > Thanks; 0165 pushed to master (6fa6b692882d00c8228aed7f5780b13f1b09c98c) > On Wed, 2017-02-22 at 12:12 +1000, Fraser Tweedale wrote: > > The following patches add the revocation reason to the REST cert > > da

[Pki-devel] [PATCH] 0176..0177 small manpage fixes

2017-03-08 Thread Fraser Tweedale
Please review attached patches that fix a couple of problems in pkispawn.8 and pki_default.cfg.5. Thanks, Fraser From e6c683eec351be54fb65f22629e78865839bf263 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Thu, 9 Mar 2017 14:30:29 +1000 Subject: [PATCH 1

[Pki-devel] [PATCH] 0166 CMS.getLogMessage: escape format elements in arguments

2017-03-01 Thread Fraser Tweedale
:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Thu, 2 Mar 2017 16:32:21 +1000 Subject: [PATCH] CMS.getLogMessage: escape format elements in arguments CMS.getLogMessage performs message formatting via MessageFormat, then the message gets logged via a Logger. The Logger also pe

[Pki-devel] [PATCH] 0163..0165 Include revocation reason in REST cert data

2017-02-21 Thread Fraser Tweedale
The following patches add the revocation reason to the REST cert data (i.e. GET /ca/rest/certs/{id}). Patches 0163 and 0164 were pushed under trivial rule. Please review 0165. Thanks, Fraser From f50507eac86edba2fba01ff25d6937f7d991770e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ft

[Pki-devel] [PATCH] 0162 Fix NPE in server shutdown when startup failed

2017-02-19 Thread Fraser Tweedale
The attached patch fixes an NPE that can occur if startup fails (e.g. due to database unavailable). Pushed under trivial rule. Thanks, Fraser From aa9bca02d0469e16a93812564bf44369c30002da Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Mon, 20 Feb 2017 11:08:50

Re: [Pki-devel] [PATCH] 0150 Allow DirAclAuthz to be configured to read alternative entry

2017-02-09 Thread Fraser Tweedale
On Tue, Jan 24, 2017 at 02:45:48PM +1000, Fraser Tweedale wrote: > The attached patch (part of the GSS-API effort) allows DirAclAuthz > configuration to specify to read the ACLs from a different entry (it > is currently hard-coded). > > Thanks, > Fraser > ACKed by a

Re: [Pki-devel] [PATCH] 0151..0155 Add profile component that copies CN to SAN

2017-02-08 Thread Fraser Tweedale
On Wed, Feb 01, 2017 at 05:25:58PM +1000, Fraser Tweedale wrote: > Hi all, > > The attached patches implement the long-desired feature to copy CN > to SubjectAltName (https://fedorahosted.org/pki/ticket/1710). > > I've also pushed the branch to my GitHub repo; feel free to re

[Pki-devel] [PATCH] 0159..0161 Fix config param removal in profile modification

2017-02-07 Thread Fraser Tweedale
Please review the attached patches which fix https://fedorahosted.org/pki/ticket/2588, a bug in profile modification where config params can only be added or changed, but not removed. Thanks, Fraser From 0a86f63cfe2d5391befe401541e9dcc0dae6ce29 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale

[Pki-devel] [PATCH] 0157..0158 authToken-related refactors

2017-02-06 Thread Fraser Tweedale
Please review attached patches; a couple of small refactors to ease upcoming GSS-API work. Thanks, Fraser From 71a94aba941b395a07a849eacb125b9657f70f59 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Tue, 7 Feb 2017 11:38:03 +1000 Subject: [PATCH 157/158]

[Pki-devel] [PATCH] 0156 Remove unused dependency from tomcat classes build

2017-02-06 Thread Fraser Tweedale
Pushed under one-liner/trivial rule. Thanks, Fraser From 463be6afd824f39c9e02881d7b9b168cd92093a1 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Tue, 7 Feb 2017 10:31:32 +1000 Subject: [PATCH 156/158] Remove unused dependency from tomcat classes build --- base/

Re: [Pki-devel] [PATCH] 0151..0155 Add profile component that copies CN to SAN

2017-02-02 Thread Fraser Tweedale
a KBase article about using the new component. Let me know what you think. Cheers, Fraser On Thu, Feb 02, 2017 at 12:46:30PM -0700, Matthew Harmsen wrote: > On 02/01/2017 12:25 AM, Fraser Tweedale wrote: > > Hi all, > > > > The attached patches implement the long-desir

[Pki-devel] [PATCH] 0151..0155 Add profile component that copies CN to SAN

2017-01-31 Thread Fraser Tweedale
Thanks, Fraser From 3f913b1857712dd0a962d42f56f29d7faebf244e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 1 Feb 2017 16:15:39 +1000 Subject: [PATCH 151/155] DNSName: add method to get value To implement a profile default that copies CN to SAN dNSName, w

[Pki-devel] [PATCH] 0149 Use BigInteger for entryUSN

2017-01-22 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2579. Thanks, Fraser From 4201b2c02546e4d404816a4932ba2d0d688f2c55 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Mon, 23 Jan 2017 17:11:26 +1000 Subject: [PATCH] Use BigInteger for entryUSN Currently

[Pki-devel] [PATCH] 0148 Remove principal type assumption from AuthorityService

2016-12-11 Thread Fraser Tweedale
Reviewed by alee: https://github.com/frasertweedale/pki/commit/967727ea3104accbf1bd1e05fc676bfef0d9ba6d Pushed to master (1d706a075f32d7c30a6259be675b8f34ef2a9c99). Thanks, Fraser From 1d706a075f32d7c30a6259be675b8f34ef2a9c99 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.

Re: [Pki-devel] [PATCH] 0144..0146 Move IRequest extdata-related constants

2016-12-11 Thread Fraser Tweedale
; IRequest extdata key prefix in one place Thanks, Fraser On Wed, Dec 07, 2016 at 02:39:22PM +1000, Fraser Tweedale wrote: > The attached patches relocate / redefine some constants that are > used as keys when setting or getting IRequest extdata attributes. > > In some cases this remo

Re: [Pki-devel] [PATCH] 0141 Add getAuthzManagerNameByRealm to IAuthzSubsystem

2016-12-11 Thread Fraser Tweedale
Acked by alee: https://github.com/frasertweedale/pki/commit/4a43f08a96f80a44ad0d8fffcb49f70b5d274277 Pushed to master (e2e4b70bab9c81b9007057cafd25447190d6cde4). Thanks, Fraser On Tue, Nov 29, 2016 at 07:12:28PM +1000, Fraser Tweedale wrote: > This patch renames (a better name) and mo

Re: [Pki-devel] [PATCH] 0140 Allow ':' to appear in ACL expressions

2016-12-11 Thread Fraser Tweedale
Acked by alee: https://github.com/frasertweedale/pki/commit/037c16e3e78bccfa16e3d50ef840675ad2e0f3ec Pushed to master (7ab1bbb708d539d4db4e494418fedb952e4880bc) Thanks, Fraser On Tue, Nov 29, 2016 at 07:08:48PM +1000, Fraser Tweedale wrote: > With current ACL parsing, if you h

Re: [Pki-devel] [PATCH] 0139 Merge duplicate authz plugin code into superclass

2016-12-11 Thread Fraser Tweedale
Acked by alee: https://github.com/frasertweedale/pki/commit/2d6e917470fce977d2537eba0b9ef2ee17fd0a41 Pushed to master (bfcf597d569e24fe6ec60062e37908c62bcff76) On Tue, Nov 29, 2016 at 07:04:26PM +1000, Fraser Tweedale wrote: > The attached patch merges some duplicate authz manager c

Re: [Pki-devel] [PATCH] 0138 Move AuthToken key constants to IAuthToken

2016-12-11 Thread Fraser Tweedale
Acked by alee: https://github.com/frasertweedale/pki/commit/b775ca19b2c1a3d554aca3134308a71fecd7bdd0 Pushed to master (1407b5f3af27d05970bb42ac2fefe51cb6b01abd) Thanks, Fraser On Tue, Nov 29, 2016 at 07:02:12PM +1000, Fraser Tweedale wrote: > The attached patch moves some string constants f

Re: [Pki-devel] [Pki-users] CS Server error

2016-12-07 Thread Fraser Tweedale
(Sorry, I sent this to the wrong list.) On Thu, Dec 08, 2016 at 01:59:45PM +1000, Fraser Tweedale wrote: > On Wed, Dec 07, 2016 at 05:29:41PM -0800, Rafael Leiva-Ochoa wrote: > > Here you goI hope you can help. I am already starting to use it in > > production testing...I woul

Re: [Pki-devel] [Pki-users] CS Server error

2016-12-07 Thread Fraser Tweedale
. Thanks, Fraser > On Wed, Dec 7, 2016 at 4:25 PM, Fraser Tweedale <ftwee...@redhat.com> wrote: > > > On Wed, Dec 07, 2016 at 02:11:53PM -0800, Rafael Leiva-Ochoa wrote: > > > Hi Team, > > > > > > I have installed Dogtag on one of my Raspberry PI 3 de

[Pki-devel] [PATCH] 0144..0146 Move IRequest extdata-related constants

2016-12-06 Thread Fraser Tweedale
in IRequest, which is the appropriate place. This is refactoring work undertaken as part of GSSAPI support. Thanks, Fraser From 31d9026f2be5204dd4742ce00542bc80b614d9b9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 7 Dec 2016 12:25:01 +1000 Subject: [PAT

[Pki-devel] [PATCH] 0143 Remove unused string constant

2016-12-06 Thread Fraser Tweedale
What it says on the tin. Pushed under one-liner rule. Thanks, Fraser From 01956aedf62f20713ca191c254a20f0b50d8e7af Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 7 Dec 2016 14:23:18 +1000 Subject: [PATCH 143/143] Remove unused string constant Part of:

[Pki-devel] [PATCH] 0141 Add getAuthzManagerNameByRealm to IAuthzSubsystem

2016-11-29 Thread Fraser Tweedale
This patch renames (a better name) and moves to the IAuthzSubsystem interface a method in AuthzSubsystem that may be useful for doing authorisation checks for external principals. Thanks, Fraser From 6a1ddf4cf79e40ff0a0702e063afa6e6237f0fb6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ft

[Pki-devel] [PATCH] 0139 Merge duplicate authz plugin code into superclass

2016-11-29 Thread Fraser Tweedale
afc5fc3da5f1ea61305fb237e002bbe8b3d26e8c Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Fri, 25 Nov 2016 14:29:40 +1000 Subject: [PATCH 139/141] Merge duplicate authz plugin code into superclass DirAclAuthz and BasicAclAuthz both extend AAclAuthz, but there is still a lot of duplicat

[Pki-devel] [PATCH] 0138 Move AuthToken key constants to IAuthToken

2016-11-29 Thread Fraser Tweedale
From: Fraser Tweedale <ftwee...@redhat.com> Date: Tue, 29 Nov 2016 16:10:58 +1000 Subject: [PATCH 138/141] Move AuthToken key constants to IAuthToken Part of: https://fedorahosted.org/pki/ticket/1359 --- .../netscape/certsrv/authentication/AuthToken.java | 34 -- .../c

[Pki-devel] [PATCH] 0137 Remove unused member

2016-11-29 Thread Fraser Tweedale
Just a drive-by removal of an unused class member. Pushed under one-liner rule. Thanks, Fraser From e613f485e9ed08b9b5e6b2ad568a0953b742b0e5 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Mon, 28 Nov 2016 14:52:11 +1000 Subject: [PATCH] Remove unused member ---

[Pki-devel] [PATCH] 0135 Do not attempt LWCA key retrieval for host authority

2016-09-21 Thread Fraser Tweedale
From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 21 Sep 2016 20:18:37 +1000 Subject: [PATCH] Do not attempt LWCA key retrieval for host authority During two-step installation of externally-signed CA, installation can fail because host authority's private key cannot be located (a tem

Re: [Pki-devel] [PATCH] 0134 Block reads during reload of LDAP-based profiles

2016-09-14 Thread Fraser Tweedale
On Wed, Sep 14, 2016 at 07:16:32PM -0500, Endi Sukma Dewata wrote: > On 9/14/2016 7:14 AM, Fraser Tweedale wrote: > > Hi team, > > > > The attached patch fixes (yet another) race condition in > > LDAPProfileSubsystem. > > > > https://fedorahosted.org/pki/

[Pki-devel] [PATCH] 0134 Block reads during reload of LDAP-based profiles

2016-09-14 Thread Fraser Tweedale
Hi team, The attached patch fixes (yet another) race condition in LDAPProfileSubsystem. https://fedorahosted.org/pki/ticket/2453 Additional context: https://fedorahosted.org/freeipa/ticket/6274 Thanks, Fraser From 24a5ad6f84387055468e0125df90fea6635da484 Mon Sep 17 00:00:00 2001 From: Fraser

[Pki-devel] [PATCH] 0130 Prevent deletion of host CA cert and key from NSSDB

2016-08-23 Thread Fraser Tweedale
Hi, Attached patch fixes https://fedorahosted.org/pki/ticket/2443. Thanks, Fraser From e0a546113b65d57e4b00b495f4ef50616ad744c1 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 24 Aug 2016 14:40:46 +1000 Subject: [PATCH] Prevent deletion of host CA cert a

Re: [Pki-devel] JSS/NSS

2016-08-07 Thread Fraser Tweedale
On Fri, Aug 05, 2016 at 10:10:22AM -0700, George Wash wrote: > Are there any plans on the dogtag roadmap to ever migrate away from using > JSS/NSS? > Hi George, I don't think there are any such plans. Why do you ask? Cheers, Fraser

[Pki-devel] [PATCH] 0128 Fix CA OCSP responder when LWCA's are not in use

2016-07-26 Thread Fraser Tweedale
Hi team, The attached patch fixes https://fedorahosted.org/pki/ticket/2420. Thanks, Fraser From 86030eb0c231734a3020b201a9be60e84d023e75 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Tue, 26 Jul 2016 14:07:10 +1000 Subject: [PATCH] Fix CA OCSP responder when

Re: [Pki-devel] [PATCH] Added fix for pki-server for db-update

2016-07-14 Thread Fraser Tweedale
On Thu, Jul 14, 2016 at 03:51:18PM +0530, Geetika Kapoor wrote: > > > On 07/14/2016 03:02 PM, Geetika Kapoor wrote: > > > > On 07/14/2016 01:53 PM, Fraser Tweedale wrote: > >> On Thu, Jul 14, 2016 at 06:01:51PM +1000, Fraser Tweedale wrote: > >>> On Thu,

Re: [Pki-devel] [PATCH] Added fix for pki-server for db-update

2016-07-13 Thread Fraser Tweedale
On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote: > Hi, > > Please review this patch. Below is a small summary about this fix and > what we are trying to achieve. > > CLI : pki-server db-upgrade > > what it should be doing is if it sees that issuerName doesn't exist, NULL > it will

Re: [Pki-devel] [PATCH] 781 Added instance and subsystem validation for pki-server ca-* commands.

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 08:38:57PM -0500, Endi Sukma Dewata wrote: > The pki-server ca-* commands have been modified to validate > the instance and the CA subsystem before proceeding with the > operation. > > The usage() methods and invocations have been renamed into > print_help() for

Re: [Pki-devel] [PATCH] 780 Fixed pki-server subsystem-cert-update.

2016-06-30 Thread Fraser Tweedale
On Wed, Jun 29, 2016 at 11:19:46AM -0500, Endi Sukma Dewata wrote: > The pki-server subsystem-cert-update is supposed to restore the > system certificate data and requests into CS.cfg. The command was > broken since the CASubsystem class that contains the code to find > the certificate requests

Re: [Pki-devel] [PATCH] 0124 Add profiles container to LDAP if missing

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 10:10:32AM -0500, Endi Sukma Dewata wrote: > On 6/22/2016 4:53 AM, Fraser Tweedale wrote: > > The attached patch fixes https://fedorahosted.org/pki/ticket/2285. > > See commit message and bz1323400[1] for full history and details. > > > > [1]

Re: [Pki-devel] [PATCH] 0126 Respond 400 if lightweight CA cert issuance fails

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 10:49:12AM -0500, Endi Sukma Dewata wrote: > On 6/27/2016 9:52 PM, Fraser Tweedale wrote: > > The attached patch fixes https://fedorahosted.org/pki/ticket/2388. > > Wanted for 10.3.4. > > > > Thanks, > > Fraser > > Two things:

[Pki-devel] [PATCH] 0126 Respond 400 if lightweight CA cert issuance fails

2016-06-27 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2388. Wanted for 10.3.4. Thanks, Fraser From 3ad777d8009f025f1aac1159910dd0a4d327bd13 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Sat, 25 Jun 2016 00:14:11 +0200 Subject: [PATCH] Respond 400 if lightweight

[Pki-devel] [PATCH] 0124 Add profiles container to LDAP if missing

2016-06-22 Thread Fraser Tweedale
17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 22 Jun 2016 13:34:01 +1000 Subject: [PATCH] Add profiles container to LDAP if missing CMS startup was changed a while back to wait for LDAPProfileSubsystem initialisation, while LDAPProfileSubsystem initialisation waits f

Re: [Pki-devel] [Freeipa-devel] [DESIGN] Lightweight CA renewal

2016-06-20 Thread Fraser Tweedale
On Tue, Jun 21, 2016 at 07:29:22AM +0200, Jan Cholasta wrote: > On 18.6.2016 02:38, Fraser Tweedale wrote: > > On Fri, Jun 17, 2016 at 03:21:07PM +0200, Jan Cholasta wrote: > > > On 17.6.2016 09:34, Fraser Tweedale wrote: > > > > On Mon, May 09, 2016 at 09:35:

Re: [Pki-devel] [Freeipa-devel] [DESIGN] Lightweight CA renewal

2016-06-17 Thread Fraser Tweedale
On Mon, May 09, 2016 at 09:35:06AM +0200, Jan Cholasta wrote: > Hi, > > On 6.5.2016 08:01, Fraser Tweedale wrote: > > Hullo all, > > > > FreeIPA Lightweight CAs implementation is progressing well. The > > remaining big unknown in the design is how to do

Re: [Pki-devel] [PATCH] 772 Updated instructions to customize TPS token lifecycle.

2016-06-15 Thread Fraser Tweedale
On Wed, Jun 15, 2016 at 11:36:28AM -0500, Endi Sukma Dewata wrote: > The TPS's CS.cfg and token-states.properties have been updated > to include instructions to customize token state transitions and > labels. > > https://fedorahosted.org/pki/ticket/2300 > ACK

Re: [Pki-devel] [PATCH] 768 Added pki pkcs12-cert-mod command.

2016-06-15 Thread Fraser Tweedale
On Mon, Jun 13, 2016 at 07:24:01PM -0500, Endi Sukma Dewata wrote: > A new CLI has been added to update the certificate trust flags in > PKCS #12 file which will be useful to import OpenSSL certificates. > Tested; does what it says on the tin. ACK. Cheers, Fraser

Re: [Pki-devel] [PATCH] 767 Fixed VLV usage in TPS token and activity services.

2016-06-15 Thread Fraser Tweedale
On Fri, Jun 10, 2016 at 10:29:51AM -0500, Endi Sukma Dewata wrote: > The TPS token and activity services have been modified to use VLV > only when the search filter matches the VLV, which is the default > filter when there is no search keyword/attributes specified by > the client. In other cases

Re: [Pki-devel] [PATCH] 0123 Do not attempt cert update unless signing key is present

2016-06-14 Thread Fraser Tweedale
On Tue, Jun 14, 2016 at 07:40:12PM -0500, Endi Sukma Dewata wrote: > On 6/13/2016 9:38 PM, Fraser Tweedale wrote: > > Hi all, > > > > The attached patch fixes https://fedorahosted.org/pki/ticket/2359. > > Please review for inclusion in 10.3.3. > > > >

[Pki-devel] [PATCH] 0122 Modify ExternalProcessKeyRetriever to read JSON

2016-06-04 Thread Fraser Tweedale
dependency, but should I also add it spec file as explicit dependency? Cheers, Fraser From 7183cece34b766b5e1db6837291151b4d58aa9c9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Sat, 4 Jun 2016 20:49:38 +1000 Subject: [PATCH] Modify ExternalProcessKeyRetriever to rea

Re: [Pki-devel] [PATCH] 0120..0121 Remove pki-ipa-retrieve-key script

2016-06-03 Thread Fraser Tweedale
On Thu, Jun 02, 2016 at 11:45:43PM -0500, Endi Sukma Dewata wrote: > On 5/31/2016 11:45 PM, Fraser Tweedale wrote: > > G'day comrades, > > > > Please review the attached two patches, which... > > > > (Patch 0120) > > > > - provide for passing o

Re: [Pki-devel] [PATCH] 0112 Return 410 Gone if target CA of request has been deleted

2016-06-02 Thread Fraser Tweedale
On Thu, Jun 02, 2016 at 08:02:35PM -0500, Endi Sukma Dewata wrote: > On 5/17/2016 12:20 AM, Fraser Tweedale wrote: > > Hi all, > > attached patch fixes https://fedorahosted.org/pki/ticket/2332 > > > > Cheers, > > Fraser > > Assuming an identical CA cannot

Re: [Pki-devel] [PATCH] 0116 Fix LDAP schema violation when instance name contains '_'

2016-05-31 Thread Fraser Tweedale
On Tue, May 31, 2016 at 11:07:51AM -0500, Endi Sukma Dewata wrote: > On 5/29/2016 10:25 PM, Fraser Tweedale wrote: > > The attached patch fixes https://fedorahosted.org/pki/ticket/2343 > > > > Cheers, > > Fraser > > ACK. > Thanks Endi! Pushed to master (a401

[Pki-devel] [PATCH] 0116 Fix LDAP schema violation when instance name contains '_'

2016-05-29 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2343 Cheers, Fraser From a40139d5f21139d31b62d3c35002b454131245f1 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Mon, 30 May 2016 12:17:12 +1000 Subject: [PATCH] Fix LDAP schema violation when instanc

[Pki-devel] [PATCH] 0112 Return 410 Gone if target CA of request has been deleted

2016-05-17 Thread Fraser Tweedale
Hi all, attached patch fixes https://fedorahosted.org/pki/ticket/2332 Cheers, Fraser From baf904216848a5d775948853764d2657ea6405e9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Tue, 17 May 2016 14:47:11 +1000 Subject: [PATCH] Return 410 Gone if target CA of r

[Pki-devel] [PATCH] 0111 Lightweight CAs: remove NSSDB material when processing deletion

2016-05-15 Thread Fraser Tweedale
The attached patch makes clones delete lightweight CA keys/certs from local NSSDB when processing LWCA deletion. Ticket: https://fedorahosted.org/pki/ticket/2328 Thanks, Fraser From 96079be3caea27ab1ecd5e6486a31c5c3629 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com>

Re: [Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

2016-05-12 Thread Fraser Tweedale
erably, in LDAP itself). Updates themselves should be idempotent. > Opening up for others to chime in .. > > Ade > > On Tue, 2016-05-10 at 08:32 +1000, Fraser Tweedale wrote: > > On Mon, May 09, 2016 at 04:06:46PM -0400, Ade Lee wrote: > > > Isn't all this predica

[Pki-devel] [PATCH] 0108 Lightweight CAs: add issuer DN and serial to AuthorityData

2016-05-12 Thread Fraser Tweedale
913fced6709f30da2ac05e5367fcfc05e1698a75 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Fri, 13 May 2016 14:22:08 +1000 Subject: [PATCH] Lightweight CAs: add issuer DN and serial to AuthorityData Add issuer DN and serial number to the AuthorityData object, as read-only attr

Re: [Pki-devel] [PATCH] 0103 Reject cert request if resultant subject DN is invalid

2016-05-12 Thread Fraser Tweedale
On Mon, May 09, 2016 at 01:19:50PM +1000, Fraser Tweedale wrote: > The attached patch fixes https://fedorahosted.org/pki/ticket/2317. > It will result in better error messages and help users to diagnose > bad profile configurations (especially with IPA). > > Thanks, > Fras

Re: [Pki-devel] [PATCH] 0106..0107 Add issuer DN to cert search params/result

2016-05-10 Thread Fraser Tweedale
On Tue, May 10, 2016 at 01:29:17PM -0400, Ade Lee wrote: > ACK. > Thanks Ade; pushed to master: 502db07ee8ef3e9f6b4bc2b030b29e8db639bc69 Include issuer DN in CertDataInfo 70d751e837cbf375ebd068169e591cd4a971f472 Support certificate search by issuer DN. > Is the new search parameter added to

Re: [Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

2016-05-09 Thread Fraser Tweedale
On Mon, May 09, 2016 at 04:06:46PM -0400, Ade Lee wrote: > Isn't all this predicated on a schema change that adds the issuer as an > optional field for the certRecord? > The schema already exists but was unused. > Ade > > On Mon, 2016-05-09 at 17:15 +1000, Fraser Tweedale

[Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

2016-05-09 Thread Fraser Tweedale
scriptlet to perform the upgrade for Dogtag CA subsystem on the host? Is there a precedent for invoking pki-server (or subroutines thereof) from pki-server-upgrade scriptlets? Cheers, Fraser From 9d994fe2c4e31c3d4212673f1dd3a0c8e84c40a3 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.

[Pki-devel] [PATCH] 0104 Lightweight CAs: fix bad import in key retriever script

2016-05-08 Thread Fraser Tweedale
Attached patch fixes a typo in the LWCA key retrieval Python helper script. Pushed to master (e75be5dcbce6aecf08ea7ff0b027222d0b6bbd4f) under one-liner rule. Cheers, Fraser From e75be5dcbce6aecf08ea7ff0b027222d0b6bbd4f Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com>

[Pki-devel] [PATCH] 0103 Reject cert request if resultant subject DN is invalid

2016-05-08 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2317. It will result in better error messages and help users to diagnose bad profile configurations (especially with IPA). Thanks, Fraser From ff7ff61c6cc97f695f3db2058bf3639014278299 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale

Re: [Pki-devel] [PATCH] 0101 Lightweight CAs: accept "host-authority" as valid parent

2016-05-08 Thread Fraser Tweedale
On Fri, May 06, 2016 at 09:31:07PM -0500, Endi Sukma Dewata wrote: > On 5/5/2016 1:54 AM, Fraser Tweedale wrote: > >The attached patch allows "host-authority" to be used as valid > >reference to the host authority when creating a LWCA. It makes life > >eas

[Pki-devel] [PATCH] 0102 Lightweight CAs: allow specifying authority via ProfileSubmitServlet

2016-05-06 Thread Fraser Tweedale
Attached patch does what it says on the tin ;) Cheers, and have a good weekend y'all. Fraser From cabae0a050fb752b290ece28d5dac927f01b3c01 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Fri, 6 May 2016 16:03:57 +1000 Subject: [PATCH] Lightweight CAs: allow spec

[Pki-devel] [DESIGN] Lightweight CA renewal

2016-05-06 Thread Fraser Tweedale
Hullo all, the FreeIPA Lightweight CAs implementation is progressing well. The remaining big unknown in the design is how to do renewal. I have put my ideas into the design page [1] and would appreciate any and all feedback! [1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal Some brief commentary

[Pki-devel] [PATCH] 0101 Lightweight CAs: accept "host-authority" as valid parent

2016-05-05 Thread Fraser Tweedale
The attached patch allows "host-authority" to be used as a valid reference to the host authority when creating a LWCA. It makes life easier for me on the FreeIPA side :) Cheers, Fraser From f1860c2315f13d458a33521f78327b8c3a84a246 Mon Sep 17 00:00:00 2001 From: Fraser Tweed