Re: [Pki-devel] [PATCH] 315-319 KRA realm related patches

2016-06-02 Thread Endi Sukma Dewata
On 6/2/2016 8:51 AM, Ade Lee wrote: And now with the patches .. On Thu, 2016-06-02 at 09:50 -0400, Ade Lee wrote: Patch descriptions (in reverse order). The final patch will need some discussion. Please review, Ade Some comments: 1. In SrchKey and SrchKeyForRecovery the check probably

Re: [Pki-devel] [PATCH] 757 Added TPS token state transition validation.

2016-06-02 Thread Endi Sukma Dewata
On 5/27/2016 5:52 PM, Endi Sukma Dewata wrote: On 5/25/2016 10:34 PM, Endi Sukma Dewata wrote: The TPSSubsystem has been modified to load and validate the token state transition lists during initialization. If any of the lists is empty or any of the transitions is invalid, the initialization

Re: [Pki-devel] [PATCH] 0110 Lightweight CAs: remove redundant deletePrivateKey invocation

2016-06-02 Thread Endi Sukma Dewata
On 5/15/2016 10:26 PM, Fraser Tweedale wrote: Hi team, The attached patch fixes https://fedorahosted.org/pki/ticket/1640. Cheers, Fraser ACK. -- Endi S. Dewata ___ Pki-devel mailing list Pki-devel@redhat.com

[Pki-devel] [PATCH] 761 Fixed truncated token activity message in TPS UI.

2016-06-03 Thread Endi Sukma Dewata
The TPS UI has been modified to display the token activity message in a textarea to avoid truncation. The UI framework class has been modified to handle textarea. The CSS has been modified to align the field label with the top of textarea. https://fedorahosted.org/pki/ticket/2299 Pushed to

[Pki-devel] [PATCH] 762 Removed selftest interface from TPS UI.

2016-06-03 Thread Endi Sukma Dewata
The selftest interface has been removed from TPS UI to avoid confusion due to its limited usefulness. https://fedorahosted.org/pki/ticket/2344 Pushed to master under one-liner/trivial rule. -- Endi S. Dewata From af1d50bae945e14e1edc198d78d774b6ca491a5d Mon Sep 17 00:00:00 2001 From: "Endi S.

Re: [Pki-devel] [PATCH] 750 Fixed cert enrollment problem with empty rangeUnit in profile.

2016-05-24 Thread Endi Sukma Dewata
On 5/19/2016 10:27 AM, Endi Sukma Dewata wrote: Previously cert enrollment might fail after editing the profile using the console. This is because the console added an empty rangeUnit parameter, but the server rejected the empty value. The convertRangeUnit() methods in several classes have been

Re: [Pki-devel] [PATCH] 749 Fixed support for generic CSR extensions.

2016-05-24 Thread Endi Sukma Dewata
On 5/18/2016 10:44 AM, Endi Sukma Dewata wrote: The deployment tool has been modified to support adding Subordinate CA extension into the CSR for Microsoft CA, and also adding generic extensions to any system certificate. https://fedorahosted.org/pki/ticket/2312 ACKed by alee (thanks

[Pki-devel] [PATCH] 757 Added TPS token state transition validation.

2016-05-25 Thread Endi Sukma Dewata
The TPSSubsystem has been modified to load and validate the token state transition lists during initialization. If any of the lists is empty or any of the transitions is invalid, the initialization will fail and the subsystem will not start. https://fedorahosted.org/pki/ticket/2334 -- Endi S.

[Pki-devel] [PATCH] 758 Fixed error handling in ProxyRealm.

2016-05-25 Thread Endi Sukma Dewata
The ProxyRealms for Tomcat 7 and 8 have been modified to return an error if the subsystem is not available instead of falling back to username/password authentication. https://fedorahosted.org/pki/ticket/2326 -- Endi S. Dewata From cc10c05d122df43bb5b09cfc09c42099c1fd08bd Mon Sep 17 00:00:00

Re: [Pki-devel] [PATCH] patch to fix pki ca-kraconnector and add man page

2016-06-13 Thread Endi Sukma Dewata
On 6/12/2016 6:46 PM, Ade Lee wrote: commit 01af3ee5928de2bacaf62210672e1e51524bd41d Author: Ade Lee Date: Fri Jun 10 22:18:03 2016 -0400 Add man page and clarify CLI for kra-connector Ended up changing the CLI for kra-connector to make things a lot clearer as discussed

Re: [Pki-devel] [PATCH] 303-306 Various issues

2016-05-25 Thread Endi Sukma Dewata
On 5/24/2016 10:32 PM, Ade Lee wrote: Patches 303, 305 and 306 have been modified as discussed and checked in. Patch 304 has been revised as discussed on IRC. Please review. Ade Just one thing, the maxAge unit is still hours. I'm not sure anybody wants to purge CRLs less than a day old.

Re: [Pki-devel] [PATCH] 758 Fixed error handling in ProxyRealm.

2016-05-27 Thread Endi Sukma Dewata
On 5/25/2016 10:34 PM, Endi Sukma Dewata wrote: The ProxyRealms for Tomcat 7 and 8 have been modified to return an error if the subsystem is not available instead of falling back to username/password authentication. https://fedorahosted.org/pki/ticket/2326 ACKed by alee (thanks!). Pushed

[Pki-devel] [PATCH] 759 Fixed hard-coded database name for TPS VLV indexes.

2016-05-27 Thread Endi Sukma Dewata
The vlv.ldif for TPS has been modified to remove the hard-coded database name and to use customizable parameter instead. The token and activity REST services have been modified to search the database using VLV. The existing database can be fixed using the following procedure:

Re: [Pki-devel] [PATCH] 754-755 Fixed problem submitting renewal request.

2016-06-02 Thread Endi Sukma Dewata
On 5/24/2016 11:55 AM, Endi Sukma Dewata wrote: Attached are patches to fix a problem with submitting renewal request. https://fedorahosted.org/pki/ticket/999 This was conditionally ACKed by jmagne (thanks!). It's been tested to work with the UI and CLI with a minor revision. Pushed

Re: [Pki-devel] [PATCH] 0116 Fix LDAP schema violation when instance name contains '_'

2016-05-31 Thread Endi Sukma Dewata
On 5/29/2016 10:25 PM, Fraser Tweedale wrote: The attached patch fixes https://fedorahosted.org/pki/ticket/2343 Cheers, Fraser ACK. -- Endi S. Dewata ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 775-776 Fixed Java dependency

2016-06-17 Thread Endi Sukma Dewata
On 6/17/2016 12:54 AM, Endi Sukma Dewata wrote: On 06/16/2016 06:09 PM, Endi Sukma Dewata wrote: The code has been modified to use the JAVA_HOME path specified in the pki.conf. The spec file has been modified to depend specifically on OpenJDK 1.8.0 and to provide the default JAVA_HOME path

[Pki-devel] [PATCH] 774 Added debugging log in ClientCertImportCLI.

2016-06-16 Thread Endi Sukma Dewata
Pushed to master under one-liner/trivial rule. -- Endi S. Dewata From 0ce4b2ea2966280652a4d971170eb2d7474e152a Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu, 16 Jun 2016 13:48:41 -0500 Subject: [PATCH] Added debugging log in ClientCertImportCLI. ---

Re: [Pki-devel] [PATCH] 779 Fixed problem reading HSM password from password file.

2016-06-27 Thread Endi Sukma Dewata
On 6/24/2016 8:46 PM, Christina Fu wrote: Looks like might do it. If tested to work (borrow a vm from QE if you don't have one), ack. Thanks! I've tested it with QE's machine with HSM. Pushed to master. -- Endi S. Dewata

[Pki-devel] [PATCH] 779 Fixed problem reading HSM password from password file.

2016-06-24 Thread Endi Sukma Dewata
A new method get_token_password() has been added into PKIInstance Python class in order to read the token password correctly from password.conf. If the token is an internal token, it will read the 'internal' password. If it is an HSM it will read the password for 'hardware-'. The codes that call

Re: [Pki-devel] [PATCH] 772 Updated instructions to customize TPS token lifecycle.

2016-06-15 Thread Endi Sukma Dewata
On 6/15/2016 7:47 PM, Fraser Tweedale wrote: ACK Thanks! Pushed to master. -- Endi S. Dewata

Re: [Pki-devel] [PATCH] 676 Fixed LDAP error handling in TokenService.

2016-02-05 Thread Endi Sukma Dewata
On 2/4/2016 7:56 PM, Christina Fu wrote: looks fine. If tested to work, ACK. Christina Thanks! Pushed to master. -- Endi S. Dewata

Re: [Pki-devel] [PATCH] 678 Fixed token modify operation.

2016-02-08 Thread Endi Sukma Dewata
On 2/8/2016 11:54 AM, Christina Fu wrote: Looks fine. If tested to work, ACK. Christina Thanks! Pushed to master. -- Endi S. Dewata

Re: [Pki-devel] [PATCH] 680 Refactored PKCS12Export.

2016-02-11 Thread Endi Sukma Dewata
On 2/11/2016 6:17 PM, Matthew Harmsen wrote: ACK As discussed on IRC, since the default is to use the "-debug" switch to display things to console, I think that we should document this behaviour very clearly in the man pages that no informational messages are necessarily sent to log files.

Re: [Pki-devel] [PATCH] 0072 Weaken PKIPrincipal to superclass in several places

2016-02-11 Thread Endi Sukma Dewata
On 1/14/2016 12:10 AM, Fraser Tweedale wrote: Hi all, The attached patch (part of the GSS-API effort) weakens several soon-to-be-unsafe casts of the user principal object. It also adds some commentary (in the form of TODOs) to replace hardcoded role names with appropriate checks against

[Pki-devel] [PATCH] 673 Fixed TPS UI logout error message.

2016-02-02 Thread Endi Sukma Dewata
The TPS UI has been modified such that if the browser does not support logout operation it will show a message asking the user to clear the Active Logins or close the browser. https://fedorahosted.org/pki/ticket/1344 Pushed under one-liner/trivial rule. -- Endi S. Dewata From

[Pki-devel] [PATCH] 672 Fixed TPS token state transitions.

2016-02-02 Thread Endi Sukma Dewata
The TPS service has been modified to provide a list of allowed state transitions based on the current token state. The TPS UI was modified to display only the allowed state transitions when changing the token status. The allowed state transition list has been modified to remove invalid token

Re: [Pki-devel] [PATCH] 675 Added property file for token state and transition labels.

2016-02-03 Thread Endi Sukma Dewata
On 2/3/2016 12:45 PM, Endi Sukma Dewata wrote: The labels for token states and transitions are now stored in token-states.properties. The labels will be loaded when the UI is initialized. The dialog box for changing token status will now show the transition labels. The property file later can

[Pki-devel] [PATCH] 677 Fixed token add operation.

2016-02-03 Thread Endi Sukma Dewata
The TokenService has been fixed to allow adding a new token with empty attributes via the UI or CLI. The TPS UI has been modified to hide the status, create timestamp, and modify timestamp fields when adding a new token. The CLI has been modified to provide the parameters to specify the attribute

[Pki-devel] [PATCH] 676 Fixed LDAP error handling in TokenService.

2016-02-03 Thread Endi Sukma Dewata
The DBSSession has been modified to attach the LDAPException to the EDBException. The TokenService will catch the EDBException and obtain the original LDAPException. This way the TokenService can obtain the LDAP error code and throw the proper exception to the client.

[Pki-devel] [PATCH] 674 Fixed error handling in TokenService.

2016-02-03 Thread Endi Sukma Dewata
The TokenService has been modified to re-throw the original PKIException. This way on invalid token state transition the client will receive the original BadRequestException. Other types of exception will be wrapped with PKIException. https://fedorahosted.org/pki/ticket/1684 -- Endi S. Dewata

[Pki-devel] [PATCH] 675 Added property file for token state and transition labels.

2016-02-03 Thread Endi Sukma Dewata
The labels for token states and transitions are now stored in token-states.properties. The labels will be loaded when the UI is initialized. The dialog box for changing token status will now show the transition labels. The property file later can be moved into the theme package to allow

Re: [Pki-devel] [PATCH] 674 Fixed error handling in TokenService.

2016-02-03 Thread Endi Sukma Dewata
On 2/3/2016 12:42 PM, Christina Fu wrote: looks fine. If tested to work, ACK. Christina Thanks! Pushed to master. -- Endi S. Dewata

[Pki-devel] [PATCH] 692 Added workaround for JSS limitation in pki pkcs12-import.

2016-02-25 Thread Endi Sukma Dewata
Currently JSS is unable to import CA certificates while preserving their nicknames. As a workaround, the pki pkcs12-import has been modified such that it exports individual CA certificates from PKCS The remaining user certificates will continue to be imported using JSS. A new pki

Re: [Pki-devel] [PATCH] 691 Added Python wrapper for pki pkcs12-import.

2016-02-25 Thread Endi Sukma Dewata
On 2/25/2016 3:59 PM, Endi Sukma Dewata wrote: Note: The build fails due to weird pylint errors. The Python code itself seems to be working just fine. I fixed three small issues of your patch. The pki package vs. command was a tricky one. Thanks for pointing it out. :) Christian Thanks

[Pki-devel] [PATCH] 693 Replaced confirmation dialog with HTML dialog.

2016-02-26 Thread Endi Sukma Dewata
The TPS UI has been modified such that it will use an HTML-based dialog instead of the browser's built-in dialog such that the option to "prevent this page from creating additional dialogs" will no longer appear. https://fedorahosted.org/pki/ticket/1685 -- Endi S. Dewata From

Re: [Pki-devel] [PATCH] 668 Fixed installation summary for existing CA.

2016-01-22 Thread Endi Sukma Dewata
On 1/22/2016 5:11 PM, Matthew Harmsen wrote: ACK Pushed to master. Thanks! -- Endi S. Dewata

[Pki-devel] [PATCH] 685 Refactored PKCS12Util to use PKCS12 object.

2016-02-16 Thread Endi Sukma Dewata
The PKCS12Util has been modified such that it stores the certs and keys in PKCS12 object instead of PFX object. The PKCS12 object can be loaded either from NSS database or PKCS #12 file. The PKCS12 object can later be stored into NSS database or PKCS #12 file.

Re: [Pki-devel] [PATCH] 683 Added PKCS #12 attribute to store certificate trust flags.

2016-02-16 Thread Endi Sukma Dewata
On 2/15/2016 5:35 PM, Endi Sukma Dewata wrote: A new PKCS #12 attribute has been defined to store NSS certificate trust flags in PKCS #12 file. The PKCS12Util has been modified to store the trust flags during export and reset the trust flags in NSS database during import. https

Re: [Pki-devel] [PATCH] 684 Refactored PKCS12CertInfo and PKCS12KeyInfo classes.

2016-02-16 Thread Endi Sukma Dewata
On 2/16/2016 11:36 AM, Endi Sukma Dewata wrote: The PKCS12CertInfo and PKCS12KeyInfo classes have been moved out of PKCS12Util into separate classes. The createLocalKeyID() has been modified to return BigInteger instead of byte array. https://fedorahosted.org/pki/ticket/1742 This depends

Re: [Pki-devel] [PATCH] 685 Refactored PKCS12Util to use PKCS12 object.

2016-02-16 Thread Endi Sukma Dewata
On 2/16/2016 11:40 AM, Endi Sukma Dewata wrote: The PKCS12Util has been modified such that it stores the certs and keys in PKCS12 object instead of PFX object. The PKCS12 object can be loaded either from NSS database or PKCS #12 file. The PKCS12 object can later be stored into NSS database

[Pki-devel] [PATCH] 695 Added TPS token filter dialog.

2016-03-15 Thread Endi Sukma Dewata
The TPS UI Tokens page and the pki tps-token-find CLI have been modified to provide an interface to filter tokens based on their attributes. The TokenService.findTokens() has been modified to accept additional search criteria based on token attributes. https://fedorahosted.org/pki/ticket/1482

Re: [Pki-devel] [PATCH] 698 Added support for cloning 3rd-party CA certificates.

2016-03-19 Thread Endi Sukma Dewata
On 3/18/2016 3:42 PM, Ade Lee wrote: ack Thanks! Pushed to master. -- Endi S. Dewata

[Pki-devel] [PATCH] 697 Additional clean-ups for PKCS #12 utilities.

2016-03-19 Thread Endi Sukma Dewata
The pki_server_external_cert_path has been renamed to pki_server_external_certs_path to match the file name. A default pki_server_external_certs_path has been added to default.cfg. The pki pkcs12-export has been modified to export into existing PKCS #12 file by default. The pki-server

Re: [Pki-devel] [PATCH] 704 Install tools clean-up.

2016-03-30 Thread Endi Sukma Dewata
On 3/30/2016 12:08 PM, Endi Sukma Dewata wrote: Some variables in pkispawn and pkidestroy have been renamed for clarity. The unused PKI_CERT_DB_PASSWORD_SLOT variable has been removed. The constant pki_self_signed_token property has been moved into default.cfg. https://fedorahosted.org/pki

[Pki-devel] [PATCH] 707 Fixed pki pkcs12-import backward compatibility.

2016-04-08 Thread Endi Sukma Dewata
For backward compatibility the pki pkcs12-import has been modified to generate default nicknames and trust flags for CA certificates if they are not specified in the PKCS #12 file. The PKCS12Util was also modified to find the certificate corresponding to a key more accurately using the local ID

Re: [Pki-devel] [PATCH] 696 Renamed PKCS #12 options for consistency.

2016-03-19 Thread Endi Sukma Dewata
On 3/18/2016 1:33 PM, Ade Lee wrote: ACK Thanks! Pushed to master. -- Endi S. Dewata

[Pki-devel] [PATCH] 696 Renamed PKCS #12 options for consistency.

2016-03-19 Thread Endi Sukma Dewata
The pki CLI's --pkcs12 option has been renamed to --pkcs12-file for consistency with pki-server CLI options. https://fedorahosted.org/pki/ticket/1742 -- Endi S. Dewata From 576979d5c364f51e3930a3e7fd7458bfadd1b5b9 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu,

Re: [Pki-devel] [PATCH] 697 Additional clean-ups for PKCS #12 utilities.

2016-03-19 Thread Endi Sukma Dewata
On 3/18/2016 11:30 AM, Endi Sukma Dewata wrote: The pki_server_external_cert_path has been renamed to pki_server_external_certs_path to match the file name. A default pki_server_external_certs_path has been added to default.cfg. The pki pkcs12-export has been modified to export into existing

Re: [Pki-devel] [PATCH] 693 Replaced confirmation dialog with HTML dialog.

2016-03-19 Thread Endi Sukma Dewata
On 2/26/2016 10:15 PM, Endi Sukma Dewata wrote: The TPS UI has been modified such that it will use an HTML-based dialog instead of the browser's built-in dialog such that the option to "prevent this page from creating additional dialogs" will no longer appear. https://fedorahost

Re: [Pki-devel] [PATCH] 0077..0081 assorted code deletions

2016-03-21 Thread Endi Sukma Dewata
On 3/13/2016 7:25 PM, Fraser Tweedale wrote: Hi all, Attached patches implement various drive-by or long-threatened code deletions. 0077 Remove unused imports caused by me in a recent patch 0078 Remove unused vars/fields from ProfileService/ProfileSubsystem 0079 Remove RAEnrollProfile

Re: [Pki-devel] [PATCH] 699 Fixed exception handling in EnrollProfile.

2016-03-24 Thread Endi Sukma Dewata
On 3/23/2016 2:16 PM, Ade Lee wrote: ACK Thanks! Restored & updated some log messages per jmagne's feedback. Pushed to master. -- Endi S. Dewata

[Pki-devel] [PATCH] 703 Fixed certificate chain import problem.

2016-03-28 Thread Endi Sukma Dewata
In the external CA case if the externally-signed CA certificate is included in the certificate chain the CA certificate may get imported with an incorrect nickname. The code has been modified such that the certificate chain is imported after the CA certificate is imported with the proper

[Pki-devel] [PATCH] 706 Fixed missing trust flags in certificate backup.

2016-03-31 Thread Endi Sukma Dewata
The ConfigurationUtils.backupKeys() has been modified to use PKCS12Util to export the certificates and their trust flags into a PKCS #12 file such that the file can be used for cloning. The code to generate PFX object has been refactored from the PKCS12Util.storeIntoFile() into a separate

Re: [Pki-devel] [PATCH] 701 Generating TEMP_LOST to UNINITIALIZED/ACTIVE transitions dynamically.

2016-03-28 Thread Endi Sukma Dewata
On 3/21/2016 9:59 PM, Endi Sukma Dewata wrote: The TPS subsystem has been modified to generate the token state transitions from TEMP_LOST to UNINITIALIZED or ACTIVE dynamically depending on whether the token has certificates. The TEMP_LOST to ACTIVE transition has been removed from the CS.cfg

Re: [Pki-devel] [PATCH] 706 Fixed missing trust flags in certificate backup.

2016-04-04 Thread Endi Sukma Dewata
On 3/31/2016 7:39 PM, Endi Sukma Dewata wrote: The ConfigurationUtils.backupKeys() has been modified to use PKCS12Util to export the certificates and their trust flags into a PKCS #12 file such that the file can be used for cloning. The code to generate PFX object has been refactored from

Re: [Pki-devel] [PATCH] 297, 298 add validity check for external CA

2016-04-22 Thread Endi Sukma Dewata
On 4/22/2016 2:37 PM, Ade Lee wrote: commit 0fe7bf5ff989bbc24875dce30cec8f32e89c0a8f Author: Ade Lee Date: Fri Apr 22 15:31:43 2016 -0400 Add validity check for the signing certificate in pkispawn When either an existing CA or external CA installation is

Re: [Pki-devel] [PATCH] 718 Fixed TPS UI navigation.

2016-04-25 Thread Endi Sukma Dewata
On 4/18/2016 11:38 AM, Endi Sukma Dewata wrote: The TPS UI home page and the status menu item have been temporarily removed. The home links will now redirect to the tokens page. https://fedorahosted.org/pki/ticket/2261 https://fedorahosted.org/pki/ticket/2262 ACKed by jmagne (thanks!). Pushed

Re: [Pki-devel] [PATCH] 285 - 293 Patches for fine grained authz in the KRA

2016-04-20 Thread Endi Sukma Dewata
On 4/19/2016 9:47 PM, Ade Lee wrote: Some comments inline, although most of this was discussed on #irc. I have added two additional patches which are to be applied on top of 258=293. 294: This patch fixes the problems identified in this review. In particular: Review comments addressed:

[Pki-devel] [PATCH] 725 Updated TPS UI version number.

2016-04-26 Thread Endi Sukma Dewata
Pushed under one-liner/trivial rule. -- Endi S. Dewata From 849705a4cde92e61d3edaa5c266f97661d65f797 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 27 Apr 2016 01:45:59 +0200 Subject: [PATCH] Updated TPS UI version number. ---

Re: [Pki-devel] [PATCH] 726 Removed unused variables in deployment scriptlets.

2016-04-28 Thread Endi Sukma Dewata
On 4/27/2016 10:23 PM, Matthew Harmsen wrote: ACK Thanks! Pushed to master. -- Endi S. Dewata

Re: [Pki-devel] [PATCH] 730 Fixed duplicate executions of finalization scriptlet.

2016-04-29 Thread Endi Sukma Dewata
On 4/29/2016 11:12 AM, Endi Sukma Dewata wrote: Previously the finalization scriptlet was always executed in each pkispawn execution. In multi-step installations (e.g. external CA, standalone, or installation/configuration-only mode) some of the code in the scriptlet such as enabling systemd

[Pki-devel] [PATCH] 730 Fixed duplicate executions of finalization scriptlet.

2016-04-29 Thread Endi Sukma Dewata
Previously the finalization scriptlet was always executed in each pkispawn execution. In multi-step installations (e.g. external CA, standalone, or installation/configuration-only mode) some of the code in the scriptlet such as enabling systemd service, restarting the service, and purging client

Re: [Pki-devel] [PATCH] 0100 Fix NSSDB certificate search method

2016-04-27 Thread Endi Sukma Dewata
On 4/26/2016 10:50 PM, Fraser Tweedale wrote: Hi all, Please review the attached patch, which fixes https://fedorahosted.org/pki/ticket/2301. Cheers, Fraser ACK. -- Endi S. Dewata

Re: [Pki-devel] [PATCH] Incorrect clone installation summary

2016-04-28 Thread Endi Sukma Dewata
On 4/27/2016 5:37 PM, Matthew Harmsen wrote: Please review the attached patch which addresses: * PKI TRAC Ticket #856 - Incorrect clone installation summary The patch was tested by installing a 'pki-tomcat' CA master: ACK. -- Endi S. Dewata

[Pki-devel] [PATCH] 729 Fixed problem uninstalling standalone KRA.

2016-04-28 Thread Endi Sukma Dewata
When installing a standalone KRA the admin certificate is base-64 encoded and stored in the kra.admin.cert property in the CS.cfg. Previously the encoded certificate contains EOL characters which may cause uninstall to fail due to parsing error. The install code has been fixed to normalize the

Re: [Pki-devel] [PATCH] 721-724 Fixed activity logs for certificate revocations.

2016-04-25 Thread Endi Sukma Dewata
On 4/21/2016 10:05 PM, Endi Sukma Dewata wrote: Attached are some patches to fix the activity logs for token certificate revocations. The code had to be refactored to reduce the complexity. ACKed by jmagne with minor revision (thanks!). Pushed to master. -- Endi S. Dewata

Re: [Pki-devel] [PATCH] Fix bashisms

2016-04-26 Thread Endi Sukma Dewata
On 4/26/2016 12:16 PM, Matthew Harmsen wrote: Please review the attached patch which addresses: * PKI TRAC Ticket #2249 - fix bashisms This was only tested on Fedora 23 using bash to make certain that it did not cause any issues. ACK. -- Endi

[Pki-devel] [PATCH] 751 Added TPS UI for managing user roles.

2016-05-19 Thread Endi Sukma Dewata
The TPS UI has been modified to provide an interface to manage the user roles. The ErrorDialog was modified to handle both text and JSON error responses. https://fedorahosted.org/pki/ticket/2267 -- Endi S. Dewata From 9298272305693771e22cbb59e37c5da05f679983 Mon Sep 17 00:00:00 2001 From:

[Pki-devel] [PATCH] 752 Added TPS UI for managing user certificates.

2016-05-20 Thread Endi Sukma Dewata
The TPS UI has been modified to provide an interface to manage the user certificates. The UserService has been modified to provide better error messages. https://fedorahosted.org/pki/ticket/1434 -- Endi S. Dewata From 6176ce70a64999d007dd4f6d91606a304a04278a Mon Sep 17 00:00:00 2001 From:

Re: [Pki-devel] [PATCH] 751 Added TPS UI for managing user roles.

2016-05-20 Thread Endi Sukma Dewata
On 5/19/2016 9:38 PM, Endi Sukma Dewata wrote: The TPS UI has been modified to provide an interface to manage the user roles. The ErrorDialog was modified to handle both text and JSON error responses. https://fedorahosted.org/pki/ticket/2267 New patch attached. Fixed column label. -- Endi S

Re: [Pki-devel] [PATCH] 752 Added TPS UI for managing user certificates.

2016-05-23 Thread Endi Sukma Dewata
On 5/20/2016 2:45 PM, Endi Sukma Dewata wrote: The TPS UI has been modified to provide an interface to manage the user certificates. The UserService has been modified to provide better error messages. https://fedorahosted.org/pki/ticket/1434 ACKed by jmagne with minor revision (thanks

[Pki-devel] [PATCH] 754-755 Fixed problem submitting renewal request.

2016-05-24 Thread Endi Sukma Dewata
Attached are patches to fix a problem with submitting renewal request. https://fedorahosted.org/pki/ticket/999 -- Endi S. Dewata From baea3b89ad5c3866ee8e40059b1ca5774984e355 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Tue, 24 May 2016 16:47:31 +0200 Subject:

Re: [Pki-devel] [PATCH] 303-306 Various issues

2016-05-20 Thread Endi Sukma Dewata
On 5/20/2016 2:20 PM, Ade Lee wrote: Please review: Patches listed in reverse order (306 -> 303) Ade Some comments/questions: Patch #303: 1. Instead of using underscores (i.e. ca.publishing.cert_enable and ca.publishing.crl_enable) it would be more consistent to use dots (i.e.

Re: [Pki-devel] [PATCH] 737-739 Added deployment parameters for number ranges.

2016-05-09 Thread Endi Sukma Dewata
On 5/6/2016 9:21 PM, Endi Sukma Dewata wrote: Attached are patches to add deployment parameters for serial, request, and replica number ranges. https://fedorahosted.org/pki/ticket/2278 ACKed by alee (thanks!). Pushed to master. The man page will be updated in ticket #2318. -- Endi S

Re: [Pki-devel] [PATCH] patches for authz realm and fixing output on request rejection

2016-05-09 Thread Endi Sukma Dewata
On 5/9/2016 2:18 PM, Ade Lee wrote: Patch descriptions .. in reverse order. Note that the CA setup for authz is further documented at pki.fedoraproject.org/wiki/Kra_authz_realm , where I have added a section on 'CA Configuration". Thanks, Ade

Re: [Pki-devel] [PATCH] 302 - migration script for registry.cfg for realm

2016-05-09 Thread Endi Sukma Dewata
On 5/9/2016 5:11 PM, Ade Lee wrote: Migration script to add entries for new constraints and defaults for authz realm changes. Please review, Thanks, Ade Couple things: 1. I think we still have to create an empty 10.3.0 folder in the base/common to make sure both system and server upgrades

[Pki-devel] [PATCH] 740-742 Added token status UNFORMATTED.

2016-05-10 Thread Endi Sukma Dewata
A new token status UNFORMATTED has been added for new tokens added via UI/CLI and for TERMINATED tokens that are to be reused. The token status READY has been renamed to FORMATTED for clarity. -- Endi S. Dewata From ed68e77505b58a72c98de3ada7ea69aa003c877a Mon Sep 17 00:00:00 2001 From: "Endi

Re: [Pki-devel] [PATCH] 743 Fixed install-only message in external CA case.

2016-05-12 Thread Endi Sukma Dewata
On 5/11/2016 9:04 PM, Matthew Harmsen wrote: ACK Thanks! Pushed to master. -- Endi S. Dewata

Re: [Pki-devel] [PATCH] 744-745 Fixed missing CSR extensions for external CA case.

2016-05-12 Thread Endi Sukma Dewata
On 5/11/2016 7:20 PM, Endi Sukma Dewata wrote: The deployment tool has been modified to generate CSR with basic constraints and key usage extensions for the externally-signed CA signing certificate. The ConfigurationUtils.handleCertRequest() has been modified to throw an exception on error

Re: [Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

2016-05-13 Thread Endi Sukma Dewata
On 5/13/2016 12:06 AM, Fraser Tweedale wrote: The patch itself is fine. I'm just struggling with where this script should exist. pki-server ca-cert-db-upgrade seems like an awfully generic description for this operation - which basically provides a very specific db migration. For that matter,

[Pki-devel] [PATCH] 747 Fixed pki-server subsystem-cert-validate command.

2016-05-13 Thread Endi Sukma Dewata
The system certificate validation command has been modified to check for both 'internal' and 'Internal Key Storage Token' since both are valid names for the internal token. Additional checks have been added to validate the certificate parameters in CS.cfg. The output of the command has been

[Pki-devel] [PATCH] 743 Fixed install-only message in external CA case.

2016-05-11 Thread Endi Sukma Dewata
Previously, in external CA case if pkispawn was executed with pki_skip_configuration=True, it would stop the execution before the step 1 was fully completed (i.e. generating CSR), but it would incorrectly show a message indicating the CSR has been generated. The code that displays the

Re: [Pki-devel] [PATCH] 728 Removed unused code for existing CA installation.

2016-04-29 Thread Endi Sukma Dewata
On 4/29/2016 1:50 PM, Matthew Harmsen wrote: ACK Thanks! Pushed to master. -- Endi S. Dewata

Re: [Pki-devel] [PATCH] 730 Fixed duplicate executions of finalization scriptlet.

2016-04-29 Thread Endi Sukma Dewata
On 4/29/2016 4:13 PM, Matthew Harmsen wrote: ACK Thanks! Pushed to master. -- Endi S. Dewata

Re: [Pki-devel] [PATCH] 735 Removed default certificate validity delay.

2016-05-03 Thread Endi Sukma Dewata
On 5/2/2016 8:19 PM, Fraser Tweedale wrote: On Mon, May 02, 2016 at 09:30:11AM -0500, Endi Sukma Dewata wrote: Some certificate profiles have been modified to remove the default one minute validity delay, allowing the certificate issued with those profiles to be used immediately. https

Re: [Pki-devel] [PATCH] 734 Removed unsupported token states from TPS CS.cfg.

2016-05-05 Thread Endi Sukma Dewata
On 4/29/2016 5:15 PM, Endi Sukma Dewata wrote: The in-line documentation in CS.cfg for TPS has been updated to remove unsupported token states in the corresponding properties: * tokendb.allowedTransitions * tps.operations.allowedTransitions New patch attached. Added default transition

Re: [Pki-devel] [PATCH] 734 Removed unsupported token states from TPS CS.cfg.

2016-05-05 Thread Endi Sukma Dewata
On 5/5/2016 6:15 PM, Endi Sukma Dewata wrote: On 4/29/2016 5:15 PM, Endi Sukma Dewata wrote: The in-line documentation in CS.cfg for TPS has been updated to remove unsupported token states in the corresponding properties: * tokendb.allowedTransitions * tps.operations.allowedTransitions New

[Pki-devel] [PATCH] 736 Fixed token status search filter.

2016-05-05 Thread Endi Sukma Dewata
The LDAP attribute for token status has been modified to store the same values displayed on the CLI. This way searching tokens with specific status can be done correctly with simple LDAP filter such as (tokenStatus=). https://fedorahosted.org/pki/ticket/2296 -- Endi S. Dewata >From

Re: [Pki-devel] [PATCH] 0102 Lightweight CAs: allow specifying authority via ProfileSubmitServlet

2016-05-06 Thread Endi Sukma Dewata
On 5/6/2016 1:09 AM, Fraser Tweedale wrote: Attached patch does what it says on the tin ;) Cheers, and have a good weekend y'all. Fraser ACK. Same thing, could you chain the original exception to BadRequestDataException? -- Endi S. Dewata ___

Re: [Pki-devel] [PATCH] 0101 Lightweight CAs: accept "host-authority" as valid parent

2016-05-06 Thread Endi Sukma Dewata
On 5/5/2016 1:54 AM, Fraser Tweedale wrote: The attached patch allows "host-authority" to be used as valid reference to the host authority when creating a LWCA. It makes life easier for me on the FreeIPA side :) Cheers, Fraser ACK. Just one thing, could you chain the original exception to

Re: [Pki-devel] [PATCH] 731-733 Renamed TPS token states.

2016-05-02 Thread Endi Sukma Dewata
On 4/29/2016 12:06 PM, Endi Sukma Dewata wrote: To improve clarity and to anticipate future expansion (ticket #2287) some TPS token states have been renamed. ACKed by jmagne (thanks!) with the following changes: * the TokenService was reverted to use switch statement * the AVAILABLE token

[Pki-devel] [PATCH] 737-739 Added deployment parameters for number ranges.

2016-05-06 Thread Endi Sukma Dewata
Attached are patches to add deployment parameters for serial, request, and replica number ranges. https://fedorahosted.org/pki/ticket/2278 -- Endi S. Dewata >From 13b60b88ae13c84129dc0e8b6db9eda7388e880e Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 6 May 2016

Re: [Pki-devel] [PATCH] 736 Fixed token status search filter.

2016-05-06 Thread Endi Sukma Dewata
On 5/5/2016 12:59 PM, Endi Sukma Dewata wrote: The LDAP attribute for token status has been modified to store the same values displayed on the CLI. This way searching tokens with specific status can be done correctly with simple LDAP filter such as (tokenStatus=). https://fedorahosted.org/pki

[Pki-devel] [PATCH] 720 Replaced TPS OP_DO_TOKEN activity.

2016-04-18 Thread Endi Sukma Dewata
For clarity the TPS operations that generate OP_DO_TOKEN activity have been modified to generate OP_MODIFY instead, except for the changeTokenStatus() which will generate OP_STATUS_CHANGE. https://fedorahosted.org/pki/ticket/2268 -- Endi S. Dewata >From b3bf3073b7135352cd85c271c79c23221ddce1e8

[Pki-devel] [PATCH] 713-716 Simplifying existing CA installation.

2016-04-15 Thread Endi Sukma Dewata
Attached are the changes to simplify the existing CA installation: https://fedorahosted.org/pki/ticket/1736 The documentation has been updated: http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate -- Endi S. Dewata >From 23a31ee0df98a6104df1a8b34d88eb4d96d75f1a Mon Sep

[Pki-devel] [PATCH] 727 Fixed build issue with apache-commons-codec 1.8.

2016-04-28 Thread Endi Sukma Dewata
The StringUtils.equals() invocation in AuthzSubsystem has been replaced with regular String.equals() since it's unavailable in apache-commons-codec 1.8. Pushed to master under one-liner/trivial rule. -- Endi S. Dewata >From fbea6ffbb974ee5883795e3d9e72c211a08083a0 Mon Sep 17 00:00:00 2001 From:

[Pki-devel] [PATCH] 728 Removed unused code for existing CA installation.

2016-04-28 Thread Endi Sukma Dewata
The print_existing_ca_step_one_information() has been removed from pkispawn since existing CA installation no longer requires two-step operation. https://fedorahosted.org/pki/ticket/1736 -- Endi S. Dewata >From 33cd9a1a9749748a841c087518b898b55e0b23ae Mon Sep 17 00:00:00 2001 From: "Endi S.

[Pki-devel] [PATCH] 756 Updated system certificate selftests.

2016-05-24 Thread Endi Sukma Dewata
The CertUtils.verifySystemCertByNickname() has been modified to call CryptoManager.verifyCertificate() to validate the system certificates which will provide better information (i.e. NSS error message and stack trace) to troubleshoot validation issues. https://fedorahosted.org/pki/ticket/850 --

Re: [Pki-devel] [PATCH] 796 Added CMake target dependencies.

2016-07-26 Thread Endi Sukma Dewata
On 7/22/2016 2:16 PM, Endi Sukma Dewata wrote: To help troubleshooting build issues, some CMake dependencies have been added to some targets even though the actual codes do not require those dependencies. This will ensure the targets are built sequentially so build failures can be found more

Re: [Pki-devel] [PATCH] 800-801 Removed hard-coded paths in deployment tool.

2016-07-26 Thread Endi Sukma Dewata
On 7/24/2016 1:40 PM, Endi Sukma Dewata wrote: The deployment tool has been modified to link /common to /usr/share/pki/server/common instead of creating separate links for each dependency. This allows the RPM spec to customize the links for different platforms. https://fedorahosted.org/pki
