Re: [Pki-devel] [PATCH] 0120..0121 Remove pki-ipa-retrieve-key script

2016-06-03 Thread Fraser Tweedale
On Thu, Jun 02, 2016 at 11:45:43PM -0500, Endi Sukma Dewata wrote: > On 5/31/2016 11:45 PM, Fraser Tweedale wrote: > > G'day comrades, > > > > Please review the attached two patches, which... > > > > (Patch 0120) > > > > - provide for passing o

Re: [Pki-devel] [PATCH] 0112 Return 410 Gone if target CA of request has been deleted

2016-06-02 Thread Fraser Tweedale
On Thu, Jun 02, 2016 at 08:02:35PM -0500, Endi Sukma Dewata wrote: > On 5/17/2016 12:20 AM, Fraser Tweedale wrote: > > Hi all, > > attached patch fixes https://fedorahosted.org/pki/ticket/2332 > > > > Cheers, > > Fraser > > Assuming an identical CA cannot

Re: [Pki-devel] [PATCH] 0123 Do not attempt cert update unless signing key is present

2016-06-14 Thread Fraser Tweedale
On Tue, Jun 14, 2016 at 07:40:12PM -0500, Endi Sukma Dewata wrote: > On 6/13/2016 9:38 PM, Fraser Tweedale wrote: > > Hi all, > > > > The attached patch fixes https://fedorahosted.org/pki/ticket/2359. > > Please review for inclusion in 10.3.3. > > > >

[Pki-devel] [PATCH] 0122 Modify ExternalProcessKeyRetriever to read JSON

2016-06-04 Thread Fraser Tweedale
dependency, but should I also add it to the spec file as an explicit dependency? Cheers, Fraser From 7183cece34b766b5e1db6837291151b4d58aa9c9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Sat, 4 Jun 2016 20:49:38 +1000 Subject: [PATCH] Modify ExternalProcessKeyRetriever to rea

Re: [Pki-devel] [PATCH] 0116 Fix LDAP schema violation when instance name contains '_'

2016-05-31 Thread Fraser Tweedale
On Tue, May 31, 2016 at 11:07:51AM -0500, Endi Sukma Dewata wrote: > On 5/29/2016 10:25 PM, Fraser Tweedale wrote: > > The attached patch fixes https://fedorahosted.org/pki/ticket/2343 > > > > Cheers, > > Fraser > > ACK. > Thanks Endi! Pushed to master (a401

[Pki-devel] [PATCH] 0116 Fix LDAP schema violation when instance name contains '_'

2016-05-29 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2343 Cheers, Fraser From a40139d5f21139d31b62d3c35002b454131245f1 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Mon, 30 May 2016 12:17:12 +1000 Subject: [PATCH] Fix LDAP schema violation when instanc

[Pki-devel] [PATCH] 0124 Add profiles container to LDAP if missing

2016-06-22 Thread Fraser Tweedale
17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 22 Jun 2016 13:34:01 +1000 Subject: [PATCH] Add profiles container to LDAP if missing CMS startup was changed a while back to wait for LDAPProfileSubsystem initialisation, while LDAPProfileSubsystem initialisation waits f

Re: [Pki-devel] [Freeipa-devel] [DESIGN] Lightweight CA renewal

2016-06-20 Thread Fraser Tweedale
On Tue, Jun 21, 2016 at 07:29:22AM +0200, Jan Cholasta wrote: > On 18.6.2016 02:38, Fraser Tweedale wrote: > > On Fri, Jun 17, 2016 at 03:21:07PM +0200, Jan Cholasta wrote: > > > On 17.6.2016 09:34, Fraser Tweedale wrote: > > > > On Mon, May 09, 2016 at 09:35:

Re: [Pki-devel] [PATCH] 768 Added pki pkcs12-cert-mod command.

2016-06-15 Thread Fraser Tweedale
On Mon, Jun 13, 2016 at 07:24:01PM -0500, Endi Sukma Dewata wrote: > A new CLI has been added to update the certificate trust flags in > PKCS #12 file which will be useful to import OpenSSL certificates. > Tested; does what it says on the tin. ACK. Cheers, Fraser

Re: [Pki-devel] [PATCH] 772 Updated instructions to customize TPS token lifecycle.

2016-06-15 Thread Fraser Tweedale
On Wed, Jun 15, 2016 at 11:36:28AM -0500, Endi Sukma Dewata wrote: > The TPS's CS.cfg and token-states.properties have been updated > to include instructions to customize token state transitions and > labels. > > https://fedorahosted.org/pki/ticket/2300 > ACK

Re: [Pki-devel] [PATCH] 767 Fixed VLV usage in TPS token and activity services.

2016-06-15 Thread Fraser Tweedale
On Fri, Jun 10, 2016 at 10:29:51AM -0500, Endi Sukma Dewata wrote: > The TPS token and activity services have been modified to use VLV > only when the search filter matches the VLV, which is the default > filter when there is no search keyword/attributes specified by > the client. In other cases

Re: [Pki-devel] [PATCH] 0055 Allow encoded slashes in HTTP paths

2016-01-18 Thread Fraser Tweedale
Updated patch attached; comments inline. On Mon, Jan 11, 2016 at 01:11:24PM -0600, Endi Sukma Dewata wrote: > On 11/4/2015 11:22 PM, Fraser Tweedale wrote: > >The attached patch fixes GET-based OCSP requests, > >https://fedorahosted.org/pki/ticket/1658 > > > >Cheers,

[Pki-devel] [PATCH] 0126 Respond 400 if lightweight CA cert issuance fails

2016-06-27 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2388. Wanted for 10.3.4. Thanks, Fraser From 3ad777d8009f025f1aac1159910dd0a4d327bd13 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Sat, 25 Jun 2016 00:14:11 +0200 Subject: [PATCH] Respond 400 if lightweight

Re: [Pki-devel] [Freeipa-devel] [DESIGN] Lightweight CA renewal

2016-06-17 Thread Fraser Tweedale
On Mon, May 09, 2016 at 09:35:06AM +0200, Jan Cholasta wrote: > Hi, > > On 6.5.2016 08:01, Fraser Tweedale wrote: > > Hullo all, > > > > FreeIPA Lightweight CAs implementation is progressing well. The > > remaining big unknown in the design is how to do

Re: [Pki-devel] [PATCH] 0065 Profile service: respond 409 on conflicting operations

2016-02-14 Thread Fraser Tweedale
On Thu, Feb 11, 2016 at 08:58:41PM -0600, Endi Sukma Dewata wrote: > On 1/6/2016 11:22 PM, Fraser Tweedale wrote: > >Please review attached patch which fixes: > >https://bugzilla.redhat.com/show_bug.cgi?id=1257518 > > > >Cheers, > >Fraser >

Re: [Pki-devel] [PATCH] 684 Refactored PKCS12CertInfo and PKCS12KeyInfo classes.

2016-02-18 Thread Fraser Tweedale
On Wed, Feb 17, 2016 at 01:02:26AM -0600, Endi Sukma Dewata wrote: > On 2/16/2016 11:36 AM, Endi Sukma Dewata wrote: > >The PKCS12CertInfo and PKCS12KeyInfo classes have been moved out > >of PKCS12Util into separate classes. > > > >The createLocalKeyID() has been modified to return BigInteger >

Re: [Pki-devel] [PATCHES] Updated tomcatjss and pki-core to work with Tomcat 7.0.68 on F22

2016-03-18 Thread Fraser Tweedale
On Wed, Mar 16, 2016 at 06:51:11PM -0600, Matthew Harmsen wrote: > Everyone, > > Bodhi contains a proposed Fedora 22 update to Tomcat 7.0.68: > > * tomcat-7.0.68-3.fc22 > > > This required changes to both tomcatjss (attached)

[Pki-devel] [PATCH] 0083 Add CRL dist points extension to OIDMap unconditionally

2016-03-18 Thread Fraser Tweedale
Hello all, The attached patch fixes https://fedorahosted.org/pki/ticket/2237. Cheers, Fraser From 54d1a922789c500d5e2ae828105861227093 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Fri, 18 Mar 2016 10:53:18 +1100 Subject: [PATCH] Add CRL dist points ext

Re: [Pki-devel] [PATCH] 0076 Avoid XML parse fail with double-hyphen in hostname

2016-03-15 Thread Fraser Tweedale
On Tue, Mar 15, 2016 at 12:24:58PM -0500, Endi Sukma Dewata wrote: > On 3/2/2016 10:04 PM, Fraser Tweedale wrote: > >On Thu, Mar 03, 2016 at 11:40:15AM +1000, Fraser Tweedale wrote: > >>Attached patch fixes #1260: Installation fails due to double hyphen > >>"

[Pki-devel] [PATCH] 0082 Allow multiple ACLs of same name (union of rules)

2016-03-15 Thread Fraser Tweedale
The attached patch makes a change to how ACLs are loaded from database, to allow a single ACL to be specified across several values. Thanks, Fraser From 1fd4824d8b46d995286e5bad689e903e5e954831 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Tue, 15 Mar 2016 18

[Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-03-19 Thread Fraser Tweedale
fae1f14095cba4a9a14486230f9b0d353dcf7513 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 9 Mar 2016 02:18:41 -0500 Subject: [PATCH 84/86] Lightweight CAs: monitor database for changes Implement a thread that performs an LDAP persistent search to keep a running CA's view of lightweight CAs i

Re: [Pki-devel] [PATCH] 0077..0081 assorted code deletions

2016-03-21 Thread Fraser Tweedale
On Mon, Mar 21, 2016 at 10:16:43PM -0500, Endi Sukma Dewata wrote: > On 3/13/2016 7:25 PM, Fraser Tweedale wrote: > >Hi all, > > > >Attached patches implement various drive-by or long-threatened code > >deletions. > > > >0077 > > Remove unused

Re: [Pki-devel] [PATCH] 0082 Allow multiple ACLs of same name (union of rules)

2016-03-21 Thread Fraser Tweedale
On Mon, Mar 21, 2016 at 10:39:08PM -0500, Endi Sukma Dewata wrote: > On 3/15/2016 8:14 PM, Fraser Tweedale wrote: > >The attached patch makes a change to how ACLs are loaded from > >database, to allow a single ACL to be specified across several > >values. > > >

Re: [Pki-devel] [PATCH] 0082 Allow multiple ACLs of same name (union of rules)

2016-03-23 Thread Fraser Tweedale
On Wed, Mar 23, 2016 at 12:55:24AM -0500, Endi Sukma Dewata wrote: > On 3/22/2016 12:52 AM, Fraser Tweedale wrote: > >>On 3/15/2016 8:14 PM, Fraser Tweedale wrote: > >>>The attached patch makes a change to how ACLs are loaded from > >>>database, to allow a singl

[Pki-devel] Lightweight CAs key replication design

2016-03-29 Thread Fraser Tweedale
Hi team, Lightweight CA key replication is taking shape. I have updated the design page with juicy details: http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs#Key_replication Could interested parties and Simo please eyeball it. Simo, I particularly want your feedback on feasibility /

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-14 Thread Fraser Tweedale
On Thu, Apr 14, 2016 at 09:04:31AM +1000, Fraser Tweedale wrote: > On Wed, Apr 13, 2016 at 05:26:44PM -0400, Ade Lee wrote: > > Still reviewing .. > > > > See comment on 87. ACK on 88,89,90,91,92,93, 94, 95. > > > > Ade > > > > On Mon, 201

[Pki-devel] [PATCH] 0100 Fix NSSDB certificate search method

2016-04-26 Thread Fraser Tweedale
Hi all, Please review the attached patch, which fixes https://fedorahosted.org/pki/ticket/2301. Cheers, Fraser From f912026913a93e40d1e06ba93f873b621feffbc6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 27 Apr 2016 13:35:41 +1000 Subject: [PATCH] Fix

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-23 Thread Fraser Tweedale
thm().equals("EC") > + ? PrivateKey.Type.EC > +: PrivateKey.Type.RSA; > +return wrapper.unwrapPrivate(encPrivKey.getBits(), keyType, pubkey); > +} > > > - Original Message - > > From: "Fraser Tweedale" <f
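Review bot: the ternary that sets keyType maps every algorithm name other than "EC" to PrivateKey.Type.RSA, so an unexpected algorithm is handed to wrapper.unwrapPrivate() as RSA rather than being rejected. Consider matching "RSA" explicitly and throwing on any other value, so that an unsupported key type fails with a clear error before the unwrap is attempted.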

Re: [Pki-devel] [PATCH] 0101 Lightweight CAs: accept "host-authority" as valid parent

2016-05-08 Thread Fraser Tweedale
On Fri, May 06, 2016 at 09:31:07PM -0500, Endi Sukma Dewata wrote: > On 5/5/2016 1:54 AM, Fraser Tweedale wrote: > >The attached patch allows "host-authority" to be used as valid > >reference to the host authority when creating a LWCA. It makes life > >eas

[Pki-devel] [PATCH] 0104 Lightweight CAs: fix bad import in key retriever script

2016-05-08 Thread Fraser Tweedale
Attached patch fixes a typo in the LWCA key retrieval Python helper script. Pushed to master (e75be5dcbce6aecf08ea7ff0b027222d0b6bbd4f) under one-liner rule. Cheers, Fraser From e75be5dcbce6aecf08ea7ff0b027222d0b6bbd4f Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com>

[Pki-devel] [PATCH] 0103 Reject cert request if resultant subject DN is invalid

2016-05-08 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2317. It will result in better error messages and help users to diagnose bad profile configurations (especially with IPA). Thanks, Fraser From ff7ff61c6cc97f695f3db2058bf3639014278299 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale

[Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

2016-05-09 Thread Fraser Tweedale
scriptlet to perform the upgrade for Dogtag CA subsystem on the host? Is there a precedent for invoking pki-server (or subroutines thereof) from pki-server-upgrade scriptlets? Cheers, Fraser From 9d994fe2c4e31c3d4212673f1dd3a0c8e84c40a3 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.

Re: [Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

2016-05-09 Thread Fraser Tweedale
On Mon, May 09, 2016 at 04:06:46PM -0400, Ade Lee wrote: > Isn't all this predicated on a schema change that adds the issuer as an > optional field for the certRecord? > The schema already exists but was unused. > Ade > > On Mon, 2016-05-09 at 17:15 +1000, Fraser Tweedale

Re: [Pki-devel] [PATCH] 0106..0107 Add issuer DN to cert search params/result

2016-05-10 Thread Fraser Tweedale
On Tue, May 10, 2016 at 01:29:17PM -0400, Ade Lee wrote: > ACK. > Thanks Ade; pushed to master: 502db07ee8ef3e9f6b4bc2b030b29e8db639bc69 Include issuer DN in CertDataInfo 70d751e837cbf375ebd068169e591cd4a971f472 Support certificate search by issuer DN. > Is the new search parameter added to

[Pki-devel] [PATCH] 0112 Return 410 Gone if target CA of request has been deleted

2016-05-17 Thread Fraser Tweedale
Hi all, attached patch fixes https://fedorahosted.org/pki/ticket/2332 Cheers, Fraser From baf904216848a5d775948853764d2657ea6405e9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Tue, 17 May 2016 14:47:11 +1000 Subject: [PATCH] Return 410 Gone if target CA of r

Re: [Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

2016-05-12 Thread Fraser Tweedale
erably, in LDAP itself). Updates themselves should be idempotent. > Opening up for others to chime in .. > > Ade > > On Tue, 2016-05-10 at 08:32 +1000, Fraser Tweedale wrote: > > On Mon, May 09, 2016 at 04:06:46PM -0400, Ade Lee wrote: > > > Isn't all this predica

[Pki-devel] [PATCH] 0111 Lightweight CAs: remove NSSDB material when processing deletion

2016-05-15 Thread Fraser Tweedale
The attached patch makes clones delete lightweight CA keys/certs from local NSSDB when processing LWCA deletion. Ticket: https://fedorahosted.org/pki/ticket/2328 Thanks, Fraser From 96079be3caea27ab1ecd5e6486a31c5c3629 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com>

[Pki-devel] [PATCH] 0108 Lightweight CAs: add issuer DN and serial to AuthorityData

2016-05-12 Thread Fraser Tweedale
913fced6709f30da2ac05e5367fcfc05e1698a75 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Fri, 13 May 2016 14:22:08 +1000 Subject: [PATCH] Lightweight CAs: add issuer DN and serial to AuthorityData Add issuer DN and serial number to the AuthorityData object, as read-only attr

Re: [Pki-devel] [PATCH] 0103 Reject cert request if resultant subject DN is invalid

2016-05-12 Thread Fraser Tweedale
On Mon, May 09, 2016 at 01:19:50PM +1000, Fraser Tweedale wrote: > The attached patch fixes https://fedorahosted.org/pki/ticket/2317. > It will result in better error messages and help users to diagnose > bad profile configurations (especially with IPA). > > Thanks, > Fras

Re: [Pki-devel] [PATCH] 0100 Fix NSSDB certificate search method

2016-05-02 Thread Fraser Tweedale
On Wed, Apr 27, 2016 at 12:35:28PM -0500, Endi Sukma Dewata wrote: > On 4/26/2016 10:50 PM, Fraser Tweedale wrote: > >Hi all, > > > >Please review the attached patch, which fixes > >https://fedorahosted.org/pki/ticket/2301. > > > >Cheers, > >Fras

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-05-02 Thread Fraser Tweedale
On Fri, Apr 22, 2016 at 07:50:06PM -0400, John Magne wrote: > I took a look at the stuff alee asked for. > > CFU even took a quick look when I asked her a couple of questions. > She was unsure of something (as was I) and she would like to be able > to take a closer look next week. I will give my

Re: [Pki-devel] [PATCH] 735 Removed default certificate validity delay.

2016-05-03 Thread Fraser Tweedale
On Tue, May 03, 2016 at 02:52:50PM -0500, Endi Sukma Dewata wrote: > On 5/2/2016 8:19 PM, Fraser Tweedale wrote: > >On Mon, May 02, 2016 at 09:30:11AM -0500, Endi Sukma Dewata wrote: > >>Some certificate profiles have been modified to remove the default > >>one minu

[Pki-devel] [PATCH] 0101 Lightweight CAs: accept "host-authority" as valid parent

2016-05-05 Thread Fraser Tweedale
The attached patch allows "host-authority" to be used as valid reference to the host authority when creating a LWCA. It makes life easier for me on the FreeIPA side :) Cheers, Fraser From f1860c2315f13d458a33521f78327b8c3a84a246 Mon Sep 17 00:00:00 2001 From: Fraser Tweed

[Pki-devel] [DESIGN] Lightweight CA renewal

2016-05-06 Thread Fraser Tweedale
Hullo all, FreeIPA Lightweight CAs implementation is progressing well. The remaining big unknown in the design is how to do renewal. I have put my ideas into the design page[1] and would appreciate any and all feedback! [1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal Some brief commentary

[Pki-devel] [PATCH] 0102 Lightweight CAs: allow specifying authority via ProfileSubmitServlet

2016-05-06 Thread Fraser Tweedale
Attached patch does what it says on the tin ;) Cheers, and have a good weekend y'all. Fraser From cabae0a050fb752b290ece28d5dac927f01b3c01 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Fri, 6 May 2016 16:03:57 +1000 Subject: [PATCH] Lightweight CAs: allow spec

Re: [Pki-devel] [PATCH] 735 Removed default certificate validity delay.

2016-05-02 Thread Fraser Tweedale
On Mon, May 02, 2016 at 09:30:11AM -0500, Endi Sukma Dewata wrote: > Some certificate profiles have been modified to remove the default > one minute validity delay, allowing the certificate issued with > those profiles to be used immediately. > > https://fedorahosted.org/pki/ticket/2304 > LGTM.

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-14 Thread Fraser Tweedale
On Thu, Apr 14, 2016 at 05:34:45PM -0400, Ade Lee wrote: > Couple of points on 96/97. > > 1. First off, I'm not sure you followed my concern about being able to > distinguish between CA instances. > > On an IPA system, this is not an issue because there is only one CA on > the server. In this

[Pki-devel] Trac; add "Lightweight CAs" feature?

2016-04-20 Thread Fraser Tweedale
Hi all, Could someone with the relevant permissions please add a "Lightweight CAs" feature to the pki trac? There's a substantial quantity of outstanding tickets for this feature so it would be good to have something more formal than the summary by which to group them. Thanks, Fraser

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-20 Thread Fraser Tweedale
necessary: - Dogtag is restarted - LDAP disconnect-reconnect - LDAP modification of authority replicated from another clone > 97- ACK > > 98 - ACK > Thanks. Any feedback on patch 0099? From a256168d91c799d37e1e4f6e7af8dfb97b4340be Mon Sep 17 00:00:00 2001 From: Fraser Twe

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-19 Thread Fraser Tweedale
odia/retriever process - and then initialize the signing unit from > the NSS DB. Or am I completely confused? > > Ade > > > > On Thu, 2016-04-14 at 16:35 -0400, Ade Lee wrote: > > Still reviewing .. ACK on 87-95 (inclusive). > > > > On Thu, 2016-04-14 at

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-13 Thread Fraser Tweedale
On Wed, Apr 13, 2016 at 05:26:44PM -0400, Ade Lee wrote: > Still reviewing .. > > See comment on 87. ACK on 88,89,90,91,92,93, 94, 95. > > Ade > > On Mon, 2016-04-11 at 12:32 +1000, Fraser Tweedale wrote: > > Thanks for review, Ade. Comments to specific f

[Pki-devel] [PATCH] 0128 Fix CA OCSP responder when LWCA's are not in use

2016-07-26 Thread Fraser Tweedale
Hi team, The attached patch fixes https://fedorahosted.org/pki/ticket/2420. Thanks, Fraser From 86030eb0c231734a3020b201a9be60e84d023e75 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Tue, 26 Jul 2016 14:07:10 +1000 Subject: [PATCH] Fix CA OCSP responder when

Re: [Pki-devel] [PATCH] Added fix for pki-server for db-update

2016-07-14 Thread Fraser Tweedale
On Thu, Jul 14, 2016 at 03:51:18PM +0530, Geetika Kapoor wrote: > > > On 07/14/2016 03:02 PM, Geetika Kapoor wrote: > > > > On 07/14/2016 01:53 PM, Fraser Tweedale wrote: > >> On Thu, Jul 14, 2016 at 06:01:51PM +1000, Fraser Tweedale wrote: > >>> On Thu,

Re: [Pki-devel] [PATCH] Added fix for pki-server for db-update

2016-07-13 Thread Fraser Tweedale
On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote: > Hi, > > Please review this patch. Below is a small summary about this fix and > what we are trying to achieve. > > CLI : pki-server db-upgrade > > what it should be doing is if it sees that issuerName doesn't exist, NULL > it will

Re: [Pki-devel] JSS/NSS

2016-08-07 Thread Fraser Tweedale
On Fri, Aug 05, 2016 at 10:10:22AM -0700, George Wash wrote: > Are there any plans on the dogtag roadmap to ever migrate away from using > JSS/NSS? > Hi George, I don't think there are any such plans. Why do you ask? Cheers, Fraser

Re: [Pki-devel] [PATCH] 0124 Add profiles container to LDAP if missing

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 10:10:32AM -0500, Endi Sukma Dewata wrote: > On 6/22/2016 4:53 AM, Fraser Tweedale wrote: > > The attached patch fixes https://fedorahosted.org/pki/ticket/2285. > > See commit message and bz1323400[1] for full history and details. > > > > [1]

Re: [Pki-devel] [PATCH] 0126 Respond 400 if lightweight CA cert issuance fails

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 10:49:12AM -0500, Endi Sukma Dewata wrote: > On 6/27/2016 9:52 PM, Fraser Tweedale wrote: > > The attached patch fixes https://fedorahosted.org/pki/ticket/2388. > > Wanted for 10.3.4. > > > > Thanks, > > Fraser > > Two things:

Re: [Pki-devel] [PATCH] 780 Fixed pki-server subsystem-cert-update.

2016-06-30 Thread Fraser Tweedale
On Wed, Jun 29, 2016 at 11:19:46AM -0500, Endi Sukma Dewata wrote: > The pki-server subsystem-cert-update is supposed to restore the > system certificate data and requests into CS.cfg. The command was > broken since the CASubsystem class that contains the code to find > the certificate requests

Re: [Pki-devel] [PATCH] 781 Added instance and subsystem validation for pki-server ca-* commands.

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 08:38:57PM -0500, Endi Sukma Dewata wrote: > The pki-server ca-* commands have been modified to validate > the instance and the CA subsystem before proceeding with the > operation. > > The usage() methods and invocations have been renamed into > print_help() for

[Pki-devel] [PATCH] 0151..0155 Add profile component that copies CN to SAN

2017-01-31 Thread Fraser Tweedale
Thanks, Fraser From 3f913b1857712dd0a962d42f56f29d7faebf244e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 1 Feb 2017 16:15:39 +1000 Subject: [PATCH 151/155] DNSName: add method to get value To implement a profile default that copies CN to SAN dNSName, w

[Pki-devel] [PATCH] 0156 Remove unused dependency from tomcat classes build

2017-02-06 Thread Fraser Tweedale
Pushed under one-liner/trivial rule. Thanks, Fraser From 463be6afd824f39c9e02881d7b9b168cd92093a1 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Tue, 7 Feb 2017 10:31:32 +1000 Subject: [PATCH 156/158] Remove unused dependency from tomcat classes build --- base/

[Pki-devel] [PATCH] 0157..0158 authToken-related refactors

2017-02-06 Thread Fraser Tweedale
Please review attached patches; a couple of small refactors to ease upcoming GSS-API work. Thanks, Fraser From 71a94aba941b395a07a849eacb125b9657f70f59 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Tue, 7 Feb 2017 11:38:03 +1000 Subject: [PATCH 157/158]

[Pki-devel] [PATCH] 0159..0161 Fix config param removal in profile modification

2017-02-07 Thread Fraser Tweedale
Please review the attached patches which fix https://fedorahosted.org/pki/ticket/2588, a bug in profile modification where config params can only be added or changed, but not removed. Thanks, Fraser From 0a86f63cfe2d5391befe401541e9dcc0dae6ce29 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale

Re: [Pki-devel] [PATCH] 0151..0155 Add profile component that copies CN to SAN

2017-02-08 Thread Fraser Tweedale
On Wed, Feb 01, 2017 at 05:25:58PM +1000, Fraser Tweedale wrote: > Hi all, > > The attached patches implement the long-desired feature to copy CN > to SubjectAltName (https://fedorahosted.org/pki/ticket/1710). > > I've also pushed the branch to my GitHub repo; feel free to re

Re: [Pki-devel] [PATCH] 0151..0155 Add profile component that copies CN to SAN

2017-02-02 Thread Fraser Tweedale
a KBase article about using the new component. Let me know what you think. Cheers, Fraser On Thu, Feb 02, 2017 at 12:46:30PM -0700, Matthew Harmsen wrote: > On 02/01/2017 12:25 AM, Fraser Tweedale wrote: > > Hi all, > > > > The attached patches implement the long-desir

[Pki-devel] [PATCH] 0149 Use BigInteger for entryUSN

2017-01-22 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2579. Thanks, Fraser From 4201b2c02546e4d404816a4932ba2d0d688f2c55 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Mon, 23 Jan 2017 17:11:26 +1000 Subject: [PATCH] Use BigInteger for entryUSN Currently

[Pki-devel] [PATCH] 0163..0165 Include revocation reason in REST cert data

2017-02-21 Thread Fraser Tweedale
The following patches add the revocation reason to the REST cert data (i.e. GET /ca/rest/certs/{id}). Patches 0163 and 0164 were pushed under trivial rule. Please review 0165. Thanks, Fraser From f50507eac86edba2fba01ff25d6937f7d991770e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ft

[Pki-devel] [PATCH] 0162 Fix NPE in server shutdown when startup failed

2017-02-19 Thread Fraser Tweedale
The attached patch fixes an NPE that can occur if startup fails (e.g. due to database unavailable). Pushed under trivial rule. Thanks, Fraser From aa9bca02d0469e16a93812564bf44369c30002da Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Mon, 20 Feb 2017 11:08:50

Re: [Pki-devel] [PATCH] 0150 Allow DirAclAuthz to be configured to read alternative entry

2017-02-09 Thread Fraser Tweedale
On Tue, Jan 24, 2017 at 02:45:48PM +1000, Fraser Tweedale wrote: > The attached patch (part of the GSS-API effort) allows DirAclAuthz > configuration to specify to read the ACLs from a different entry (it > is currently hard-coded). > > Thanks, > Fraser > ACKed by a

[Pki-devel] [PATCH] 0166 CMS.getLogMessage: escape format elements in arguments

2017-03-01 Thread Fraser Tweedale
:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Thu, 2 Mar 2017 16:32:21 +1000 Subject: [PATCH] CMS.getLogMessage: escape format elements in arguments CMS.getLogMessage performs message formatting via MessageFormat, then the message gets logged via a Logger. The Logger also pe

[Pki-devel] [PATCH] 0134 Block reads during reload of LDAP-based profiles

2016-09-14 Thread Fraser Tweedale
Hi team, The attached patch fixes (yet another) race condition in LDAPProfileSubsystem. https://fedorahosted.org/pki/ticket/2453 Additional context: https://fedorahosted.org/freeipa/ticket/6274 Thanks, Fraser From 24a5ad6f84387055468e0125df90fea6635da484 Mon Sep 17 00:00:00 2001 From: Fraser

Re: [Pki-devel] [PATCH] 0134 Block reads during reload of LDAP-based profiles

2016-09-14 Thread Fraser Tweedale
On Wed, Sep 14, 2016 at 07:16:32PM -0500, Endi Sukma Dewata wrote: > On 9/14/2016 7:14 AM, Fraser Tweedale wrote: > > Hi team, > > > > The attached patch fixes (yet another) race condition in > > LDAPProfileSubsystem. > > > > https://fedorahosted.org/pki/

[Pki-devel] [PATCH] 0135 Do not attempt LWCA key retrieval for host authority

2016-09-21 Thread Fraser Tweedale
From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 21 Sep 2016 20:18:37 +1000 Subject: [PATCH] Do not attempt LWCA key retrieval for host authority During two-step installation of externally-signed CA, installation can fail because host authority's private key cannot be located (a tem

[Pki-devel] [PATCH] 0130 Prevent deletion of host CA cert and key from NSSDB

2016-08-23 Thread Fraser Tweedale
Hi, Attached patch fixes https://fedorahosted.org/pki/ticket/2443. Thanks, Fraser From e0a546113b65d57e4b00b495f4ef50616ad744c1 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 24 Aug 2016 14:40:46 +1000 Subject: [PATCH] Prevent deletion of host CA cert a

[Pki-devel] [PATCH] 0139 Merge duplicate authz plugin code into superclass

2016-11-29 Thread Fraser Tweedale
afc5fc3da5f1ea61305fb237e002bbe8b3d26e8c Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Fri, 25 Nov 2016 14:29:40 +1000 Subject: [PATCH 139/141] Merge duplicate authz plugin code into superclass DirAclAuthz and BasicAclAuthz both extend AAclAuthz, but there is still a lot of duplicat

[Pki-devel] [PATCH] 0137 Remove unused member

2016-11-29 Thread Fraser Tweedale
Just a drive-by removal of an unused class member. Pushed under one-liner rule. Thanks, Fraser From e613f485e9ed08b9b5e6b2ad568a0953b742b0e5 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Mon, 28 Nov 2016 14:52:11 +1000 Subject: [PATCH] Remove unused member ---

[Pki-devel] [PATCH] 0138 Move AuthToken key constants to IAuthToken

2016-11-29 Thread Fraser Tweedale
From: Fraser Tweedale <ftwee...@redhat.com> Date: Tue, 29 Nov 2016 16:10:58 +1000 Subject: [PATCH 138/141] Move AuthToken key constants to IAuthToken Part of: https://fedorahosted.org/pki/ticket/1359 --- .../netscape/certsrv/authentication/AuthToken.java | 34 -- .../c

[Pki-devel] [PATCH] 0141 Add getAuthzManagerNameByRealm to IAuthzSubsystem

2016-11-29 Thread Fraser Tweedale
This patch renames (a better name) and moves to the IAuthzSubsystem interface a method in AuthzSubsystem that may be useful for doing authorisation checks for external principals. Thanks, Fraser From 6a1ddf4cf79e40ff0a0702e063afa6e6237f0fb6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ft

Re: [Pki-devel] [PATCH] 0144..0146 Move IRequest extdata-related constants

2016-12-11 Thread Fraser Tweedale
; IRequest extdata key prefix in one place Thanks, Fraser On Wed, Dec 07, 2016 at 02:39:22PM +1000, Fraser Tweedale wrote: > The attached patches relocate / redefine some constants that are > used as keys when setting or getting IRequest extdata attributes. > > In some cases this remo

[Pki-devel] [PATCH] 0148 Remove principal type assumption from AuthorityService

2016-12-11 Thread Fraser Tweedale
Reviewed by alee: https://github.com/frasertweedale/pki/commit/967727ea3104accbf1bd1e05fc676bfef0d9ba6d Pushed to master (1d706a075f32d7c30a6259be675b8f34ef2a9c99). Thanks, Fraser From 1d706a075f32d7c30a6259be675b8f34ef2a9c99 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.

[Pki-devel] [PATCH] 0143 Remove unused string constant

2016-12-06 Thread Fraser Tweedale
What it says on the tin. Pushed under one-liner rule. Thanks, Fraser From 01956aedf62f20713ca191c254a20f0b50d8e7af Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 7 Dec 2016 14:23:18 +1000 Subject: [PATCH 143/143] Remove unused string constant Part of:

[Pki-devel] [PATCH] 0144..0146 Move IRequest extdata-related constants

2016-12-06 Thread Fraser Tweedale
in IRequest, which is the appropriate place. This is refactoring work undertaken as part of GSSAPI support. Thanks, Fraser From 31d9026f2be5204dd4742ce00542bc80b614d9b9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 7 Dec 2016 12:25:01 +1000 Subject: [PAT

Re: [Pki-devel] [PATCH] 0138 Move AuthToken key constants to IAuthToken

2016-12-11 Thread Fraser Tweedale
Acked by alee: https://github.com/frasertweedale/pki/commit/b775ca19b2c1a3d554aca3134308a71fecd7bdd0 Pushed to master (1407b5f3af27d05970bb42ac2fefe51cb6b01abd) Thanks, Fraser On Tue, Nov 29, 2016 at 07:02:12PM +1000, Fraser Tweedale wrote: > The attached patch moves some string constants f

Re: [Pki-devel] [PATCH] 0139 Merge duplicate authz plugin code into superclass

2016-12-11 Thread Fraser Tweedale
Acked by alee: https://github.com/frasertweedale/pki/commit/2d6e917470fce977d2537eba0b9ef2ee17fd0a41 Pushed to master (bfcf597d569e24fe6ec60062e37908c62bcff76) On Tue, Nov 29, 2016 at 07:04:26PM +1000, Fraser Tweedale wrote: > The attached patch merges some duplicate authz manager c

Re: [Pki-devel] [PATCH] 0140 Allow ':' to appear in ACL expressions

2016-12-11 Thread Fraser Tweedale
Acked by alee: https://github.com/frasertweedale/pki/commit/037c16e3e78bccfa16e3d50ef840675ad2e0f3ec Pushed to master (7ab1bbb708d539d4db4e494418fedb952e4880bc) Thanks, Fraser On Tue, Nov 29, 2016 at 07:08:48PM +1000, Fraser Tweedale wrote: > With current ACL parsing, if you h

Re: [Pki-devel] [PATCH] 0141 Add getAuthzManagerNameByRealm to IAuthzSubsystem

2016-12-11 Thread Fraser Tweedale
Acked by alee: https://github.com/frasertweedale/pki/commit/4a43f08a96f80a44ad0d8fffcb49f70b5d274277 Pushed to master (e2e4b70bab9c81b9007057cafd25447190d6cde4). Thanks, Fraser On Tue, Nov 29, 2016 at 07:12:28PM +1000, Fraser Tweedale wrote: > This patch renames (a better name) and mo

Re: [Pki-devel] [Pki-users] CS Server error

2016-12-07 Thread Fraser Tweedale
. Thanks, Fraser > On Wed, Dec 7, 2016 at 4:25 PM, Fraser Tweedale <ftwee...@redhat.com> wrote: > > > On Wed, Dec 07, 2016 at 02:11:53PM -0800, Rafael Leiva-Ochoa wrote: > > > Hi Team, > > > > > > I have installed Dogtag on one of my Raspberry PI 3 de

Re: [Pki-devel] [Pki-users] CS Server error

2016-12-07 Thread Fraser Tweedale
(Sorry, I sent this to the wrong list.) On Thu, Dec 08, 2016 at 01:59:45PM +1000, Fraser Tweedale wrote: > On Wed, Dec 07, 2016 at 05:29:41PM -0800, Rafael Leiva-Ochoa wrote: > > Here you goI hope you can help. I am already starting to use it in > > production testing...I woul

Re: [Pki-devel] [PATCH] 0167..0175 external authentication support

2017-03-16 Thread Fraser Tweedale
On Tue, Mar 07, 2017 at 11:16:37AM +1000, Fraser Tweedale wrote: > Hi team, > > Please review the attached patches, which add support for external > authentication (e.g. GSS-API/SPNEGO). > > These patches depend on some other outstanding patches: > 0157, 0158, 0165, 0166

[Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-04 Thread Fraser Tweedale
de2d7f049eb4462c7442795a77a8a915ae70d216 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Mon, 3 Apr 2017 11:07:24 +1000 Subject: [PATCH 0/2] Add SEC_OID mappings for AES ECB/CBC algorithms --- org/mozilla/jss/crypto/Algorithm.c | 8 +++- org/mozilla/jss/crypto/Algor

[Pki-devel] KRA questions

2017-04-05 Thread Fraser Tweedale
Hi all, I have some questions about KRA operation. These questions came up as part of my PKCS #12 AES key bag encryption effort. 1) the kra.allowEncDecrypt.recovery setting controls whether unwrapping the archived key takes place on a crypto token (the default) or within Dogtag. It seems to be

[Pki-devel] [PATCH] 0179 KRA: do not accumulate recovered keys in token

2017-04-06 Thread Fraser Tweedale
The attached patch fixes a regression (I think?) where recovered keys accumulate in the key storage token. Thanks, Fraser From ab470a00827673f327d5f171ff3fdf1baea4ae5e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Thu, 6 Apr 2017 16:07:07 +1000 Subject: [PATC

Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-11 Thread Fraser Tweedale
is not active when I go to Edit Bug. Also not sure how to "mark reviewers". I added you and Elio to Cc though. Thanks, Fraser > > On 04/04/2017 02:56 AM, Fraser Tweedale wrote: > > Hi team, > > > > Please review attached patches for JSS and Dogtag that:

Re: [Pki-devel] [PATCH] 0159..0161 Fix config param removal in profile modification

2017-04-19 Thread Fraser Tweedale
I have created a gerrit review for this patchset: https://review.gerrithub.io/#/c/357607/ Thanks, Fraser On Tue, Feb 07, 2017 at 09:39:52PM +1000, Fraser Tweedale wrote: > Please review the attached patches which fix > https://fedorahosted.org/pki/ticket/2588, a bug in profile > mod

[Pki-devel] [PATCH] 0176..0177 small manpage fixes

2017-03-08 Thread Fraser Tweedale
Please review attached patches that fix a couple of problems in pkispawn.8 and pki_default.cfg.5. Thanks, Fraser From e6c683eec351be54fb65f22629e78865839bf263 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Thu, 9 Mar 2017 14:30:29 +1000 Subject: [PATCH 1

Re: [Pki-devel] [PATCH] 0163..0165 Include revocation reason in REST cert data

2017-03-13 Thread Fraser Tweedale
On Mon, Mar 13, 2017 at 03:59:24PM -0400, Ade Lee wrote: > ACK > Thanks; 0165 pushed to master (6fa6b692882d00c8228aed7f5780b13f1b09c98c) > On Wed, 2017-02-22 at 12:12 +1000, Fraser Tweedale wrote: > > The following patches add the revocation reason to the REST cert > > da

Re: [Pki-devel] [PATCH] 0179 KRA: do not accumulate recovered keys in token

2017-04-26 Thread Fraser Tweedale
On Thu, Apr 06, 2017 at 05:22:34PM +1000, Fraser Tweedale wrote: > The attached patch fixes a regression (I think?) where recovered > keys accumulate in the key storage token. > > Thanks, > Fraser Gerrit review: https://review.gerrithu

Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-26 Thread Fraser Tweedale
d above. Thanks, Fraser > > On 04/10/2017 11:30 PM, Fraser Tweedale wrote: > > On Thu, Apr 06, 2017 at 03:45:55PM -0700, Christina Fu wrote: > > > Hi Fraser, > > > > > > Could you please do the following first? > > > > > > 1. file a Mozilla

Re: [Pki-devel] [PATCH] 0179 KRA: do not accumulate recovered keys in token

2017-04-26 Thread Fraser Tweedale
On Wed, Apr 26, 2017 at 06:40:59PM +1000, Fraser Tweedale wrote: > On Thu, Apr 06, 2017 at 05:22:34PM +1000, Fraser Tweedale wrote: > > The attached patch fixes a regression (I think?) where recovered > > keys accumulate in the key storage token. > > > > Thanks, >

[Pki-devel] Gerrit submit type

2017-10-06 Thread Fraser Tweedale
To whoever has management permission on gerrithub, Could you please change the `Submit Type' config to `Rebase if Necessary'? This will avoid explicit merge commits without the developer having to explicitly rebase the change before submitting.
