Re: [Pki-devel] Certificate Transparency SCT signature verification?

2020-06-15 Thread Christina Fu
ers, > Fraser > > On Thu, Jun 11, 2020 at 05:08:25PM -0700, Christina Fu wrote: > > Hi Fraser, > > verifySCT still fails. I still think the fact the rfc does not require > the > > signed object to accompany the signature presents undue challenge to the > > party t

Re: [Pki-devel] Certificate Transparency SCT signature verification?

2020-06-11 Thread Christina Fu
et verifySCT returns success for now just so people could still play with CT. Much appreciated! Christina On Tue, Jun 2, 2020 at 3:05 PM Christina Fu wrote: > Hi Fraser, > Thanks for the response! > Regarding the poison extension, yes I was aware that it needed to be > removed so the code

Re: [Pki-devel] Certificate Transparency SCT signature verification?

2020-06-02 Thread Christina Fu
suggested. Finally, nice catch with the missing data length!! I'll add that and go from there. thanks again! Christina On Mon, Jun 1, 2020 at 7:31 PM Fraser Tweedale wrote: > Hi Christina, > > Adding pki-devel@ for wider audience. Comments below. > > On Mon, Jun 01, 2020 at

Re: [Pki-devel] KRA Admin certificate

2019-12-20 Thread Christina Fu
After running pkispawn to install KRA, you should see an "Installation Summary" displayed where it shows where to locate the PKCS #12 file. The p12 file is a package consisting of your admin cert and its keys. Password is what you specified in your pkispawn config file. For more detail, check o

Re: [Pki-devel] Issues with certmonger SCEP enrollment with Dogtag

2018-02-07 Thread Christina Fu
Hi Trevor, I'll need a bit of clarification and some info... On 01/31/2018 10:52 AM, Trevor Vaughan wrote: Hi All, I've hit a bit of a roadblock with debugging SCEP enrollment from certmonger to Dogtag and I'm hoping that someone can help. I am attempting to register with a subordinate CA

[Pki-devel] [REVIEW] Ticket #2921 CMC: Revocation works with an unknown revRequest.issuer

2018-02-03 Thread Christina Fu
Up for review: https://review.gerrithub.io/398312 Volunteered reviewer: jmagne thanks, Christina ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [REVIEW] Ticket 2920 - CMC: Audit Events needed for failures in SharedToken scenarios

2018-02-02 Thread Christina Fu
Up for review: https://review.gerrithub.io/398279 Volunteered reviewer: jmagne thanks, Christina

[Pki-devel] [REVIEW] Ticket 2880 - Need to record CMC requests and responses

2018-02-02 Thread Christina Fu
Up for review: https://pagure.io/dogtagpki/issue/2880#comment-491865 Assigned reviewer: jmagne thanks, Christina

[Pki-devel] [PATCH] Ticket-2757-CMC-enrollment-profiles-for-system-certi.patch (First Part - non-TMS)

2017-07-06 Thread Christina Fu
here: http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29 The 2nd part (TMS) will be submitted soon. thanks, Christina From e471035822a5447fddc67c8abf8a1a0ffb9a5bcf Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Mon, 26 Jun 2017 18:09:55

Re: [Pki-devel] [pki-devel][PATCH] 0098-SCP03-support-fix-Key-Changeover-with-HSM-RHCS.patch

2017-06-29 Thread Christina Fu
looks good. ACK. Christina On 06/29/2017 03:43 PM, John Magne wrote: [PATCH] SCP03 support: fix Key Changeover with HSM (RHCS) Ticket #2764. This relatively simple fix involves making sure the correct crypto token is being used to search for the master key in the case of symmetric key chan

Re: [Pki-devel] [PATCH] Ticket-2616-CMC-replace-id-cmc-statusInfo-with-id-cm.patch

2017-06-21 Thread Christina Fu
and here is the patch... On 06/21/2017 05:29 PM, Christina Fu wrote: This patch addresses: https://pagure.io/dogtagpki/issue/2616 CMC: replace id-cmc-statusInfo with id-cmc-statusInfoV2 See patch comment for detail. thanks, Christina

[Pki-devel] [PATCH] Ticket-2616-CMC-replace-id-cmc-statusInfo-with-id-cm.patch

2017-06-21 Thread Christina Fu
This patch addresses: https://pagure.io/dogtagpki/issue/2616 CMC: replace id-cmc-statusInfo with id-cmc-statusInfoV2 See patch comment for detail. thanks, Christina

[Pki-devel] [PATCH] Ticket-2618-UniqueKeyConstraint-fix-on-subjectDN-com.patch

2017-06-20 Thread Christina Fu
eliminates room for error. thanks, Christina From 2d69d9332eea7ddc5205dc9e44d15452be4be61f Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Tue, 20 Jun 2017 15:04:12 -0700 Subject: [PATCH] Ticket #2618 UniqueKeyConstraint fix on subjectDN comparison --- .../com/netscape/cms/profile/constra

[Pki-devel] [PATCH] Ticket-2737-CMC-check-HTTPS-client-authentication-ce.patch

2017-06-14 Thread Christina Fu
This patch addresses: https://pagure.io/dogtagpki/issue/2737 CMC: check HTTPS client authentication cert against CMC signer Please review, Thanks From 4b3ca371e1e505faff0b215798adbf78c4fcd837 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Wed, 14 Jun 2017 14:57:10 -0700 Subject: [PA

Re: [Pki-devel] [PATCH] Ticket-2619-Allow-CA-to-process-user-signed-CMC-revo.patch

2017-06-08 Thread Christina Fu
for #1 - Original Message - From: "Christina Fu" To: pki-devel@redhat.com Sent: Wednesday, June 7, 2017 6:16:56 PM Subject: [Pki-devel] [PATCH] Ticket-2619-Allow-CA-to-process-user-signed-CMC-revo.patch This patch is the implementation for ticket https://pagure.io/dogta

[Pki-devel] [PATCH] Ticket-2619-Allow-CA-to-process-user-signed-CMC-revo.patch

2017-06-07 Thread Christina Fu
00:00:00 2001 From: Christina Fu Date: Tue, 30 May 2017 14:12:06 -0700 Subject: [PATCH] Ticket #2619 Allow CA to process user-signed CMC revocation requests First of all, the original CMC revocation only supports agent-signed CMC revocation requests from the UI where CMCRevReqServlet handles it w

Re: [Pki-devel] [PATCH] Ticket-2617-part2-add-revocation-check-to-signing-ce.patch

2017-06-06 Thread Christina Fu
Received verbal ack from jmagne. pushed to master: commit 380f7fda040cc5d394e34eead45ebb921532cc07 thanks, Christina On 06/05/2017 09:03 AM, Christina Fu wrote: This patch adds the missing revocation check (and possibly validity check) to https://pagure.io/dogtagpki/issue/2617 Allow CA

[Pki-devel] [PATCH] Ticket-2617-part2-add-revocation-check-to-signing-ce.patch

2017-06-06 Thread Christina Fu
k for revocation status when I used a revoked cert to sign the cmc request. I am adding revocation and validity checks to make sure that the check is more complete. thanks, Christina From 380f7fda040cc5d394e34eead45ebb921532cc07 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Mon, 5 Jun

Re: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch

2017-05-22 Thread Christina Fu
From: "Christina Fu" To: pki-devel@redhat.com Sent: Friday, May 19, 2017 5:31:37 PM Subject: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch This patch is for https://pagure.io/dogtagpki/issue/2618 allow CA to process pre-signed CMC renewal cert reques

[Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch

2017-05-19 Thread Christina Fu
RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true. Thanks, Christina From 63af93d4b7ba2bdda405bb585ed1e4c096e7ceb2 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Fri, 19 May 2017 11:55:14 -0

Re: [Pki-devel] [PATCH] Bug-1447145-CMC-cmc.popLinkWitnessRequired-false-wou.patch

2017-05-02 Thread Christina Fu
pushed to master: commit c95cff5899e2975b16db61b811b626742e5e7114 thanks! Christina On 05/02/2017 11:43 AM, John Magne wrote: Makes sense. ACK if tested to work. - Original Message - From: "Christina Fu" To: pki-devel@redhat.com Sent: Monday, May 1, 2017 5:54:19 PM Sub

[Pki-devel] [PATCH] Bug-1447145-CMC-cmc.popLinkWitnessRequired-false-wou.patch

2017-05-01 Thread Christina Fu
rom c5ae7f6889af0ed218eef93e856eb2fb201f8cfc Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Mon, 1 May 2017 17:48:33 -0700 Subject: [PATCH] Bug 1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error This patch would fix the issue. It also adds the CMCUserSignedAuth authenticat

Re: [Pki-devel] [PATCH] Ticket-2717-CMC-user-signed-enrollment-request.patch

2017-04-28 Thread Christina Fu
Received verbal ack from jmagne. Did a demo to him as well. pushed to master: commit 3ff9de6a517d7fdcdee6c4a8c884eff052f8f824 On 04/28/2017 06:06 PM, Christina Fu wrote: https://pagure.io/dogtagpki/issue/2617 This patch provides implementation that allows user-signed CMC requests to be

Re: [Pki-devel] availability/behaviour of internal NSS token in FIPS mode

2017-04-28 Thread Christina Fu
Hi Fraser, Given that today is the code freeze for this round, and I need to wrap up a ticket today so it's hard to squeeze it into my time to context switch and give your question a proper thinking, I suggest we handle it after this release. Hope it's okay with you. thanks, Christina O

Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-27 Thread Christina Fu
On 04/26/2017 07:11 AM, Fraser Tweedale wrote: On Tue, Apr 11, 2017 at 03:23:18PM -0700, Christina Fu wrote: Thank you. Please see review comments: https://bugzilla.mozilla.org/show_bug.cgi?id=1355358#c6 I will review PKCS12Util later. Christina Updated patch jss-0002 and also created

Re: [Pki-devel] [PATCH] #2614 CMC: id-cmc-popLinkWitnessV2 feature implementation

2017-04-13 Thread Christina Fu
, identified with - Original Message - From: "Christina Fu" To: pki-devel@redhat.com Sent: Thursday, April 13, 2017 5:03:06 PM Subject: [Pki-devel] [PATCH] #2614 CMC: id-cmc-popLinkWitnessV2 feature implementation Please review. thanks!

[Pki-devel] [PATCH] #2614 CMC: id-cmc-popLinkWitnessV2 feature implementation

2017-04-13 Thread Christina Fu
Please review. thanks! Christina From 23f532da661f2528c47df67c8663a0f4f96401ea Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Thu, 13 Apr 2017 16:53:58 -0700 Subject: [PATCH] Ticket #2614 CMC: id-cmc-popLinkWitnessV2 feature implementation This patch provides the feature for CMC

Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-11 Thread Christina Fu
Fraser, On second thought, you could also ask Endi or Ade to view the tool side of code, if their time coincides with yours better. thanks, Christina On 04/11/2017 03:23 PM, Christina Fu wrote: Thank you. Please see review comments: https://bugzilla.mozilla.org/show_bug.cgi?id=1355358#c6

Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-11 Thread Christina Fu
Thank you. Please see review comments: https://bugzilla.mozilla.org/show_bug.cgi?id=1355358#c6 I will review PKCS12Util later. Christina On 04/10/2017 11:30 PM, Fraser Tweedale wrote: On Thu, Apr 06, 2017 at 03:45:55PM -0700, Christina Fu wrote: Hi Fraser, Could you please do the

Re: [Pki-devel] [pki-devel][PATCH] 0091-SCP03 support for g&d 7 card.patch

2017-04-10 Thread Christina Fu
looks fine. ack. Christina On 03/29/2017 11:22 AM, John Magne wrote: [PATCH] SCP03 support for g&d sc 7 card. Ticket: https://pagure.io/dogtagpki/issue/1663 Add SCP03 support This allows the use of the g&d 7 card. This will require the following: 1. An out of band method is needed to gen

Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-06 Thread Christina Fu
Hi Fraser, Could you please do the following first? 1. file a Mozilla bugzilla bug for this against Product JSS Release 4.4.1, then assign to yourself: https://bugzilla.mozilla.org/ 2. After making sure your patch compiles well with the 4.4.1 base, attach the patch to that ticket, and mark r

[Pki-devel] [PATCH] Bug-2615-CMC-cleanup-code-for-Encrypted-Decrypted-PO.patch

2017-03-26 Thread Christina Fu
: Christina Fu Date: Sun, 26 Mar 2017 17:34:51 -0400 Subject: [PATCH] Bug #2615 CMC: cleanup code for Encrypted Decrypted POP This patch adds more error checking and debugging --- .../netscape/cms/profile/common/EnrollProfile.java | 190 - .../cms/servlet/common

[Pki-devel] [PATCH] Bug 1419734 CMC: id-cmc-identityProofV2 feature

2017-03-24 Thread Christina Fu
please review. thanks, Christina From 322fc30f6bd5f8a7d419a865bf6ad6b7c64de979 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Sat, 18 Feb 2017 12:27:49 -0800 Subject: [PATCH] Bug 1419734 CMC: id-cmc-identityProofV2 feature implementation This patch adds both client and server support for two

[Pki-devel] [PATCH] Issuance Protection Cert establishment and convenience crypto routines

2017-03-17 Thread Christina Fu
materializes. thanks, Christina From db2a9326ed3c93e0463444900875021d269f27ae Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Fri, 17 Mar 2017 11:49:41 -0700 Subject: [PATCH] pagure#2605 CMC feature: id-cmc-identityProofV2 per rfc5272 (part 1) This patch provides methods that can be sha

[Pki-devel] [PATCH] Issuance Protection Cert establishment and convenience encrypt/decrypt/hash routines

2017-03-17 Thread Christina Fu
rom db2a9326ed3c93e0463444900875021d269f27ae Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Fri, 17 Mar 2017 11:49:41 -0700 Subject: [PATCH] pagure#2605 CMC feature: id-cmc-identityProofV2 per rfc5272 (part 1) This patch provides methods that can be shared between the CA and the ISharedToken plugins: 1. the convenience routi

Re: [Pki-devel] [PATCH] 957 Added access banner for PKI UI.

2017-02-23 Thread Christina Fu
I only have time to play with it. So this review is not based on code reading. I was able to trigger a session timeout and the banner appears again as expected. So from that point of view, as long as the patches don't break existing banner-ignorant clients, ack. And again, please make sure i

Re: [Pki-devel] [PATCH] 957 Added access banner for PKI UI.

2017-02-22 Thread Christina Fu
On 02/22/2017 04:51 PM, Christina Fu wrote: First, as discussed over irc, the banner should be re-displayed when an ssl session ends. Sounds like sessionStorage might not do what is expected. correction. I meant to say "the banner should be re-displayed when an ssl session ends

Re: [Pki-devel] [PATCH] 957 Added access banner for PKI UI.

2017-02-22 Thread Christina Fu
First, as discussed over irc, the banner should be re-displayed when an ssl session ends. Sounds like sessionStorage might not do what is expected. Please also make sure the resulting code works with IE. thanks! Christina On 02/22/2017 11:57 AM, Endi Sukma Dewata wrote: The PKI UI main page

Re: [Pki-devel] [PATCH] pki-cfu-0159-Ticket-1741-ECDSA-certs-Alg-IDs-contian-parameter-fi.patch

2017-01-26 Thread Christina Fu
thank you! Pushed to master: commit 76ca6d1691e56274945b6f03760273208fafd791 Christina On 01/23/2017 06:06 PM, John Magne wrote: Looks good. ACK - Original Message - From: "Christina Fu" To: pki-devel@redhat.com Sent: Friday, January 20, 2017 5:00:02 PM Subject:

Re: [Pki-devel] [PATCH] 918 Replaced CryptoManager.getTokenByName().

2017-01-25 Thread Christina Fu
A lot of areas (both on server and on various tools) have been touched, although the changes are simple in nature and are all similar. Please make sure everything that's touched by this patch is still working. ACK if all tested to work. thanks, Christina On 01/25/2017 06:41 AM, Endi Sukma

Re: [Pki-devel] [PATCH] 917 Fixed inconsistent internal token detection.

2017-01-25 Thread Christina Fu
Looks straightforward. This patch appears to just replace existing calls to use CryptoUtil.isInternalToken(tokenname) instead. If tested to work, ACK. Christina On 01/25/2017 06:41 AM, Endi Sukma Dewata wrote: The codes that detects internal token name have been modified to use CryptoUtil.i

Re: [Pki-devel] [PATCH] 916 Updated CryptoUtil.

2017-01-25 Thread Christina Fu
looks good. Only requesting to have comment for isInternalToken() to explain why if name is empty it's considered true. conditional ACK if tested to work. thanks, Christina On 01/25/2017 06:41 AM, Endi Sukma Dewata wrote: The CryptoUtil has been modified to provide separate methods to obtai

[Pki-devel] [PATCH] pki-cfu-0159-Ticket-1741-ECDSA-certs-Alg-IDs-contian-parameter-fi.patch

2017-01-20 Thread Christina Fu
rom 5e914a3855d95a0bbca5fc565757fea5e40f16a1 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Fri, 20 Jan 2017 16:01:17 -0800 Subject: [PATCH] Ticket #1741 ECDSA certs Alg IDs contian parameter field Per rfc5758, When the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or ecdsa-with-SHA

Re: [Pki-devel] [pki-devel][PATCH] 0086-Ticket-2569-Token-memory-not-wiped-after-key-deletio.patch

2017-01-05 Thread Christina Fu
Overall, it looks good. Just some minor suggestions, mostly for clarification purposes. * SecureChannel.java : clearAppletKeySlotData - would appreciate comments describing the content and format expected in the input "data" - maybe a positive debug message after the successful cleanup

Re: [Pki-devel] [PATCH] pki-cfu-0157-Ticket-2534-additional-reset-cert-status-after-succe.patch

2017-01-04 Thread Christina Fu
Thanks! pushed to master: commit c1656bd16dfca8bb5eef4436ee64b95daaac70c8 Christina On 01/04/2017 11:50 AM, John Magne wrote: Looks good. Looks like we are now updating the proper entry each time when unrevoking. If tested to work, ACK - Original Message - From: "Christi

[Pki-devel] [PATCH] pki-cfu-0157-Ticket-2534-additional-reset-cert-status-after-succe.patch

2017-01-04 Thread Christina Fu
successfully on the CA. thanks, Christina From c1656bd16dfca8bb5eef4436ee64b95daaac70c8 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Wed, 4 Jan 2017 11:20:06 -0800 Subject: [PATCH] Ticket #2534 (additional) - reset cert status after successful unrevoke --- .../tps/src/org/dogtagpki/ser

Re: [Pki-devel] [PATCH] pki-cfu-0156-Ticket-2534-Automatic-recovery-of-encryption-cert-CA.patch

2016-11-18 Thread Christina Fu
got verbal ack from jmagne. Pushed to master: commit c633da8d43894258d9a4b1050a0d16316c17dbd5 thanks, Christina On 11/18/2016 12:23 PM, Christina Fu wrote: https://fedorahosted.org/pki/ticket/2534 Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status

[Pki-devel] [PATCH] pki-cfu-0156-Ticket-2534-Automatic-recovery-of-encryption-cert-CA.patch

2016-11-18 Thread Christina Fu
tracks its own recovered certificate status, it is consolidated with the certificate status tracking mechanism added in this patch so that they can be uniformly managed. thanks, Christina From d81e2a31181c7d8487171fd7fb7c64bc87296c39 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Fri, 18

Re: [Pki-devel] [pki-devel][PATCH]

2016-11-16 Thread Christina Fu
I compared this patch with the original C patch. There was a check in C that does not exist in your Java patch: 1019 if(data.size() != 3){ 1020 lifecycle = 0xf0; 1021 RA::Error(LL_PER_PDU, "RA_Processor::GetLifecycle", "apdu response is the wrong size, the

Re: [Pki-devel] [PATCH] 866 Fixed problem installing subordinate CA with HSM in FIPS mode.

2016-11-15 Thread Christina Fu
looks good. if tested to work, ack. Christina On 11/15/2016 01:57 PM, Endi Sukma Dewata wrote: Due to certutil issue (bug #1393668) the installation code has been modified to import certificates into the NSS database in two steps. This workaround is needed to install subordinate CA with HSM i

Re: [Pki-devel] [PATCH] 853-854 Added man pages for PKCS #12 utilities.

2016-11-07 Thread Christina Fu
looks good. The only thing I had question with was whether the file> referred to in the man pages was in DER binary encoding or base64 encoded PEM. It would help if you clarify that. Conditional ACK. Christina On 11/02/2016 05:37 PM, Endi Sukma Dewata wrote: New man pages have been added:

[Pki-devel] simple TPS debug messages added

2016-10-24 Thread Christina Fu
qualifies for "simple checkin that does not affect code". commit 443dcb1914f010ce8fc7c737dd8163e05a3d71db Author: Christina Fu Date: Mon Oct 24 09:59:42 2016 -0700 a few simple debugging messages in TPS that will make debugging easier.

Re: [Pki-devel] [pki-devel][PATCH] 0084-TPS-token-enrollment-fails-to-setupSecureChannel-whe.patch

2016-10-21 Thread Christina Fu
Just a minor suggestion. Endi added in CryptoUtil.java lately to fix similar FIPS related issue: isInternalToken(). You might want to take advantage of that instead as it does ignore case. It's up to you. ACK. Christina On 10/20/2016 03:24 PM, John Magne wrote: TPS token enrollment fail

Re: [Pki-devel] [pki-devel][PATCH] 0083-PIN_RESET-policy-is-not-giving-expected-results-when.patch

2016-10-19 Thread Christina Fu
code looks fine. If tested to work, ACK. Christina On 10/18/2016 07:02 PM, John Magne wrote: PIN_RESET policy is not giving expected results when set on a token. Simple fix to actually honor the PIN_RESET=or policy for a given token. Minor logging improvements added as well for th

Re: [Pki-devel] [pki-devel][PATCH] 0082-Cert-Key-recovery-is-successful-when-the-cert-serial.patch

2016-10-18 Thread Christina Fu
If tested to work for all cases, ACK. Christina On 10/18/2016 03:22 PM, John Magne wrote: Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches Fixes this bug #1381375. The portion this patch fixes involves URL encoding glitch we

Re: [Pki-devel] [PATCH] 844 Fixed CryptoUtil.getTokenName().

2016-10-18 Thread Christina Fu
Code looks good. ACK if tested to work in both FIPS and non-FIPS, with or without HSM. Might be a future exercise to find out where the string "Internal Key Storage Token" comes from. Christina On 10/13/2016 06:57 PM, Endi Sukma Dewata wrote: The CryptoUtil.getTokenName() has been modifie

[Pki-devel] [PATCH]pki-cfu-0155-Ticket-2498-Token-format-with-external-reg-fails-whe.patch

2016-10-10 Thread Christina Fu
rom 9d91230e99e6d96fd19e18e83b356c8bcbe20f52 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Mon, 10 Oct 2016 16:05:26 -0700 Subject: [PATCH] Ticket #2498 Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true This patch adds the missing parameters in the CS.cfg

Re: [Pki-devel] Fwd: [pli-devel][PATCH] 0081-Fix-for-Add-ability-to-disallow-TPS-to-enroll-a-sing.patch

2016-10-07 Thread Christina Fu
Code looks good. One suggestion. Since we have to appease to the current NSS way of looking up certs, how about making the default true so that it will keep the old encryption certs by default? Of course we are taking up more space now on the token when it's true, so we should plan to revert

Re: [Pki-devel] [PATCH] pki-cfu-0153-Ticket-2496-Cert-Key-recovery-is-successful-when-the.patch

2016-10-07 Thread Christina Fu
s a small chance of impact to certain external reg features, such as retention, it might make sense to recommend a quick sanity test of the external reg feature after this. In the future we might want to more strongly discourage the keyid pathway. - Original Message - From: "Christi

[Pki-devel] [PATCH] pki-cfu-0153-Ticket-2496-Cert-Key-recovery-is-successful-when-the.patch

2016-10-06 Thread Christina Fu
:00:00 2001 From: Christina Fu Date: Wed, 5 Oct 2016 16:09:24 -0700 Subject: [PATCH] Ticket #2496 Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches Problem: There are two ways to recover the keys with a. by cert b. by keyId When recovering by c

Re: [Pki-devel] [PATCH] pki-cfu-0152-Ticket-1527-TPS-Enrollment-always-goes-to-ca1-bug-fi.patch

2016-10-05 Thread Christina Fu
pushed to master commit 3b93a22c4ffa6e5e16cfd5c8ec02348c58b78422 thanks! Christina On 10/05/2016 08:19 AM, Endi Sukma Dewata wrote: On 10/3/2016 7:14 PM, Christina Fu wrote: This patch fixes an additional issue in ticket: https://fedorahosted.org/pki/ticket/1527 where after proper

[Pki-devel] [PATCH] pki-cfu-0152-Ticket-1527-TPS-Enrollment-always-goes-to-ca1-bug-fi.patch

2016-10-03 Thread Christina Fu
rom: Christina Fu Date: Mon, 3 Oct 2016 17:02:10 -0700 Subject: [PATCH] Ticket #1527 TPS Enrollment always goes to "ca1" (bug fix) This patch fixes the bug that after revocation ca discovery, the revokeCertificate call goes back to the default ca, the ca that the certificate is to be e

Re: [Pki-devel] [PATCH] pki-cfu-0151-Ticket-2446-pkispawn-make-subject_dn-defaults-unique.patch

2016-08-31 Thread Christina Fu
pushed to master: commit 1195ee9d6e45783d238edc1799363c21590febce thanks, Christina On 08/31/2016 03:29 PM, Endi Sukma Dewata wrote: ACK. -- Endi S. Dewata - Original Message - Patch for https://fedorahosted.org/pki/ticket/2446 pkispawn: make subject_dn defaults unique per instanc

Re: [Pki-devel] [PATCH] 827 Added support to create system certificates in different tokens.

2016-08-31 Thread Christina Fu
I'm less familiar with the area, so I'm just going to ask a question. Where in the new code does it handle taking in passwords and logging into the extra token(s)? thanks, Christina On 08/31/2016 12:35 PM, Endi Sukma Dewata wrote: Previously all system certificates were always created in t

[Pki-devel] [PATCH] pki-cfu-0151-Ticket-2446-pkispawn-make-subject_dn-defaults-unique.patch

2016-08-31 Thread Christina Fu
Patch for https://fedorahosted.org/pki/ticket/2446 pkispawn: make subject_dn defaults unique per instance name (for shared HSM) Please review. thanks, Christina From 1195ee9d6e45783d238edc1799363c21590febce Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Wed, 31 Aug 2016 14:03:02 -0

[Pki-devel] Karma Requests for jss-4.2.6-42 on F24, F25 and rawhide

2016-08-10 Thread Christina Fu
The following candidate build of jss-4.2.6-41 on Fedora24 consists of the following: http://koji.fedoraproject.org/koji/buildinfo?buildID=790383 Please provide Karma for this build in Bodhi located at: https://bodhi.fedoraproject.org/updates/FEDORA-2016-35dc802080 And for Fedora 25 http://k

Re: [Pki-devel] JSS/NSS

2016-08-09 Thread Christina Fu
On 08/09/2016 05:34 PM, Christina Fu wrote: On 08/07/2016 06:17 PM, Fraser Tweedale wrote: On Fri, Aug 05, 2016 at 10:10:22AM -0700, George Wash wrote: Are there any plans on the dogtag roadmap to ever migrate away from using JSS/NSS? Hi George, I don't think there are any such

Re: [Pki-devel] JSS/NSS

2016-08-09 Thread Christina Fu
On 08/07/2016 06:17 PM, Fraser Tweedale wrote: On Fri, Aug 05, 2016 at 10:10:22AM -0700, George Wash wrote: Are there any plans on the dogtag roadmap to ever migrate away from using JSS/NSS? Hi George, I don't think there are any such plans. Why do you ask? Right, there is no such plan to

Re: [Pki-devel] [PATCH] pki-cfu-0150-Ticket-2428-broken-request-links-for-CA-s-system-cer.patch

2016-08-04 Thread Christina Fu
pushed to master: commit d2e8c9c5fb54e39884ecf304a234f8cb52c5a40e thanks, Christina On 08/04/2016 05:07 PM, Matthew Harmsen wrote: On 08/04/2016 05:46 PM, Christina Fu wrote: Attached please find the patch that fixes the broken link from cert->request or just simply visiting requ

[Pki-devel] [PATCH] pki-cfu-0150-Ticket-2428-broken-request-links-for-CA-s-system-cer.patch

2016-08-04 Thread Christina Fu
Attached please find the patch that fixes the broken link from cert->request or just simply visiting request records from agent page on CA's system certs. thanks, Christina From 4f4e08db5034daa63519fa68d766f6d5b37651d6 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Thu, 4 Aug

Re: [Pki-devel] [PATCH]pki-cfu-0149-Ticket-2246-MAN-Man-Page-AuditVerify.patch

2016-07-15 Thread Christina Fu
pushed per Endi's verbal conditional ack: commit 078dfc1f01dea30800f19eed6df4ed547edffee3 thanks!! Christina On 07/14/2016 08:45 PM, Endi Sukma Dewata wrote: On 7/12/2016 8:27 PM, Christina Fu wrote: man page for AuditVerify https://fedorahosted.org/pki/ticket/2246 Some com

[Pki-devel] [PATCH]pki-cfu-0149-Ticket-2246-MAN-Man-Page-AuditVerify.patch

2016-07-12 Thread Christina Fu
man page for AuditVerify https://fedorahosted.org/pki/ticket/2246 thanks, Christina From 79aba2c8b2d507649a1d65e429f3cf42b3740471 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Tue, 12 Jul 2016 18:18:39 -0700 Subject: [PATCH] Ticket #2246 [MAN] Man Page: AuditVerify This patch conta

Re: [Pki-devel] [PATCH] pki-cfu-0148-Ticket-2389-fix-for-regular-CA-installation.patch

2016-07-11 Thread Christina Fu
received verbal ACK from edewata. Pushed to master: commit ee68baccc5510184ff67b903288410d3ccc6a831 thanks! Christina On 07/11/2016 06:19 PM, Christina Fu wrote: This patch addresses the issue that with the previous patch, the regular (non-external and non-existing) CA installation

[Pki-devel] [PATCH] pki-cfu-0148-Ticket-2389-fix-for-regular-CA-installation.patch

2016-07-11 Thread Christina Fu
This patch addresses the issue that with the previous patch, the regular (non-external and non-existing) CA installation fails. https://fedorahosted.org/pki/ticket/2389 thanks, Christina From 1ddd1db04baa8773d4fc17562ec92e66797927fe Mon Sep 17 00:00:00 2001 From: Christina Fu Date:

Re: [Pki-devel] [PATCH] pki-cfu-0146-Ticket-978-PS-connector-man-page-add-revocation-rout.patch

2016-07-08 Thread Christina Fu
.ca Maybe just somewhere make it clear that represents an integer between 1 and whatever we support. Maybe just say that in the section talking about the ca list : "ca1,ca2" - Original Message - From: "Christina Fu" To: "pki-devel" Sent: Thursday, 7 July

[Pki-devel] [PATCH] pki-cfu-0146-Ticket-978-PS-connector-man-page-add-revocation-rout.patch

2016-07-07 Thread Christina Fu
Attached please find the patch that addresses: https://fedorahosted.org/pki/ticket/978 TPS connector man page: add revocation routing info thanks, Christina From 79555bd4bfd74a97af8cf8d674f0a7df62a8a98e Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Thu, 7 Jul 2016 14:02:18 -0700 Subj

[Pki-devel] Karma Request for jss-4.2.6-41 on Fedora24

2016-07-05 Thread Christina Fu
The following candidate build of jss-4.2.6-41 on Fedora24 consists of the following: jss-4.2.6-41.fc24 Please provide Karma for this build in Bodhi located at: https://bodhi.fedoraproject.org/updates/FEDORA-2016-113d8c06f5 Addition

[Pki-devel] Karma Request for tomcatjss-7.1.4-1 on Fedora 24

2016-07-05 Thread Christina Fu
The following candidate build of tomcatjss-7.1.4-1 on Fedora 24 consists of the following: tomcatjss-7.1.4-1.fc24 Please provide Karma for this build in Bodhi located at: https://bodhi.fedoraproject.org/updates/FEDORA-2016-167163e

Re: [Pki-devel] [PATCH] Bug 1203407 - tomcatjss: missing ciphers

2016-06-30 Thread Christina Fu
got verbal ack from Jack. Pushed to master (the dogtag patch): commit f0ad71e8a4fbae665a6b4875cce5b82895ad74f0 tomcatjss will be built in the next few days. Christina On 06/30/2016 03:04 PM, Christina Fu wrote: The tomcatjss patch address: *Bug 1203407* <https://bugzilla.redhat.

[Pki-devel] [PATCH] Bug 1203407 - tomcatjss: missing ciphers

2016-06-30 Thread Christina Fu
System.err.println("SSLSocket.setCipherPreferenceDefault exception:" +e); if (eccCipherMap.containsKey(cipherid)) { System.err .println("Warning: SSL ECC cipher \"" From c0bf4a016709d000f81df

Re: [Pki-devel] [PATCH] pki-cfu-0144-Ticket-1306-config-params-Add-granularity-to-token-t.patch

2016-06-30 Thread Christina Fu
got verbal ack from Jack. Pushed to master: commit 63a58cf51ef2982e8a35eff1f98dd42453e5681e thanks, Christina On 06/30/2016 02:11 PM, Christina Fu wrote: This patch is for https://fedorahosted.org/pki/ticket/1306 [RFE] Add granularity to token termination in TPS It 1. adds the missing

[Pki-devel] [PATCH] pki-cfu-0144-Ticket-1306-config-params-Add-granularity-to-token-t.patch

2016-06-30 Thread Christina Fu
This patch is for https://fedorahosted.org/pki/ticket/1306 [RFE] Add granularity to token termination in TPS It 1. adds the missing parameters 2. adds a table for revocation code thanks, Christina From 63a58cf51ef2982e8a35eff1f98dd42453e5681e Mon Sep 17 00:00:00 2001 From: Christina Fu D

Re: [Pki-devel] [PATCH] pki-cfu-0143-Ticket-2389-Installation-subsystem-certs-could-have-.patch

2016-06-29 Thread Christina Fu
addressed comment. pushed to master: commit 659c90869a27871eda27fd730d00b0499873dae2 thanks! Christina On 06/28/2016 07:30 PM, Endi Sukma Dewata wrote: On 6/28/2016 8:03 PM, Christina Fu wrote: This patch addresses https://fedorahosted.org/pki/ticket/2389 Installation: subsystem certs could

[Pki-devel] [PATCH] pki-cfu-0143-Ticket-2389-Installation-subsystem-certs-could-have-.patch

2016-06-28 Thread Christina Fu
This patch addresses https://fedorahosted.org/pki/ticket/2389 Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA thanks, Christina From c79ff72288dd27b6b55840c0d5066b9b233a2b3a Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Tue,

Re: [Pki-devel] [PATCH] pki-cfu-0142-Ticket-1308-RFE-Provide-ability-to-perform-off-card-.patch

2016-06-28 Thread Christina Fu
received verbal ack from Jack. Pushed to master: commit 98c12f05c38c9d21389f03a99f849151d9b68c84 thanks, Christina On 06/28/2016 02:55 PM, Christina Fu wrote: This is the patch to add missing serverKeygen params for non-encryption certs. By default it is disabled. thanks, Christina

[Pki-devel] [PATCH] pki-cfu-0142-Ticket-1308-RFE-Provide-ability-to-perform-off-card-.patch

2016-06-28 Thread Christina Fu
This is the patch to add missing serverKeygen params for non-encryption certs. By default it is disabled. thanks, Christina From 98c12f05c38c9d21389f03a99f849151d9b68c84 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Tue, 28 Jun 2016 11:28:42 -0700 Subject: [PATCH] Ticket #1308 [

Re: [Pki-devel] [pki-devel] [PATCH] 0074-Add-ability-to-disallow-TPS-to-enroll-a-single-user-.patch

2016-06-27 Thread Christina Fu
Just a few minor ones. * configuration parameters referencing token existence in tokendb should use names begin with "tokendb". e.g. tokendb.allowMultiActiveTokensPerUser.externalReg=false tokendb.allowMultiActiveTokensPerUser.nonExternalReg=false * boolean allowMultiCerts -- I think

Re: [Pki-devel] [PATCH] 779 Fixed problem reading HSM password from password file.

2016-06-24 Thread Christina Fu
Looks like might do it. If tested to work (borrow a vm from QE if you don't have one), ack. Christina On 06/24/2016 03:45 PM, Endi Sukma Dewata wrote: A new method get_token_password() has been added into PKIInstance Python class in order to read the token password correctly from password.con

Re: [Pki-devel] [PATCH] pki-cfu-0140-Ticket-2346-support-SHA384withRSA.patch

2016-06-17 Thread Christina Fu
pushed to master: commit 158bb22a87832ff2be07ac4b75c8f2927caefd55 thanks, Christina On 06/17/2016 05:31 PM, John Magne wrote: Looked over. Pretty straightforward additions. As long as the stated successful test worked. ACK - Original Message - From: "Christina Fu" To:

Re: [Pki-devel] [PATCH] pki-cfu-0140-Ticket-2346-support-SHA384withRSA.patch

2016-06-17 Thread Christina Fu
forgot to attach patch... here you go. On 06/17/2016 04:48 PM, Christina Fu wrote: This patch adds support for SHA384withRSA signing algorithm. It addresses ticket: https://fedorahosted.org/pki/ticket/2346 java.security.NoSuchAlgorithmException: no such algorithm: OID.1.2.840.113549.1.1.12

[Pki-devel] [PATCH] pki-cfu-0140-Ticket-2346-support-SHA384withRSA.patch

2016-06-17 Thread Christina Fu
This patch adds support for SHA384withRSA signing algorithm. It addresses ticket: https://fedorahosted.org/pki/ticket/2346 java.security.NoSuchAlgorithmException: no such algorithm: OID.1.2.840.113549.1.1.12 for provider Mozilla-JSS when signing a CSR using SHA384withRSA Tested to work with 1

Re: [Pki-devel] [PATCH] pki-cfu-0139-Ticket-2298-Part3-trim-down-debug-log-in-non-TMS-crm.patch

2016-06-17 Thread Christina Fu
pushed to master: commit 62d8908d91e74320db647b939c0d9900c09d0608 thanks, Christina On 06/17/2016 03:06 PM, John Magne wrote: If tested to work and no offending logs remain: ACK - Original Message - From: "Christina Fu" To: "pki-devel" Sent: Friday, June 17, 201

[Pki-devel] [PATCH] pki-cfu-0139-Ticket-2298-Part3-trim-down-debug-log-in-non-TMS-crm.patch

2016-06-17 Thread Christina Fu
patch, CS.cfg is introduced a new profile, which accidentally got copied in a hard coded path, which is fixed too. thanks, Christina From 62d8908d91e74320db647b939c0d9900c09d0608 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Fri, 17 Jun 2016 14:48:17 -0700 Subject: [PATCH] Ticket #2298 Pa

Re: [Pki-devel] [PATCH] pki-cfu-0133-Ticket-2298-exclude-some-ldap-record-attributes-with.patch

2016-06-16 Thread Christina Fu
Received verbal ACK from Jack. Pushed to master: commit 51f34c3edb73a78b42468b756b89d07fc9ec7839 thanks, Christina On 06/16/2016 05:41 PM, Christina Fu wrote: Thanks for Jack's sharp eye, I accidentally messed up the git with one new profile. This new patch 1. fixed the git issue 2. c

Re: [Pki-devel] [PATCH] pki-cfu-0133-Ticket-2298-exclude-some-ldap-record-attributes-with.patch

2016-06-16 Thread Christina Fu
the default of excludedLdapAttrs.enabled to false. thanks, Christina On 06/16/2016 03:50 PM, Christina Fu wrote: This is part 2 of: https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key archival/recovery, not to record certain data in ldap and logs This patch allows one to exclude certain ldap attr

[Pki-devel] [PATCH] pki-cfu-0133-Ticket-2298-exclude-some-ldap-record-attributes-with.patch

2016-06-16 Thread Christina Fu
on cert counterpart within the same request. Due to this factor (multiple cert reqs with the same request blob), I am treating them the same for exclusion. thanks, Christina From a95da0485758d5385fde425e3d5132aa2d3275a4 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Thu, 16 Jun 2016 15:4

Re: [Pki-devel] [pki-devel][PATCH] 0071-UdnPwdDirAuth-authentication-plugin-instance-is-not-.patch

2016-06-16 Thread Christina Fu
Looks good. If compiles, installs, and runs, ACK. Christina On 06/08/2016 10:58 AM, John Magne wrote: UdnPwdDirAuth authentication plugin instance is not working. Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working. Since this class no longer w

Re: [Pki-devel] [PATCH] 763-764 Fixed TPS VLV indexes.

2016-06-09 Thread Christina Fu
I was able to follow the VLV upgrade instruction and tried out the patches. Love the reverse activities order. tokens too. The previously "missing" activities now also show up. Since I'm not familiar with the area of the code you touched, I can give you ACK on the merit that they seem to work

Re: [Pki-devel] [PATCH] pki-cfu-0131-Ticket-2335-Missing-activity-logs-when-formatting-en.patch

2016-06-06 Thread Christina Fu
) thanks, Christina On 06/06/2016 09:14 AM, Christina Fu wrote: Hi Endi, first, thanks for the review! Please see my response in-line below. thanks, Christina On 06/05/2016 01:39 PM, Endi Sukma Dewata wrote: On 6/3/2016 7:29 PM, Christina Fu wrote: https://fedorahosted.org/pki/ticket/2335 Ticket

Re: [Pki-devel] [PATCH] pki-cfu-0131-Ticket-2335-Missing-activity-logs-when-formatting-en.patch

2016-06-06 Thread Christina Fu
Hi Endi, first, thanks for the review! Please see my response in-line below. thanks, Christina On 06/05/2016 01:39 PM, Endi Sukma Dewata wrote: On 6/3/2016 7:29 PM, Christina Fu wrote: https://fedorahosted.org/pki/ticket/2335 Ticket #2335 Missing activity logs when formatting/enrolling
