Re: [Freeipa-devel] [PATCH] 357 Added symmetric and asymmetric vaults.

2014-11-05 Thread Petr Spacek

On 5.11.2014 09:32, Martin Kosek wrote:
> On 11/05/2014 08:14 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 4.11.2014 at 17:54, Endi Sukma Dewata wrote:
>>> Hi,
>>>
>>> In this patch I'm adding ipaVaultSalt and ipaVaultPublicKey attribute
>>> types to store salt and public key for vault. Are there existing
>>> attribute types that I can use instead? I see there's an ipaPublicKey,
>>> should I use that and maybe add ipaSalt/ipaEncSalt? Thanks.
>>
>> yes, please re-use existing attributes where possible.
>>
>> Honza
>
> +1. Also, if ipaSalt/ipaEncSalt is usable outside of Vault, I would go with it,
> instead of adding ipaVaultSalt.


Existing schema including ipaPublicKey attribute is described on:
http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema

Please note that there are defined data formats too, not only OIDs.

--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 357 Added symmetric and asymmetric vaults.

2014-11-05 Thread Martin Kosek
On 11/05/2014 08:14 AM, Jan Cholasta wrote:
> Hi,
> 
> On 4.11.2014 at 17:54, Endi Sukma Dewata wrote:
>> Hi,
>>
>> In this patch I'm adding ipaVaultSalt and ipaVaultPublicKey attribute
>> types to store salt and public key for vault. Are there existing
>> attribute types that I can use instead? I see there's an ipaPublicKey,
>> should I use that and maybe add ipaSalt/ipaEncSalt? Thanks.
>>
> 
> yes, please re-use existing attributes where possible.
> 
> Honza
> 

+1. Also, if ipaSalt/ipaEncSalt is usable outside of Vault, I would go with it,
instead of adding ipaVaultSalt.

Martin



Re: [Freeipa-devel] [PATCH] 357 Added symmetric and asymmetric vaults.

2014-11-04 Thread Jan Cholasta

Hi,

On 4.11.2014 at 17:54, Endi Sukma Dewata wrote:
> Hi,
>
> In this patch I'm adding ipaVaultSalt and ipaVaultPublicKey attribute
> types to store salt and public key for vault. Are there existing
> attribute types that I can use instead? I see there's an ipaPublicKey,
> should I use that and maybe add ipaSalt/ipaEncSalt? Thanks.



yes, please re-use existing attributes where possible.

Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 357 Added symmetric and asymmetric vaults.

2014-11-04 Thread Endi Sukma Dewata

Hi,

In this patch I'm adding ipaVaultSalt and ipaVaultPublicKey attribute 
types to store salt and public key for vault. Are there existing 
attribute types that I can use instead? I see there's an ipaPublicKey, 
should I use that and maybe add ipaSalt/ipaEncSalt? Thanks.


--
Endi S. Dewata

On 11/4/2014 12:30 AM, Endi Sukma Dewata wrote:
> The IPA vault has been modified to support symmetric and asymmetric
> vaults to allow client to pre-encrypt the data. Due to the status
> of the crypto library the actual encryption will be added separately
> later.
>
> New LDAP attribute types have been added to store vault type, salt
> and public key.
>
> https://fedorahosted.org/freeipa/ticket/3872

https://fedorahosted.org/freeipa/ticket/3872




[Freeipa-devel] [PATCH] 357 Added symmetric and asymmetric vaults.

2014-11-03 Thread Endi Sukma Dewata

The IPA vault has been modified to support symmetric and asymmetric
vaults to allow client to pre-encrypt the data. Due to the status
of the crypto library the actual encryption will be added separately
later.

New LDAP attribute types have been added to store vault type, salt
and public key.

https://fedorahosted.org/freeipa/ticket/3872

--
Endi S. Dewata
From 062d86c4bf4f58eadb863cbcd01bd39ef30691d8 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 24 Oct 2014 19:53:16 -0400
Subject: [PATCH] Added symmetric and asymmetric vaults.

The IPA vault has been modified to support symmetric and asymmetric
vaults to allow client to pre-encrypt the data. Due to the status
of the crypto library the actual encryption will be added separately
later.

New LDAP attribute types have been added to store vault type, salt
and public key.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt |  27 +++-
 VERSION |   4 +-
 install/share/60basev4.ldif |   7 +-
 ipalib/plugins/vault.py | 332 +++-
 4 files changed, 358 insertions(+), 12 deletions(-)

diff --git a/API.txt b/API.txt
index 
7668e8ceebb1a2b6e6ebcd6d70c9209f5a874627..7c4a87dcab4a523977cc63341801120816088db1
 100644
--- a/API.txt
+++ b/API.txt
@@ -4476,14 +4476,20 @@ output: Output('result', , None)
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: vault_add
-args: 1,11,3
+args: 1,17,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Bytes('data?', cli_name='data')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
 option: Str('in?', cli_name='in')
+option: Bytes('ipavaultpublickey', attribute=True, cli_name='public_key', 
multivalue=False, required=False)
+option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', 
multivalue=False, required=False)
+option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', 
default=u'standard', multivalue=False, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('parent', attribute=False, cli_name='parent', multivalue=False, 
required=False)
+option: Str('password?', cli_name='password')
+option: Str('password_file?', cli_name='password_file')
+option: Str('public_key_file?', cli_name='public_key_file')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Flag('rights', autofill=True, default=False)
 option: Str('text?', cli_name='text')
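Review bot: the new vault_add options `ipavaultpublickey` and `ipavaultsalt` introduce vault-specific attribute types, while the replies in this thread (Jan Cholasta, Martin Kosek, Petr Spacek) ask that the existing `ipaPublicKey` attribute be reused and a generic `ipaSalt`/`ipaEncSalt` be considered instead of `ipaVaultSalt`; if that advice is taken, the `attribute=True` names in this hunk, their `cli_name` values and the `args: 1,17,3` count all need to track the final schema, and the schema page Petr links also fixes the data format of `ipaPublicKey`, so the `Bytes` type here should match that format rather than accept arbitrary bytes.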
@@ -4519,7 +4525,7 @@ output: Output('completed', , None)
 output: Output('failed', , None)
 output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault_archive
-args: 1,12,3
+args: 1,14,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Bytes('data?', cli_name='data')
@@ -4528,6 +4534,8 @@ option: Str('in?', cli_name='in')
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Bytes('nonce?', cli_name='nonce')
 option: Str('parent?', cli_name='parent')
+option: Str('password?', cli_name='password')
+option: Str('password_file?', cli_name='password_file')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Flag('rights', autofill=True, default=False)
 option: Str('text?', cli_name='text')
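Review bot: `Str('password?', cli_name='password')` takes the vault password as a plain command-line argument, which leaves it in shell history and visible in process listings while the command runs; since `password_file?` is added alongside it, the option help should point at the file (or an interactive prompt when neither is given) as the intended path, and the same applies to the identical pair added to vault_add in the first hunk.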
@@ -4546,11 +4554,14 @@ output: Output('result', , None)
 output: Output('summary', (, ), None)
 output: ListOfPrimaryKeys('value', None, None)
 command: vault_find
-args: 1,11,4
+args: 1,14,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('cn', attribute=True, autofill=False, cli_name='vault_name', 
maxlength=255, multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=False)
 option: Str('description', attribute=True, autofill=False, cli_name='desc', 
multivalue=False, query=True, required=False)
+option: Bytes('ipavaultpublickey', attribute=True, autofill=False, 
cli_name='public_key', multivalue=False, query=True, required=False)
+option: Bytes('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', 
multivalue=False, query=True, required=False)
+option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', 
default=u'standard', multivalue=False, query=True, required=False)
 option: Flag('no_members', autofill=True, default=Fal
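Review bot: in vault_find, `ipavaultsalt` and `ipavaultpublickey` are marked `query=True`, which exposes the salt and the public key as search filters; a salt is not a meaningful search key, and offering a filter on it lets the stored value be narrowed down through search matching rather than read directly. If these options appear only because the attributes are `attribute=True` on the object, consider excluding them from the find options so that, of the three new attributes, only `ipavaulttype` is searchable, and adjust `args: 1,14,4` accordingly.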