Re: [Pki-devel] [PATCH] 0051 Lightweight CAs: lookup correct issuer for OCSP responses
On Mon, Feb 22, 2016 at 12:02:49PM -0500, Ade Lee wrote: > Couple of comments .. > > 1. First off, there is a typo in the comments on the method. I think > you mean .. > > 3. Either we WERE the issuing CA, or we .. rather than "were not" > > 2. We can go with the heuristic of taking the first CA, but I do not > think we should leak information about other certs if the CA is > incorrect. The way the code is now, we will still return data on > whether a particular cert serial number is valid -- even if that cert > was not issued on that CA. > > A simple solution is to simply pass code to processRequest() to ignore > the request if the issuer is not correct and not return a response for > that request. > RFC 6960 says: The response MUST include a SingleResponse for each certificate in the request. So the best we can do is return 'unknown' status in this case. I've attached updated patch 0051-2 - the only change is the comment fixup - and two new patches: 0074 refactors digest lookup and adds support for SHA-2 algos, and 0075 changes the OCSP behaviour to return 'unknown' cert status for certs that from a different issuer. Cheers, Fraser From f24c753bde6f744d64a06fbe6c07a55575085691 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 1 Oct 2015 08:26:01 -0400 Subject: [PATCH] Lightweight CAs: lookup correct issuer for OCSP responses --- .../src/com/netscape/ca/CertificateAuthority.java | 39 +- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index 889e7e3f7595a0f831c61cecec6ee2c8fa462d44..cbb155a3bedd1517256b89ab8d2803d6ccbbb8c5 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -2121,12 +2121,49 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori return null; } +TBSRequest tbsReq = request.getTBSRequest(); + +/* An OCSP request can contain CertIDs for certificates + * issued by different CAs, but each SingleResponse is valid + * only if the combined response was signed by its issuer or + * an authorised OCSP signing delegate. + * + * Even though it is silly to send an OCSP request + * asking about certs issued by different CAs, we must + * employ some heuristic to deal with this case. Our + * heuristic is: + * + * 1. Find the issuer of the cert identified by the first + *CertID in the request. + * + * 2. If this CA is *not* the issuer, look up the issuer + *by its DN in the caMap. If not found, fail. If + *found, dispatch to its 'validate' method. Otherwise + *continue. + * + * 3. If this CA is NOT the issuing CA, we locate the + *issuing CA and dispatch to its 'validate' method. + *Otherwise, we move forward to generate and sign the + *aggregate OCSP response. + */ +ICertificateAuthority ocspCA = this; +if (tbsReq.getRequestCount() > 0) { +com.netscape.cmsutil.ocsp.Request req = tbsReq.getRequestAt(0); +BigInteger serialNo = req.getCertID().getSerialNumber(); +X509CertImpl cert = mCertRepot.getX509Certificate(serialNo); +X500Name certIssuerDN = (X500Name) cert.getIssuerDN(); +ocspCA = getCA(certIssuerDN); +} +if (ocspCA == null) +throw new CANotFoundException("Could not locate issuing CA"); +if (ocspCA != this) +return ((IOCSPService) ocspCA).validate(request); + mNumOCSPRequest++; IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); long startTime = CMS.getCurrentDate().getTime(); try { //log(ILogger.LL_INFO, "start OCSP request"); -TBSRequest tbsReq = request.getTBSRequest(); // (3) look into database to check the // certificate's status -- 2.5.0 From bc2461f2051247f59b68ba39d0eba9796b3ddfe0 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 1 Mar 2016 20:46:49 -0500 Subject: [PATCH 74/75] Move OCSP digest name lookup to CertID class The OCSP digest name lookup is currently defined in IOCSPAuthority and implemented by OCSPAuthority, but /any/ code that deals with CertID might need to know the digest, so move the lookup there. Also refactor the lookup to use a HashMap, and add mappings for SHA2 algorithms. --- .../com/netscape/certsrv/ocsp/IOCSPAuthority.java | 9 - base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java | 21 - .../cms/src/com/netscape/cms/ocsp/DefStore.java | 3 +-- .../cms/src/com/netscape/cms/ocsp/LDAPStore.java| 3 +-- base/util/src/com/netscape/cmsutil/ocsp/CertID.java | 19
Re: [Pki-devel] [PATCH] 278 - handle external certs
Found an error .. lets try again .. Ade On Tue, 2016-03-01 at 17:20 -0500, Ade Lee wrote: > Based on feedback, revamped the internals to make it look much nicer. > > Ade > On Tue, 2016-03-01 at 13:19 -0500, Ade Lee wrote: > > On Mon, 2016-02-29 at 20:36 -0500, John Magne wrote: > > > Review Notes: > > > > > > Looks like good stuff. > > > > > > Just a couple of small picky questions. > > > > > > We can delay the final ACK to after we either decide that the > > > questions > > > are not that important or we decide to make any minor changes. > > > > > > > > > thanks, > > > jack > > > > > > > > > This method: > > > > > > in __init__.py : > > > > > > > > > +def load_external_certs(self, conf_file): > > > +# load external certs data > > > +if os.path.exists(conf_file): > > > +lines = open(conf_file).read().splitlines() > > > +for line in lines: > > > +parts = line.split('=', 1) > > > +name = parts[0] > > > +value = parts[1] > > > +self.external_certs[name] = value > > > +else: > > > +self.external_certs['num_certs'] = 0 > > > + > > > > > > I see if there is no file, the value of num_certs is 0. > > > > > > What about in the loop that reads the file when it does exist? > > > What > > > if it's empty? > > > Also when doing the splitting for the values, do we need some > > > simple > > > sanity checking? > > > > > How about this -- > > > > +def load_external_certs(self, conf_file): > > +# load external certs data > > +if os.path.exists(conf_file) and > > os.stat(conf_file).st_size > > > 0: > > +lines = open(conf_file).read().splitlines() > > +for line in lines: > > +parts = line.split('=', 1) > > if len(parts) != 2: > > // throw some exception > > +name = parts[0] > > +value = parts[1] > > +self.external_certs[name] = value > > +else: > > +self.external_certs['num_certs'] = 0 > > > > +if 'num_certs' not in self.external_certs: > > // throw some exception > > > > > Same Q's for method: def update_external_cert_conf(self, > > > external_path, deployer): > > > > > > > > > def delete_external_cert(self, nickname, token): > > > +match_found = False > > > +num_certs = int(self.external_certs['num_certs']) > > > +if num_certs > 0: > > > +for num in range(0, num_certs): > > > +current_nick = self.external_certs[str(num) + > > > ".nickname"] > > > +current_token = self.external_certs[str(num) + > > > ".token"] > > > +if current_nick == nickname and current_token == > > > token: > > > +del self.external_certs[str(num) + > > > ".nickname"] > > > +del self.external_certs[str(num) + ".token"] > > > +match_found = True > > > +continue > > > +if match_found: > > > +self.external_certs[str(num - 1) + > > > ".nickname"] = current_nick > > > +self.external_certs[str(num - 1) + ".token"] > > > = > > > current_token > > > + > > > +self.external_certs['num_certs'] = num_certs - 1 > > > +self.save_external_cert_data() > > > > > > I may have this wrong, but if you find a match and then continue? > > > Will the "match_found if, ever get executed? > > > > > It will get executed on the next -- and every subsequent value. > > The purpose is to reorder subsequent values. > > > > So lets say we have values 0,1,2,3,4, and we have a match on 1. > > Then > > we will remove 1 and set 2-> 1, 3-> 2, 4->3. So the result will be > > 0,1,2,3 > > > > > Also you could if you wanted pre-calculate those hash indexes > > > into > > > a > > > var and use them. > > > > > yeah - but it doesn't really help as much -- see comment above. > > > > > > Question: Here: > > > > > > nicks = self.import_certs( > > > +instance, cert_file, nickname, token, trust_args) > > > +self.update_instance_config(instance, nicks, token) > > > + > > > +self.print_message('Certificate imported for instance > > > %s.' > > > % > > > + instance_name) > > > > > > Question is is there somewhere in that call chain that throws an > > > exception if something goes wrong? > > > > yes. I'm tested a number of cases where that does happen. The > > exception comes all the way from nss out. > > > > > Just checking to see if those late to lines get called (along > > > with > > > the print, even if there is an error importing certs) ?? > > > > > No they don't. The exceptions cause the code to break out. > > > > > > Method: > > > > > > class InstanceExternalCertDeleteCLI(pki.cli.CLI): > > > > > > Would there be any value in allowing multiple nicknames to be
Re: [Pki-devel] [PATCH] 0054 Lightweight CAs: add audit events
On Wed, Mar 02, 2016 at 10:05:56AM +1000, Fraser Tweedale wrote: > On Mon, Feb 22, 2016 at 02:21:58PM -0500, Ade Lee wrote: > > This patch needs to be rebased. > > > > Tt was possible, however, to review the contents. In general, > > everything looks good. It would be be useful though, to be able to > > distinguish the many failure cases. For instance -- > > > > try { > > ca.modifyAuthority(data.getEnabled(), data.getDescription()); > > +audit(ILogger.SUCCESS, OpDef.OP_MODIFY, > > ca.getAuthorityID().toString(), auditParams); > > return createOKResponse(readAuthorityData(ca)); > > } catch (CATypeException e) { > > +audit(ILogger.FAILURE, OpDef.OP_MODIFY, > > ca.getAuthorityID().toString(), auditParams); > > throw new ForbiddenException(e.toString()); > > } catch (IssuerUnavailableException e) { > > +audit(ILogger.FAILURE, OpDef.OP_MODIFY, > > ca.getAuthorityID().toString(), auditParams); > > throw new ConflictingOperationException(e.toString()); > > } catch (EBaseException e) { > > CMS.debug(e); > > +audit(ILogger.FAILURE, OpDef.OP_MODIFY, > > ca.getAuthorityID().toString(), auditParams); > > throw new PKIException("Error modifying authority: " + > > e.toString()); > > } > > > > It would be nice to be able to determine if the modify failed because of > > permissions or otherwise. > > Can we add the exception error message to the auditParams? > > > > Ade > > > Updated patch attached. The "exception" key is added to the > auditParams map to indicate the exception (if any), rather than > adding a whole new audit message parameter. > > Cheers, > Fraser FRACKed by Ade (Fix, retest -> ACK). Pushed to master (2d7722f2c9b8230e79d258ad7aa1be1e87804518) ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [PATCH] 0054 Lightweight CAs: add audit events
On Mon, Feb 22, 2016 at 02:21:58PM -0500, Ade Lee wrote: > This patch needs to be rebased. > > Tt was possible, however, to review the contents. In general, > everything looks good. It would be be useful though, to be able to > distinguish the many failure cases. For instance -- > > try { > ca.modifyAuthority(data.getEnabled(), data.getDescription()); > +audit(ILogger.SUCCESS, OpDef.OP_MODIFY, > ca.getAuthorityID().toString(), auditParams); > return createOKResponse(readAuthorityData(ca)); > } catch (CATypeException e) { > +audit(ILogger.FAILURE, OpDef.OP_MODIFY, > ca.getAuthorityID().toString(), auditParams); > throw new ForbiddenException(e.toString()); > } catch (IssuerUnavailableException e) { > +audit(ILogger.FAILURE, OpDef.OP_MODIFY, > ca.getAuthorityID().toString(), auditParams); > throw new ConflictingOperationException(e.toString()); > } catch (EBaseException e) { > CMS.debug(e); > +audit(ILogger.FAILURE, OpDef.OP_MODIFY, > ca.getAuthorityID().toString(), auditParams); > throw new PKIException("Error modifying authority: " + > e.toString()); > } > > It would be nice to be able to determine if the modify failed because of > permissions or otherwise. > Can we add the exception error message to the auditParams? > > Ade > Updated patch attached. The "exception" key is added to the auditParams map to indicate the exception (if any), rather than adding a whole new audit message parameter. Cheers, Fraser From 2d7722f2c9b8230e79d258ad7aa1be1e87804518 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 2 Nov 2015 01:43:26 -0500 Subject: [PATCH] Lightweight CAs: add audit events Add audit events for lightweight CA administration. Fixes: https://fedorahosted.org/pki/ticket/1590 --- base/ca/shared/conf/CS.cfg.in | 4 +- .../dogtagpki/server/ca/rest/AuthorityService.java | 72 +++--- .../src/com/netscape/certsrv/common/ScopeDef.java | 3 + base/server/cmsbundle/src/LogMessages.properties | 8 +++ 4 files changed, 64 insertions(+), 23 deletions(-) diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in index 05508f8b289e027cc4e97df3fe584dfbc2290f7e..c679af5b3fd7f1fcda79848f68a9258580457b63 100644 --- a/base/ca/shared/conf/CS.cfg.in +++ b/base/ca/shared/conf/CS.cfg.in @@ -901,11 +901,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY
Re: [Pki-devel] [PATCH] 278 - handle external certs
Based on feedback, revamped the internals to make it look much nicer. Ade On Tue, 2016-03-01 at 13:19 -0500, Ade Lee wrote: > On Mon, 2016-02-29 at 20:36 -0500, John Magne wrote: > > Review Notes: > > > > Looks like good stuff. > > > > Just a couple of small picky questions. > > > > We can delay the final ACK to after we either decide that the > > questions > > are not that important or we decide to make any minor changes. > > > > > > thanks, > > jack > > > > > > This method: > > > > in __init__.py : > > > > > > +def load_external_certs(self, conf_file): > > +# load external certs data > > +if os.path.exists(conf_file): > > +lines = open(conf_file).read().splitlines() > > +for line in lines: > > +parts = line.split('=', 1) > > +name = parts[0] > > +value = parts[1] > > +self.external_certs[name] = value > > +else: > > +self.external_certs['num_certs'] = 0 > > + > > > > I see if there is no file, the value of num_certs is 0. > > > > What about in the loop that reads the file when it does exist? What > > if it's empty? > > Also when doing the splitting for the values, do we need some > > simple > > sanity checking? > > > How about this -- > > +def load_external_certs(self, conf_file): > +# load external certs data > +if os.path.exists(conf_file) and os.stat(conf_file).st_size > > 0: > +lines = open(conf_file).read().splitlines() > +for line in lines: > +parts = line.split('=', 1) > if len(parts) != 2: > // throw some exception > +name = parts[0] > +value = parts[1] > +self.external_certs[name] = value > +else: > +self.external_certs['num_certs'] = 0 > > +if 'num_certs' not in self.external_certs: > // throw some exception > > > Same Q's for method: def update_external_cert_conf(self, > > external_path, deployer): > > > > > > def delete_external_cert(self, nickname, token): > > +match_found = False > > +num_certs = int(self.external_certs['num_certs']) > > +if num_certs > 0: > > +for num in range(0, num_certs): > > +current_nick = self.external_certs[str(num) + > > ".nickname"] > > +current_token = self.external_certs[str(num) + > > ".token"] > > +if current_nick == nickname and current_token == > > token: > > +del self.external_certs[str(num) + > > ".nickname"] > > +del self.external_certs[str(num) + ".token"] > > +match_found = True > > +continue > > +if match_found: > > +self.external_certs[str(num - 1) + > > ".nickname"] = current_nick > > +self.external_certs[str(num - 1) + ".token"] = > > current_token > > + > > +self.external_certs['num_certs'] = num_certs - 1 > > +self.save_external_cert_data() > > > > I may have this wrong, but if you find a match and then continue? > > Will the "match_found if, ever get executed? > > > It will get executed on the next -- and every subsequent value. > The purpose is to reorder subsequent values. > > So lets say we have values 0,1,2,3,4, and we have a match on 1. Then > we will remove 1 and set 2-> 1, 3-> 2, 4->3. So the result will be > 0,1,2,3 > > > Also you could if you wanted pre-calculate those hash indexes into > > a > > var and use them. > > > yeah - but it doesn't really help as much -- see comment above. > > > > Question: Here: > > > > nicks = self.import_certs( > > +instance, cert_file, nickname, token, trust_args) > > +self.update_instance_config(instance, nicks, token) > > + > > +self.print_message('Certificate imported for instance %s.' > > % > > + instance_name) > > > > Question is is there somewhere in that call chain that throws an > > exception if something goes wrong? > > yes. I'm tested a number of cases where that does happen. The > exception comes all the way from nss out. > > > Just checking to see if those late to lines get called (along with > > the print, even if there is an error importing certs) ?? > > > No they don't. The exceptions cause the code to break out. > > > > Method: > > > > class InstanceExternalCertDeleteCLI(pki.cli.CLI): > > > > Would there be any value in allowing multiple nicknames to be > > deleted? > > > perhaps - we can add as a refinement later if needed. > > > Also same at above here: > > > > instance = pki.server.PKIInstance(instance_name) > > +instance.load() > > + > > +self.remove_cert(instance, nickname, token) > > +instance.delete_external_cert(nickname, token) > > + > > +self.print_message('Certificate removed from instance %s.' > > % > >
Re: [Pki-devel] [PATCH] 0056 Fix sphinx build
On 2016-03-01 18:39, Christian Heimes wrote: > Hi, > > this patch fixes Python package lookup for sphinx-builder. Now sphinx > picks up the correct files from the current source directory. Pushed to master in 298e15c16e266d2ca81e62354edb9dc5626c1f72 ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [PATCH] 278 - handle external certs
On Mon, 2016-02-29 at 20:36 -0500, John Magne wrote: > Review Notes: > > Looks like good stuff. > > Just a couple of small picky questions. > > We can delay the final ACK to after we either decide that the > questions > are not that important or we decide to make any minor changes. > > > thanks, > jack > > > This method: > > in __init__.py : > > > +def load_external_certs(self, conf_file): > +# load external certs data > +if os.path.exists(conf_file): > +lines = open(conf_file).read().splitlines() > +for line in lines: > +parts = line.split('=', 1) > +name = parts[0] > +value = parts[1] > +self.external_certs[name] = value > +else: > +self.external_certs['num_certs'] = 0 > + > > I see if there is no file, the value of num_certs is 0. > > What about in the loop that reads the file when it does exist? What > if it's empty? > Also when doing the splitting for the values, do we need some simple > sanity checking? > How about this -- +def load_external_certs(self, conf_file): +# load external certs data +if os.path.exists(conf_file) and os.stat(conf_file).st_size > 0: +lines = open(conf_file).read().splitlines() +for line in lines: +parts = line.split('=', 1) if len(parts) != 2: // throw some exception +name = parts[0] +value = parts[1] +self.external_certs[name] = value +else: +self.external_certs['num_certs'] = 0 +if 'num_certs' not in self.external_certs: // throw some exception > Same Q's for method: def update_external_cert_conf(self, > external_path, deployer): > > > def delete_external_cert(self, nickname, token): > +match_found = False > +num_certs = int(self.external_certs['num_certs']) > +if num_certs > 0: > +for num in range(0, num_certs): > +current_nick = self.external_certs[str(num) + ".nickname"] > +current_token = self.external_certs[str(num) + ".token"] > +if current_nick == nickname and current_token == token: > +del self.external_certs[str(num) + ".nickname"] > +del self.external_certs[str(num) + ".token"] > +match_found = True > +continue > +if match_found: > +self.external_certs[str(num - 1) + ".nickname"] = > current_nick > +self.external_certs[str(num - 1) + ".token"] = > current_token > + > +self.external_certs['num_certs'] = num_certs - 1 > +self.save_external_cert_data() > > I may have this wrong, but if you find a match and then continue? > Will the "match_found if, ever get executed? > It will get executed on the next -- and every subsequent value. The purpose is to reorder subsequent values. So lets say we have values 0,1,2,3,4, and we have a match on 1. Then we will remove 1 and set 2-> 1, 3-> 2, 4->3. So the result will be 0,1,2,3 > Also you could if you wanted pre-calculate those hash indexes into a > var and use them. > yeah - but it doesn't really help as much -- see comment above. > > Question: Here: > > nicks = self.import_certs( > +instance, cert_file, nickname, token, trust_args) > +self.update_instance_config(instance, nicks, token) > + > +self.print_message('Certificate imported for instance %s.' % > + instance_name) > > Question is is there somewhere in that call chain that throws an > exception if something goes wrong? yes. I'm tested a number of cases where that does happen. The exception comes all the way from nss out. > Just checking to see if those late to lines get called (along with > the print, even if there is an error importing certs) ?? > No they don't. The exceptions cause the code to break out. > > Method: > > class InstanceExternalCertDeleteCLI(pki.cli.CLI): > > Would there be any value in allowing multiple nicknames to be > deleted? > perhaps - we can add as a refinement later if needed. > Also same at above here: > > instance = pki.server.PKIInstance(instance_name) > +instance.load() > + > +self.remove_cert(instance, nickname, token) > +instance.delete_external_cert(nickname, token) > + > +self.print_message('Certificate removed from instance %s.' % > + instance_name) > > > Do we get to the end if instance.load does not work? > No we don't. Exceptions propagate up. > > > > > > - Original Message - > From: "Ade Lee" > To: pki-devel@redhat.com > Sent: Monday, February 29, 2016 9:25:30 AM > Subject: [Pki-devel] [PATCH] 278 - handle external certs > > This is to resolve ticket 1742. > > For this ticket, we need a mechanism to import thi
Re: [Pki-devel] [PATCH] 0056 Fix sphinx build
On 03/01/2016 10:39 AM, Christian Heimes wrote: Hi, this patch fixes Python package lookup for sphinx-builder. Now sphinx picks up the correct files from the current source directory. Christian ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel Thanks! Worked like a charm. ACK ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
[Pki-devel] [PATCH] 0056 Fix sphinx build
Hi, this patch fixes Python package lookup for sphinx-builder. Now sphinx picks up the correct files from the current source directory. Christian From 620872288075a9ffeb52d670d7e26543c87c067c Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 1 Mar 2016 11:08:59 +0100 Subject: [PATCH] Use CMAKE_CURRENT_SOURCE_DIR for sphinx-build sphinx-build used wrong search path for pki Python package. This caused builds to fail on some machines. On systems with pki-base installed, sphinx-build picked up the wrong files. --- base/common/python/CMakeLists.txt | 8 ++-- base/common/python/conf.py| 3 ++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/base/common/python/CMakeLists.txt b/base/common/python/CMakeLists.txt index d667421bfb3d42577ee11a21d919a65ff6828633..a164597755e4a48169610fbf81a092c57cc0dd9f 100644 --- a/base/common/python/CMakeLists.txt +++ b/base/common/python/CMakeLists.txt @@ -16,23 +16,27 @@ configure_file( add_custom_target(dogtag_python_client_docs ALL ${SPHINX_EXECUTABLE} -b html --c "${CMAKE_CURRENT_BINARY_DIR}" +-c "${CMAKE_CURRENT_SOURCE_DIR}" -w "${CMAKE_CURRENT_BINARY_DIR}/python-client-lib-html.log" -a -W "${CMAKE_CURRENT_SOURCE_DIR}" "${CMAKE_CURRENT_BINARY_DIR}/html" +WORKING_DIRECTORY +${CMAKE_CURRENT_SOURCE_DIR} COMMENT "Building Python Client Library HTML documentation") add_custom_target(dogtag_python_client_man_docs ALL ${SPHINX_EXECUTABLE} -b man --c "${CMAKE_CURRENT_BINARY_DIR}" +-c "${CMAKE_CURRENT_SOURCE_DIR}" -w "${CMAKE_CURRENT_BINARY_DIR}/python-client-lib-man.log" -a -W "${CMAKE_CURRENT_SOURCE_DIR}" "${CMAKE_CURRENT_BINARY_DIR}/man" +WORKING_DIRECTORY +${CMAKE_CURRENT_SOURCE_DIR} COMMENT "Building Python Client Library manual pages") install( diff --git a/base/common/python/conf.py b/base/common/python/conf.py index 3e548147ea9b3c3928100e0f2dd0623a9bd68c02..f996c6371cbd545ae5fc9cc3e12cab0977d56cdb 100644 --- a/base/common/python/conf.py +++ b/base/common/python/conf.py @@ -19,7 +19,8 @@ import sphinx # If extensions (or modules to document with autodoc) are in another directory, # add these directories to sys.path here. If the directory is relative to the # documentation root, use os.path.abspath to make it absolute, like shown here. -sys.path.insert(0, os.path.abspath('pki')) +sys.path.insert(0, os.path.dirname(os.path.abspath(__file__))) + # -- General configuration --- -- 2.5.0 signature.asc Description: OpenPGP digital signature ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [PATCH] 281 - separate pki-base into python and java components
Thanks. Fixed. pushed to master. To ssh://vakw...@git.fedorahosted.org/git/pki.git 11f8fbb..49e4fff master -> master On Tue, 2016-03-01 at 12:44 +0100, Christian Heimes wrote: > On 2016-03-01 06:53, Ade Lee wrote: > > In this patch, I move all java components (and requirements) for > > pki-base to a new package pki-base-java. > > > > This makes the footprint much smaller for dogtag python clients - > > like openstack for instance. > > Shouldn't pki-base-java depend on pki-base, too? > > %package -n pki-base-java > ... > Requires: pki-base = %{version}-%{release} > > Christian > ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [PATCH] 281 - separate pki-base into python and java components
On 2016-03-01 06:53, Ade Lee wrote: > In this patch, I move all java components (and requirements) for > pki-base to a new package pki-base-java. > > This makes the footprint much smaller for dogtag python clients - > like openstack for instance. Shouldn't pki-base-java depend on pki-base, too? %package -n pki-base-java ... Requires: pki-base = %{version}-%{release} Christian signature.asc Description: OpenPGP digital signature ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel