[Pki-devel] [PATCH] 0104 Lightweight CAs: fix bad import in key retriever script

2016-05-08 Thread Fraser Tweedale
Attached patch fixes a typo in the LWCA key retrieval Python helper
script.

Pushed to master (e75be5dcbce6aecf08ea7ff0b027222d0b6bbd4f) under
one-liner rule.

Cheers,
Fraser
From e75be5dcbce6aecf08ea7ff0b027222d0b6bbd4f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 3 May 2016 16:24:16 +1000
Subject: [PATCH] Lightweight CAs: fix bad import in key retriever script

Part of: https://fedorahosted.org/pki/ticket/1625
---
 base/server/libexec/pki-ipa-retrieve-key | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/server/libexec/pki-ipa-retrieve-key 
b/base/server/libexec/pki-ipa-retrieve-key
index 
8098e534e54670c3a5d8776fe934f1f13037b373..301f818b859577ef1a861bc7a855b6103a6f3af8
 100755
--- a/base/server/libexec/pki-ipa-retrieve-key
+++ b/base/server/libexec/pki-ipa-retrieve-key
@@ -9,7 +9,7 @@ import sys
 
 from jwcrypto.common import json_decode
 
-from ipalib.constants import constants
+from ipalib import constants
 from ipaplatform.paths import paths
 from ipapython.secrets.client import CustodiaClient
 
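Review bot: The corrected line `from ipalib import constants` replaces an import that would have failed as soon as the script was loaded, which suggests nothing in the test suite runs or imports pki-ipa-retrieve-key. Consider adding a smoke test that at least loads the script, so a bad import in this helper is caught before it is pushed.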
-- 
2.5.5

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] 0103 Reject cert request if resultant subject DN is invalid

2016-05-08 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2317.
It will result in better error messages and help users to diagnose
bad profile configurations (especially with IPA).

Thanks,
Fraser
From ff7ff61c6cc97f695f3db2058bf3639014278299 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 9 May 2016 12:57:32 +1000
Subject: [PATCH] Reject cert request if resultant subject DN is invalid

An unparseable subject DN is ignored, causing NPE in subsequent
processing because the subject DN was not set.  Throw
ERejectException if the subject DN is invalid, to ensure that a
useful response can be returned to the requestor.

Fixes: https://fedorahosted.org/pki/ticket/2317
---
 .../com/netscape/certsrv/profile/ERejectException.java   |  8 
 .../com/netscape/cms/profile/def/SubjectNameDefault.java | 16 ++--
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/profile/ERejectException.java 
b/base/common/src/com/netscape/certsrv/profile/ERejectException.java
index 
cceeb12ab8354b05dec0d0212d7a0f04de9e6184..1ada1c4ebca50ed79a443e2e47b3251a7303ff37
 100644
--- a/base/common/src/com/netscape/certsrv/profile/ERejectException.java
+++ b/base/common/src/com/netscape/certsrv/profile/ERejectException.java
@@ -43,4 +43,12 @@ public class ERejectException extends EProfileException {
 public ERejectException(String msg) {
 super(msg);
 }
+
+public ERejectException(String msg, Throwable cause) {
+super(msg, cause);
+}
+
+public ERejectException(Throwable cause) {
+super(cause.getMessage(), cause);
+}
 }
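Review bot: In the new `ERejectException(Throwable cause)` constructor, `cause.getMessage()` throws a NullPointerException when `cause` is null and yields a null message when the cause carries none, so the requestor could receive a rejection with no text. Guard it, for example `super(cause == null ? null : cause.getMessage(), cause)`, or fall back to `cause.toString()`. Both new constructors would also benefit from a short Javadoc comment.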
diff --git 
a/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java 
b/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
index 
31aee6dd6d9299438fb62493f61879f9a01dd9ed..629f4bcc10869518ff890a96fa6657565df00abe
 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
@@ -27,6 +27,7 @@ import netscape.security.x509.X509CertInfo;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.ERejectException;
 import com.netscape.certsrv.profile.IProfile;
 import com.netscape.certsrv.property.Descriptor;
 import com.netscape.certsrv.property.EPropertyException;
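Review bot: Check whether `java.io.IOException` is still needed in SubjectNameDefault.java: the import list here gains `ERejectException` and this hunk removes no import, but the next hunk deletes the `catch (IOException e)` block. If nothing else in the file uses it, drop that import in this patch.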
@@ -166,19 +167,14 @@ public class SubjectNameDefault extends EnrollDefault {
 return;
 try {
 name = new X500Name(subjectName);
-} catch (IOException e) {
-// failed to build x500 name
-CMS.debug("SubjectNameDefault: populate " + e.toString());
-}
-if (name == null) {
-// failed to build x500 name
-}
-try {
 info.set(X509CertInfo.SUBJECT,
 new CertificateSubjectName(name));
 } catch (Exception e) {
-// failed to insert subject name
-CMS.debug("SubjectNameDefault: populate " + e.toString());
+CMS.debug("SubjectNameDefault: failed to populate: " + e);
+throw new ERejectException(CMS.getUserMessage(
+getLocale(request),
+"CMS_PROFILE_INVALID_SUBJECT_NAME",
+subjectName), e);
 }
 }
 }
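Review bot: The merged `try` block now ends in `catch (Exception e)`, so a failure in `info.set(X509CertInfo.SUBJECT, ...)` is reported to the requestor as `CMS_PROFILE_INVALID_SUBJECT_NAME`, exactly like a parse failure in `new X500Name(subjectName)`. Consider keeping the `IOException` from the `X500Name` constructor as the only path that raises the invalid-subject rejection and handling a failed `info.set` separately, so the message stays accurate. The debug line `"SubjectNameDefault: failed to populate: " + e` also records only the exception's string form; logging the stack trace would help when diagnosing a bad profile configuration.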
-- 
2.5.5


Re: [Pki-devel] [PATCH] 0101 Lightweight CAs: accept "host-authority" as valid parent

2016-05-08 Thread Fraser Tweedale
On Fri, May 06, 2016 at 09:31:07PM -0500, Endi Sukma Dewata wrote:
> On 5/5/2016 1:54 AM, Fraser Tweedale wrote:
> >The attached patch allows "host-authority" to be used as valid
> >reference to the host authority when creating a LWCA.  It makes life
> >easier for me on the FreeIPA side :)
> >
> >Cheers,
> >Fraser
> 
> ACK. Just one thing, could you chain the original exception to
> BadRequestException?
> 
Thanks; made the change and pushed to master
(bdd9ceca09d570f9ac976bed6bc980e6527d92b5)



Re: [Pki-devel] [PATCH] 0102 Lightweight CAs: allow specifying authority via ProfileSubmitServlet

2016-05-08 Thread Fraser Tweedale
On Fri, May 06, 2016 at 09:31:24PM -0500, Endi Sukma Dewata wrote:
> On 5/6/2016 1:09 AM, Fraser Tweedale wrote:
> >Attached patch does what it says on the tin ;)
> >
> >Cheers, and have a good weekend y'all.
> >Fraser
> 
> ACK. Same thing, could you chain the original exception to
> BadRequestDataException?
> 
Thanks; made the change and pushed to master
(ba6c1318711cda4adb9cdb0bdf969bc5ef590bd6)
