Re: [Pki-devel] [PATCH] pki-cfu-0122-Ticket-1527-reopened-retrieved-wrong-ca-connector-co.patch

2016-05-17 Thread John Magne


Looks good.

If tested to work, conditional ACK.

Just one thing: when throwing a TPSException at the end of the patch,
please give it the error code TPSStatus.STATUS_ERROR_CONTACT_ADMIN.

- Original Message -
> From: "Christina Fu" 
> To: "pki-devel" 
> Sent: Tuesday, May 17, 2016 6:13:01 PM
> Subject: [Pki-devel] [PATCH] 
> pki-cfu-0122-Ticket-1527-reopened-retrieved-wrong-ca-connector-co.patch
> 
> Ticket #1527 (reopened) retrieved wrong ca connector config parameter
>  This ticket was reopened due to retrieving wrong ca connector
> config param under the situation when format is performed during enrollment.
>  The following is attempted:
>  op.enroll.userKey.ca.conn
>  while the following is intended:
>  op.format.userKey.ca.conn
>  In addition, this patch also fixes the following issues:
>  a. reason param name is not conforming: "reason" instead of
> "revokeReason"
>  b. adding default reason to format TPS profiles
>  c. by default mappingResolver.formatProfileMappingResolver resolves
> to tokenKey, while enroll resolves to userKey.
> -> now changed to userKey
>  d. if revocation fails during format, it was forgiving.
> -> now changed so that error is logged in activity log and exception
> thrown and bail out
> 
> Tested to work.
> 
> thanks,
> Christina
> 
> ___
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel


[Pki-devel] [PATCH] pki-cfu-0122-Ticket-1527-reopened-retrieved-wrong-ca-connector-co.patch

2016-05-17 Thread Christina Fu

Ticket #1527 (reopened) retrieved wrong ca connector config parameter
This ticket was reopened due to retrieving wrong ca connector 
config param under the situation when format is performed during enrollment.

The following is attempted:
op.enroll.userKey.ca.conn
while the following is intended:
op.format.userKey.ca.conn
In addition, this patch also fixes the following issues:
a. reason param name is not conforming: "reason" instead of
"revokeReason"

b. adding default reason to format TPS profiles
c. by default mappingResolver.formatProfileMappingResolver resolves
   to tokenKey, while enroll resolves to userKey.
   -> now changed to userKey
d. if revocation fails during format, it was forgiving.
   -> now changed so that error is logged in activity log and exception
   thrown and bail out

Tested to work.

thanks,
Christina
From 81a475e7a8fe0ff086047bf3295abea253a7e394 Mon Sep 17 00:00:00 2001
From: Christina Fu 
Date: Tue, 17 May 2016 17:57:11 -0700
Subject: [PATCH] Ticket #1527 (reopened) retrieved wrong ca connector config parameter

This ticket was reopened due to retrieving wrong ca connector config param.
The following is attempted: op.enroll.userKey.ca.conn
while the following is intended: op.format.userKey.ca.conn
In addition, this patch also fixes the following issues:
a. reason param name is not conforming: "reason" instead of "revokeReason"
b. adding default reason to format TPS profiles
c. by default mappingResolver.formatProfileMappingResolver resolves to
   tokenKey, while enroll resolves to userKey. -> now changed to userKey
d. if revocation fails during format, it was forgiving. -> now changed so
   that error is logged in activity log and exception thrown and bail out

---
 base/tps/shared/conf/CS.cfg| 12 +++-
 .../org/dogtagpki/server/tps/processor/TPSProcessor.java   | 14 --
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index 638787d225ca819f051ad999ca92c75c9d51cb88..90d1747dd4617b097e11207f8c10e0bbd8c5ccee 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -428,6 +428,7 @@ op.format.delegateIEtoken.issuerinfo.enable=true
 op.format.delegateIEtoken.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
 op.format.delegateIEtoken.loginRequest.enable=true
 op.format.delegateIEtoken.revokeCert=false
+op.format.delegateIEtoken.revokeCert.reason=0
 op.format.delegateIEtoken.tks.conn=tks1
 op.format.delegateIEtoken.update.applet.directory=/usr/share/pki/tps/applets
 op.format.delegateIEtoken.update.applet.emptyToken.enable=true
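Review bot: the new `op.format.delegateIEtoken.revokeCert.reason=0` key is inserted directly under `op.format.delegateIEtoken.revokeCert=false`, so for this profile (and the delegateISEtoken and externalRegAddToToken profiles below, which also have `revokeCert=false`) the reason is inert until an administrator enables revocation. That is a reasonable default, but a short comment in CS.cfg, or at least in the ticket, stating that the value is the numeric CRLReason (0 = unspecified) and is only consulted when `revokeCert=true` would save the next reader from wondering why a reason is configured for a profile that does not revoke.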
@@ -686,6 +687,7 @@ op.format.delegateISEtoken.issuerinfo.enable=true
 op.format.delegateISEtoken.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
 op.format.delegateISEtoken.loginRequest.enable=true
 op.format.delegateISEtoken.revokeCert=false
+op.format.delegateISEtoken.revokeCert.reason=0
 op.format.delegateISEtoken.tks.conn=tks1
 op.format.delegateISEtoken.update.applet.directory=/usr/share/pki/tps/applets
 op.format.delegateISEtoken.update.applet.emptyToken.enable=true
@@ -770,6 +772,7 @@ op.format.externalRegAddToToken.update.applet.requiredVersion=1.4.54de790f
 op.format.externalRegAddToToken.update.symmetricKeys.enable=false
 op.format.externalRegAddToToken.update.symmetricKeys.requiredVersion=1
 op.format.externalRegAddToToken.revokeCert=false
+op.format.externalRegAddToToken.revokeCert.reason=0
 op.enroll.allowUnknownToken=true
 op.enroll.mappingResolver=enrollProfileMappingResolver
 op.enroll.soKey.cuidMustMatchKDD=false
@@ -1392,6 +1395,7 @@ op.format.cleanToken.issuerinfo.enable=true
 op.format.cleanToken.issuerinfo.value=
 op.format.cleanToken.loginRequest.enable=true
 op.format.cleanToken.revokeCert=true
+op.format.cleanToken.revokeCert.reason=0
 op.format.cleanToken.tks.conn=tks1
 op.format.cleanToken.update.applet.directory=[TPS_DIR]/applets
 op.format.cleanToken.update.applet.emptyToken.enable=true
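Review bot: unlike the delegate profiles above, `op.format.cleanToken` has `revokeCert=true`, so `revokeCert.reason=0` is what will actually be sent to the CA on every format of this profile (likewise soCleanSOToken and soCleanUserToken in the next two hunks), and per item (d) in the description a failed revocation now aborts the format instead of being forgiven. Reason 0 (unspecified) is the safest default, but since a token being formatted is normally being retired or reissued, deployments may prefer CRLReason 4 (superseded) or 5 (cessationOfOperation); please document that the value is the numeric CRLReason so administrators know the key accepts those values.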
@@ -1413,6 +1417,7 @@ op.format.soCleanSOToken.issuerinfo.enable=true
 op.format.soCleanSOToken.issuerinfo.value=
 op.format.soCleanSOToken.loginRequest.enable=false
 op.format.soCleanSOToken.revokeCert=true
+op.format.soCleanSOToken.revokeCert.reason=0
 op.format.soCleanSOToken.tks.conn=tks1
 op.format.soCleanSOToken.update.applet.directory=[TPS_DIR]/applets
 op.format.soCleanSOToken.update.applet.emptyToken.enable=true
@@ -1434,6 +1439,7 @@ op.format.soCleanUserToken.issuerinfo.enable=true
 op.format.soCleanUserToken.issuerinfo.value=
 op.format.soCleanUserToken.loginRequest.enable=false
 op.format.soCleanUserToken.revokeCert=true
+op.format.soCleanUserToken.revokeCert.reason=0
 op.format.soCleanUserToken.tks.conn=tks1
 op.format.soCleanUserToken.update.applet.directory=[TPS_DIR]/applets
 op.format.soCleanUserToken.update.applet.emptyToken.enable=true
@@ -1455,6 +1461,7 @@ op
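Review bot: the diffstat lists 14 changed lines in TPSProcessor.java, but that hunk is not present in the archived copy of the patch, so the six CS.cfg additions cannot be cross-checked against the key name the Java side reads. Two things to confirm in that code: that the config key it reads is exactly `<profile>.revokeCert.reason` as added here, and that a custom format profile created later without this key falls back to reason 0 rather than failing the format, now that a revocation error is fatal.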

[Pki-devel] Updated External EPEL CentOS 7 COPR builds are now available . . .

2016-05-17 Thread Matthew Harmsen

An updated external EPEL CentOS 7 COPR repo is now available which
contains Dogtag 10.3.1 builds:

 * https://copr.fedorainfracloud.org/coprs/g/pki/10.3.1/repo/epel-7/group_pki-10.3.1-epel-7.repo

   [group_pki-10.3.1]
   name=Copr repo for 10.3.1 owned by @pki
   baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.1/epel-7-$basearch/
   skip_if_unavailable=True
   gpgcheck=1
   gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.1/pubkey.gpg
   enabled=1
   enabled_metadata=1

-- Matt


[Pki-devel] Karma Request for Dogtag 10.3.1 on Fedora 24

2016-05-17 Thread Matthew Harmsen
The following candidate builds of Dogtag 10.3.1 for Fedora 24 (final) 
consist of the following:


 * dogtag-pki-theme-10.3.1-1.fc24
 * dogtag-pki-10.3.1-1.fc24
 * pki-core-10.3.1-1.fc24
 * pki-console-10.3.1-1.fc24

Please provide Karma for these builds in Bodhi located at:

 * dogtag-pki-theme-10.3.1-1.fc24
 * dogtag-pki-10.3.1-1.fc24
 * pki-core-10.3.1-1.fc24
 * pki-console-10.3.1-1.fc24

Additionally, the following builds have been provided for Fedora 25 
(rawhide):


 * dogtag-pki-theme-10.3.1-1.fc25
 * dogtag-pki-10.3.1-1.fc25
 * pki-core-10.3.1-1.fc25
 * pki-console-10.3.1-1.fc25

Thanks,
-- Matt


[Pki-devel] [PATCH] 0113..0114 Lightweight CAs: renewal support

2016-05-17 Thread Fraser Tweedale
Attached patches implement LWCA renewal support
(https://fedorahosted.org/pki/ticket/2327).

It includes REST API

POST /ca/rest/authorities//renew

But not implemented in CLI tool yet.  If we decide to make it a
first-class CLI feature (cf certmonger, IPA, etc managing the
renewal) then I'll file the ticket and implement it at that time.

Cheers,
Fraser
From 61a91278466ffbbe695a008833dc800ab10eea59 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 17 May 2016 12:44:03 +1000
Subject: [PATCH 113/114] Lightweight CAs: renew certs with same issuer

When renewing a certificate, propagate the Authority ID from the
original request to the new request, to ensure that the new
certificate is issued by the same issuer as the original.

Part of: https://fedorahosted.org/pki/ticket/2327
---
 .../cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java| 7 +++
 1 file changed, 7 insertions(+)

diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java 
b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
index 
87291a08bf915838c0347287f962bd4a6f591e96..1e4e02c9e3503ed543ff4a0a1da6c8e85c17bf3d
 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
@@ -159,6 +159,9 @@ public class RenewalProcessor extends CertProcessor {
 String profileId = origReq.getExtDataInString("profileId");
 CMS.debug("RenewalSubmitter: renewal original profileId=" + 
profileId);
 
+String aidString = origReq.getExtDataInString(
+IEnrollProfile.REQUEST_AUTHORITY_ID);
+
 Integer origSeqNum = 
origReq.getExtDataInInteger(IEnrollProfile.REQUEST_SEQ_NUM);
 IProfile profile = ps.getProfile(profileId);
 if (profile == null) {
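Review bot: the `CMS.debug` line just above logs the original profileId but not the newly read `aidString`; since the point of this change is to pin the renewal to the original issuer, logging the authority ID here (and explicitly noting when it is null) would let an operator see from the debug log which CA a renewal was routed to. Reading `REQUEST_AUTHORITY_ID` with `getExtDataInString` mirrors how `REQUEST_SEQ_NUM` is read two lines below, so no new import is needed.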
@@ -171,6 +174,10 @@ public class RenewalProcessor extends CertProcessor {
 }
 
 IProfileContext ctx = profile.createContext();
+
+if (aidString != null)
+ctx.set(IEnrollProfile.REQUEST_AUTHORITY_ID, aidString);
+
 IProfileAuthenticator authenticator = 
renewProfile.getAuthenticator();
 IProfileAuthenticator origAuthenticator = 
profile.getAuthenticator();
 
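Review bot: `if (aidString != null) ctx.set(...)` has no braces and no else branch, so a request whose original carries no authority ID silently falls through to whatever issuer the renewal profile selects by default; that is presumably intended for requests that predate lightweight CAs, but it deserves a comment, and braces would match the surrounding style. Separately, if the original authority has been deleted since issuance the downstream lookup will raise CANotFoundException; patch 0112 on this list maps that to 410 Gone in CertRequestService, so it is worth confirming the renewal path through RenewalProcessor gets the same treatment rather than a 500.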
-- 
2.5.5

From 77619d8891d9eec9b9d009d903b8118a134be23b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Fri, 13 May 2016 09:00:44 +1000
Subject: [PATCH 114/114] Lightweight CAs: add method to renew certificate

Add the CertificateAuthority.renewAuthority() method that creates
and processes a renewal request for the lightweight CA's signing
cert.  The new certificate replaces the old certificate in the NSSDB
and the serial number is stored in the 'authoritySerial' attribute.

Clones observe when the 'authoritySerial' attribute has changed and
update the certificate in their NSSDB, too.

The renewal behaviour is available in the REST API as a POST to
/ca/rest/authorities//renew.

Fixes: https://fedorahosted.org/pki/ticket/2327
---
 .../src/com/netscape/ca/CertificateAuthority.java  | 119 -
 .../dogtagpki/server/ca/rest/AuthorityService.java |  34 ++
 .../certsrv/authority/AuthorityResource.java   |   7 ++
 .../netscape/certsrv/ca/ICertificateAuthority.java |   6 ++
 .../cms/servlet/cert/RenewalProcessor.java |  15 ++-
 5 files changed, 175 insertions(+), 6 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java 
b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 
8ef6fd4b6dc97b9108f470a38f45eec864f24015..62bfe4de13564983d7e820c6d1dc6a4015431322
 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -120,6 +120,7 @@ import com.netscape.certsrv.security.ISigningUnit;
 import com.netscape.certsrv.util.IStatsSubsystem;
 import com.netscape.cms.servlet.cert.CertEnrollmentRequestFactory;
 import com.netscape.cms.servlet.cert.EnrollmentProcessor;
+import com.netscape.cms.servlet.cert.RenewalProcessor;
 import com.netscape.cms.servlet.processors.CAProcessor;
 import com.netscape.cmscore.base.ArgBlock;
 import com.netscape.cmscore.dbs.CRLRepository;
@@ -207,6 +208,7 @@ public class CertificateAuthority
 protected CertificateAuthority hostCA = null;
 protected AuthorityID authorityID = null;
 protected AuthorityID authorityParentID = null;
+protected BigInteger authoritySerial = null;
 protected String authorityDescription = null;
 protected Collection authorityKeyHosts = null;
 protected boolean authorityEnabled = true;
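Review bot: `authoritySerial` is a new mutable `protected` field on a long-lived object, and the commit message says clones replace the certificate in their NSSDB when the 'authoritySerial' attribute changes; the field write and the NSSDB replacement it drives should happen under the same lock or on the same thread as the other `authority*` fields, otherwise a clone that observes the attribute mid-renewal could read a serial for a certificate it has not imported yet. A comment on the field saying who writes it (renewal on the host, the monitor on clones) would help.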
@@ -343,6 +345,7 @@ public class CertificateAuthority
 X500Name dn,
 AuthorityID aid,
 AuthorityID parentAID,
+BigInteger serial,
 String signingKeyNickname,
 Collection authorityKeyHosts,
 String authorityDescription,
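Review bot: the constructor gains a positional `BigInteger serial` parameter between `parentAID` and `signingKeyNickname`; the compiler will flag missed call sites since the neighbouring types differ, but a caller that passes `null` (an existing authority entry with no 'authoritySerial' yet) needs to be handled wherever the value is consumed, since the hunk shows the field defaults to null. Please confirm every `new CertificateAuthority(...)` call across the 5 touched files supplies the serial in the right position.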
@@ -357,6 +360,7 @@ public class CertificateAuthori

[Pki-devel] [PATCH] 0112 Return 410 Gone if target CA of request has been deleted

2016-05-17 Thread Fraser Tweedale
Hi all,
attached patch fixes https://fedorahosted.org/pki/ticket/2332

Cheers,
Fraser
From baf904216848a5d775948853764d2657ea6405e9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 17 May 2016 14:47:11 +1000
Subject: [PATCH] Return 410 Gone if target CA of request has been deleted

When processing a request whose target CA has been deleted in
between request submission and request approval, the server does not
handle the CANotFoundException, resulting in response status 500.

Catch the CANotFoundException and respond with status 410 Gone.

Fixes: https://fedorahosted.org/pki/ticket/2332
---
 base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java 
b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
index 
80aaf6f7899d92675c15c6f944b7a3a491784145..d154e8eec31c3c74883e606d95eaa2094f36ff2f
 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
@@ -41,6 +41,7 @@ import com.netscape.certsrv.base.BadRequestDataException;
 import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.ConflictingOperationException;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.HTTPGoneException;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.ResourceNotFoundException;
 import com.netscape.certsrv.base.ServiceUnavailableException;
@@ -49,6 +50,7 @@ import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CADisabledException;
 import com.netscape.certsrv.ca.CAMissingCertException;
 import com.netscape.certsrv.ca.CAMissingKeyException;
+import com.netscape.certsrv.ca.CANotFoundException;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.cert.CertRequestInfo;
@@ -252,6 +254,11 @@ public class CertRequestService extends PKIService 
implements CertRequestResourc
 } catch (BadRequestDataException e) {
 CMS.debug("changeRequestState: bad request data: " + e);
 throw new BadRequestException(e.toString());
+} catch (CANotFoundException e) {
+// The target CA does not exist (deleted between
+// request submission and approval).
+CMS.debug("changeRequestState: CA not found: " + e);
+throw new HTTPGoneException(e.toString());
 } catch (CADisabledException e) {
 CMS.debug("changeRequestState: CA disabled: " + e);
 throw new ConflictingOperationException(e.toString());
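Review bot: the new catch block passes `e.toString()` straight into the 410 response body, which for CANotFoundException will typically include the authority ID and the exception class name; that matches the neighbouring BadRequestDataException and CADisabledException handlers, but a fixed message such as "target CA has been deleted" would avoid echoing internal detail to the client. The status choice is right: 410 Gone fits a CA that existed at submission and was deleted before approval, where 404 would suggest it never existed, and placing the catch before CADisabledException keeps the two distinct CA states from collapsing into one response.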
-- 
2.5.5
