[Pki-devel] [PATCH] 0127 Fix build on Fedora 25

2016-06-27 Thread Fraser Tweedale
The attached patch fixes build on Fedora 25 (JAX-RS API JAR had
moved).  It also removes a bunch of redundant find_file directives.
This can probably be done for many other JARs but I've kept it to
just the one for now.

No urgency to get this in.

Cheers,
Fraser
From c818adaac1da2b43b42e199dc288d2c3b6a79bcc Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 28 Jun 2016 15:50:36 +1000
Subject: [PATCH] Fix build on Fedora 25

Look for the right JAX-RS API JAR (it has moved in Fedora 25).

Also remove a lot of redundant 'find_file' operations for this JAR.
---
 base/CMakeLists.txt| 10 ++
 base/ca/src/CMakeLists.txt |  7 ---
 base/common/src/CMakeLists.txt |  7 ---
 base/java-tools/src/CMakeLists.txt |  7 ---
 base/kra/src/CMakeLists.txt|  7 ---
 base/ocsp/src/CMakeLists.txt   |  7 ---
 base/server/cms/src/CMakeLists.txt |  7 ---
 base/server/cmscore/src/CMakeLists.txt |  7 ---
 base/server/tomcat/src/CMakeLists.txt  |  7 ---
 base/server/tomcat7/src/CMakeLists.txt |  7 ---
 base/server/tomcat8/src/CMakeLists.txt |  7 ---
 base/tks/src/CMakeLists.txt|  7 ---
 base/tps/src/CMakeLists.txt| 14 --
 13 files changed, 10 insertions(+), 91 deletions(-)

diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt
index 
b9d5c7bac81ef9dfde2b32fb2127a946bc38a94b..bb156ba48c008ec12fb52f4f35fbb853d9b0fff5
 100644
--- a/base/CMakeLists.txt
+++ b/base/CMakeLists.txt
@@ -2,6 +2,16 @@ project(base)
 
 # The order is important!
 if (APPLICATION_FLAVOR_PKI_CORE)
+
+find_file(JAXRS_API_JAR
+NAMES
+jaxrs-api.jar
+jboss-jaxrs-2.0-api.jar
+PATHS
+${RESTEASY_LIB}
+/usr/share/java
+)
+
 add_subdirectory(test)
 add_subdirectory(symkey)
 add_subdirectory(util)
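Review bot: the new lookup has no not-found guard and sits inside the `if (APPLICATION_FLAVOR_PKI_CORE)` branch; since the per-directory find_file blocks are being removed (the diffstat lists base/tps/src/CMakeLists.txt with 14 deletions), confirm that every subdirectory consuming JAXRS_API_JAR is only added under that same branch, otherwise the variable is undefined there. Adding `if (NOT JAXRS_API_JAR) message(FATAL_ERROR "JAX-RS API JAR not found") endif()` right after the find_file makes a missing JAR fail at configure time with a clear message instead of later with a javac classpath error.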
diff --git a/base/ca/src/CMakeLists.txt b/base/ca/src/CMakeLists.txt
index 
2a43c8dbb4f88c22df244bb752ea963b2f0d646c..854ce28a25f729181a5009af13fde5bf0b4c013f
 100644
--- a/base/ca/src/CMakeLists.txt
+++ b/base/ca/src/CMakeLists.txt
@@ -52,13 +52,6 @@ find_file(JACKSON_MAPPER_JAR
 /usr/share/java/jackson
 )
 
-find_file(JAXRS_API_JAR
-NAMES
-jaxrs-api.jar
-PATHS
-${RESTEASY_LIB}
-)
-
 find_file(RESTEASY_JAXRS_JAR
 NAMES
 resteasy-jaxrs.jar
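Review bot: the removed block searched only ${RESTEASY_LIB}, while the replacement in base/CMakeLists.txt also searches /usr/share/java and accepts jboss-jaxrs-2.0-api.jar; because find_file caches its result, a JAXRS_API_JAR entry left by an earlier configure run in the same build directory will keep pointing at the old path, so the commit message should say that a fresh build directory (or `cmake -U JAXRS_API_JAR`) is needed. The identical removals in the common, java-tools, kra, ocsp and cms hunks below carry the same dependency on the parent-scope variable.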
diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
index 
072bd00307f6f299679c107836b2163ed0ff4b7c..ee41b2f47bdab9495c69167a6467cdc6471d86e3
 100644
--- a/base/common/src/CMakeLists.txt
+++ b/base/common/src/CMakeLists.txt
@@ -83,13 +83,6 @@ find_file(XERCES_JAR
 /usr/share/java
 )
 
-find_file(JAXRS_API_JAR
-NAMES
-jaxrs-api.jar
-PATHS
-${RESTEASY_LIB}
-)
-
 find_file(RESTEASY_JAXRS_JAR
 NAMES
 resteasy-jaxrs.jar
diff --git a/base/java-tools/src/CMakeLists.txt 
b/base/java-tools/src/CMakeLists.txt
index 
9a3c72fa2a7f1c631bc91f5af1e73536904a42b2..e7ca5db627cb3e398c4220029d2a78ade45c1d60
 100644
--- a/base/java-tools/src/CMakeLists.txt
+++ b/base/java-tools/src/CMakeLists.txt
@@ -60,13 +60,6 @@ find_file(XERCES_JAR
 /usr/share/java
 )
 
-find_file(JAXRS_API_JAR
-NAMES
-jaxrs-api.jar
-PATHS
-${RESTEASY_LIB}
-)
-
 find_file(RESTEASY_JAXRS_JAR
 NAMES
 resteasy-jaxrs.jar
diff --git a/base/kra/src/CMakeLists.txt b/base/kra/src/CMakeLists.txt
index 
bfc8cdddaf150a4030e9c48ddebf8e8e828018a6..400ec016fe22ea156ea94bbe124ecd5eb8bc684c
 100644
--- a/base/kra/src/CMakeLists.txt
+++ b/base/kra/src/CMakeLists.txt
@@ -61,13 +61,6 @@ find_file(COMMONS_CODEC_JAR
 /usr/share/java
 )
 
-find_file(JAXRS_API_JAR
-NAMES
-jaxrs-api.jar
-PATHS
-${RESTEASY_LIB}
-)
-
 find_file(RESTEASY_JAXRS_JAR
 NAMES
 resteasy-jaxrs.jar
diff --git a/base/ocsp/src/CMakeLists.txt b/base/ocsp/src/CMakeLists.txt
index 
d4a2009a9b390d5401a338c0b86559d0d3adac51..32fcc92dba9cf0f877af8970890df033de1d2375
 100644
--- a/base/ocsp/src/CMakeLists.txt
+++ b/base/ocsp/src/CMakeLists.txt
@@ -46,13 +46,6 @@ find_file(LDAPJDK_JAR
 /usr/share/java
 )
 
-find_file(JAXRS_API_JAR
-NAMES
-jaxrs-api.jar
-PATHS
-${RESTEASY_LIB}
-)
-
 # '${JAVA_LIB_INSTALL_DIR}' jars
 find_file(JSS_JAR
 NAMES
diff --git a/base/server/cms/src/CMakeLists.txt 
b/base/server/cms/src/CMakeLists.txt
index 
33b1cd3baf8d321c7f1a2f50e5f3e8360c515695..93f4a8a4a275cc4997da1b9c031b830eee3190b3
 100644
--- a/base/server/cms/src/CMakeLists.txt
+++ b/base/server/cms/src/CMakeLists.txt
@@ -90,13 +90,6 @@ find_file(XERCES_JAR
 /usr/share/java
 )
 
-find_file(JAXRS_API_JAR
-NAMES
-jaxrs-api.jar
-PATHS
-${RESTEASY_LIB}
-)
-
 find_file(RESTEASY_JAXRS_JAR
 NAMES
 resteasy-jaxrs.jar
diff --git a/base/server/cmscore/src/CMakeLists.txt 
b/base/server/cmscore/src/CMakeLists.txt
index 
ef12938652250b98187e1e8157d12df902179ade..32e4351c

[Pki-devel] [PATCH] 0126 Respond 400 if lightweight CA cert issuance fails

2016-06-27 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2388.
Wanted for 10.3.4.

Thanks,
Fraser
From 3ad777d8009f025f1aac1159910dd0a4d327bd13 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sat, 25 Jun 2016 00:14:11 +0200
Subject: [PATCH] Respond 400 if lightweight CA cert issuance fails

If certificate issuance fails during lightweight CA creation (e.g.
due to a profile constraint violation such as Subject DN not
matching pattern) the API responds with status 500.

Raise BadRequestDataException if cert issuance fails in a way that
indicates bad or invalid CSR data, and catch it to respond with
status 400.

Fixes: https://fedorahosted.org/pki/ticket/2388
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java  | 18 +++---
 .../org/dogtagpki/server/ca/rest/AuthorityService.java |  3 ++-
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java 
b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 
e501380c8dd6d2d6fc400ad9f43677bfae7e258e..9f6445c56369f00cd857890fe63b577b6db81350
 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -74,6 +74,7 @@ import org.mozilla.jss.pkix.primitive.Name;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authority.ICertAuthority;
+import com.netscape.certsrv.base.BadRequestDataException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.base.IConfigStore;
@@ -2680,8 +2681,16 @@ public class CertificateAuthority
 if (result != null && !result.equals(IRequest.RES_SUCCESS))
 throw new EBaseException("createSubCA: certificate request 
submission resulted in error: " + result);
 RequestStatus requestStatus = request.getRequestStatus();
-if (requestStatus != RequestStatus.COMPLETE)
-throw new EBaseException("createSubCA: certificate request did 
not complete; status: " + requestStatus);
+if (requestStatus != RequestStatus.COMPLETE) {
+// The request did not complete.  Inference: something
+// incorrect in the request (e.g. profile constraint
+// violated).
+String msg = "Failed to issue CA certificate. Final status: " 
+ requestStatus + ".";
+String errorMsg = request.getExtDataInString(IRequest.ERROR);
+if (errorMsg != null)
+msg += " Additional info: " + errorMsg;
+throw new BadRequestDataException(msg);
+}
 
 // Add certificate to nssdb
 cert = 
request.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
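Review bot: every status other than COMPLETE is now mapped to BadRequestDataException, and the comment itself calls that an inference; a request that ends PENDING because the profile requires agent approval, or that failed for a server-side reason recorded in IRequest.ERROR, is not bad client data and would be misreported as a 400. Consider narrowing this to the rejected case (or to a recognisable profile-constraint error) and keeping EBaseException for the rest. The IRequest.ERROR text appended to msg is also what the REST layer hands back to the caller, so check that it carries nothing that should stay server-side.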
@@ -2697,7 +2706,10 @@ public class CertificateAuthority
 // log this error.
 CMS.debug("Error deleting new authority entry after failure 
during certificate generation: " + e2);
 }
-throw new ECAException("Error creating lightweight CA certificate: 
" + e);
+if (e instanceof BadRequestDataException)
+throw (BadRequestDataException) e;  // re-throw
+else
+throw new ECAException("Error creating lightweight CA 
certificate: " + e);
 }
 
 CertificateAuthority ca = new CertificateAuthority(
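Review bot: the instanceof check and cast work, but a dedicated `catch (BadRequestDataException e)` clause ahead of the generic one would read better; the cleanup that deletes the new authority entry must still run on that path, so factor it into a helper called from both clauses. Either way, `new ECAException("Error creating lightweight CA certificate: " + e)` wraps by string concatenation and drops the cause's stack trace, as the pre-existing line did; pass e as the cause if ECAException has such a constructor.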
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java 
b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 
5ecabacd9a84a4d06e529ca0099f561155f7d791..7bca10fa1dfbfe7dbae5b5c0288c4c59c1075cf9
 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -38,6 +38,7 @@ import javax.ws.rs.core.UriInfo;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authority.AuthorityData;
 import com.netscape.certsrv.authority.AuthorityResource;
+import com.netscape.certsrv.base.BadRequestDataException;
 import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.ConflictingOperationException;
 import com.netscape.certsrv.base.EBaseException;
@@ -207,7 +208,7 @@ public class AuthorityService extends PKIService implements 
AuthorityResource {
 audit(ILogger.SUCCESS, OpDef.OP_ADD,
 subCA.getAuthorityID().toString(), auditParams);
 return createOKResponse(readAuthorityData(subCA));
-} catch (IllegalArgumentException e) {
+} catch (IllegalArgumentException | BadRequestDataException e) {
 throw new BadRequestException(e.toString());
 } catch (CANotFoundException e) {
 throw new ResourceNotFoundException(e.toString());
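Review bot: `e.toString()` prefixes the 400 body with the exception class name; `e.getMessage()` returns the profile error to the client without the internal class name. The success path just above audits OP_ADD, but this catch records no failure audit event; confirm one is emitted elsewhere or add `audit(ILogger.FAILURE, OpDef.OP_ADD, ...)` here, since a rejected sub-CA creation is worth logging.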
-- 
2.5.5

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo

Re: [Pki-devel] [PATCH] 779 Fixed problem reading HSM password from password file.

2016-06-27 Thread Endi Sukma Dewata

On 6/24/2016 8:46 PM, Christina Fu wrote:

Looks like it might do it.  If tested to work (borrow a vm from QE if you
don't have one), ack.


Thanks! I've tested it with QE's machine with HSM.
Pushed to master.

--
Endi S. Dewata



Re: [Pki-devel] [pki-devel] [PATCH] 0074-Add-ability-to-disallow-TPS-to-enroll-a-single-user-.patch

2016-06-27 Thread Christina Fu

Just a few minor ones.

* configuration parameters referencing token existence in tokendb should 
use names beginning with "tokendb", e.g.

tokendb.allowMultiActiveTokensPerUser.externalReg=false
tokendb.allowMultiActiveTokensPerUser.nonExternalReg=false

* boolean allowMultiCerts -- I think the name is misleading. How about 
allowMultiTokens?


* existing calls to tps.tdb.tdbHasActiveToken() need to be decided, e.g.:
   1. TPSEnrollProcessor.java: search for tdbHasActiveToken (first 
occurrence) and you will find that it is called with a "TODO:" comment. I 
believe that whole try/catch with the tps.tdb.tdbHasActiveToken(userid); 
call can be removed, since you already call that earlier in your patch.
   2. TPSEnrollProcessor.java: the 2nd occurrence is when the 
enrolling token is suspended. You need to look into what it is doing at 
that point and whether that check can also be eliminated.


thanks,
Christina

On 06/24/2016 11:08 AM, John Magne wrote:

 Add ability to disallow TPS to enroll a single user on multiple tokens.
 
 This patch will install a check during the early portion of the enrollment
 process that checks a configurable policy on whether or not a user should be
 allowed to have more than one active token.
 
 This check will take place only for brand new tokens not seen before.
 The check will prevent the enrollment from proceeding and will exit before the
 system has a chance to add this new token to the TPS tokendb.
 
 The behavior will be configurable for the external reg and not external reg
 scenarios as follows:
 
 op.enroll.nonExternalReg.allowMultiActiveTokensUser=false
 op.enroll.externalReg.allowMultiActiveTokensUser=false


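The enrollment-policy check described in the patch summary above, as an added illustration that is not the patch's code and not part of Dogtag TPS: the policy is consulted only for tokens not yet in the tokendb, the decision is made before the token would be inserted, and an unset or unparsable setting fails closed. The config keys use the `tokendb.` prefix suggested in the review; the class, method names, the `Properties` source and the `Predicate` stand-in for tps.tdb.tdbHasActiveToken(userid) are all assumptions made for this example.

```java
import java.util.Properties;
import java.util.Set;
import java.util.function.Predicate;

/**
 * Illustration of a "one active token per user" enrollment policy.
 * Added example; not code from the pki-devel patch. Key names follow the
 * review's proposal and are assumptions, as are all identifiers here.
 */
public class MultiTokenPolicy {

    // Proposed key prefix from the review (assumption): the setting describes
    // what may exist in the tokendb, so it is named after the tokendb.
    static final String KEY_PREFIX = "tokendb.allowMultiActiveTokensPerUser.";

    private final Properties config;

    MultiTokenPolicy(Properties config) {
        this.config = config;
    }

    /** Fail closed: anything other than a literal "true" disallows multiple tokens. */
    boolean allowMultiTokens(boolean externalReg) {
        String key = KEY_PREFIX + (externalReg ? "externalReg" : "nonExternalReg");
        return "true".equalsIgnoreCase(config.getProperty(key, "false").trim());
    }

    /**
     * Decide before the new token is written to the tokendb.
     *
     * @param userid          the enrolling user
     * @param tokenKnown      true if this CUID already exists in the tokendb;
     *                        the policy applies only to brand new tokens
     * @param externalReg     which of the two scenarios applies
     * @param hasActiveToken  stand-in for tps.tdb.tdbHasActiveToken(userid)
     */
    boolean mayEnroll(String userid, boolean tokenKnown, boolean externalReg,
                      Predicate<String> hasActiveToken) {
        if (tokenKnown) {
            return true;                      // existing token: out of scope here
        }
        if (allowMultiTokens(externalReg)) {
            return true;                      // policy permits several active tokens
        }
        return !hasActiveToken.test(userid);  // deny if the user already holds one
    }

    public static void main(String[] args) {
        // Constructed sample configuration: strict for externalReg, relaxed otherwise.
        Properties cfg = new Properties();
        cfg.setProperty(KEY_PREFIX + "externalReg", "false");
        cfg.setProperty(KEY_PREFIX + "nonExternalReg", "true");
        MultiTokenPolicy policy = new MultiTokenPolicy(cfg);

        // Constructed tokendb stand-in: alice already has an active token, bob does not.
        Set<String> usersWithActiveToken = Set.of("alice");
        Predicate<String> hasActive = usersWithActiveToken::contains;

        // alice, brand new token, externalReg: single-token policy applies
        System.out.println("alice/externalReg/new:    "
                + policy.mayEnroll("alice", false, true, hasActive));
        // alice, brand new token, nonExternalReg: multiple tokens permitted
        System.out.println("alice/nonExternalReg/new: "
                + policy.mayEnroll("alice", false, false, hasActive));
        // alice, token already in tokendb: check skipped
        System.out.println("alice/externalReg/known:  "
                + policy.mayEnroll("alice", true, true, hasActive));
        // bob, brand new token, externalReg: no active token yet
        System.out.println("bob/externalReg/new:      "
                + policy.mayEnroll("bob", false, true, hasActive));
    }
}
```

Compile and run with `javac MultiTokenPolicy.java && java MultiTokenPolicy`; the deny decision is taken from the policy and the tokendb lookup alone, before any write, which is the ordering the patch summary asks for.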