[Pki-devel] [PATCH] 925 Troubleshooting improvements for CAEnrollProfile.

2017-02-02 Thread Endi Sukma Dewata

To help troubleshooting, the CAEnrollProfile class has been modified
to chain the original exceptions.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 8592db4465c3957afebcabb1c9c1bf6c9cf97ab8 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Thu, 2 Feb 2017 01:53:45 +0100
Subject: [PATCH] Troubleshooting improvements for CAEnrollProfile.

To help troubleshooting, the CAEnrollProfile class has been modified
to chain the original exceptions.
---
 .../cms/profile/common/CAEnrollProfile.java| 31 +-
 1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
index 8c14e91767f6cc765413821da71b2c26d86f77d3..44c1245939974dfb5628418d3511bc9dc9eb9e48 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
@@ -19,10 +19,6 @@ package com.netscape.cms.profile.common;
 
 import java.util.Enumeration;
 
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-
 import org.mozilla.jss.pkix.crmf.PKIArchiveOptions;
 
 import com.netscape.certsrv.apps.CMS;
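Review bot: the import moves in this hunk and the next (the three netscape.security.x509 imports relocated from above the org.mozilla block to below the com.netscape block) are unrelated to the exception chaining the commit message describes; either mention the reordering in the message or split it into its own commit so the functional change stays reviewable on its own.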
@@ -41,6 +37,10 @@ import com.netscape.certsrv.profile.IProfileUpdater;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.RequestStatus;
 
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
 /**
  * This class implements a Certificate Manager enrollment
  * profile.
@@ -53,7 +53,6 @@ public class CAEnrollProfile extends EnrollProfile {
 "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
 
 public CAEnrollProfile() {
-super();
 }
 
 public IAuthority getAuthority() {
@@ -93,8 +92,8 @@ public class CAEnrollProfile extends EnrollProfile {
 auditArchiveID = id.trim();
 }
 
-CMS.debug("CAEnrollProfile: execute reqId=" +
-request.getRequestId().toString());
+CMS.debug("CAEnrollProfile: execute request ID " + id);
+
 ICertificateAuthority ca = (ICertificateAuthority) getAuthority();
 
 ICAService caService = (ICAService) ca.getCAService();
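Review bot: the new debug line prints `id` instead of `request.getRequestId()`, and the context just above (`auditArchiveID = id.trim();` inside a conditional) suggests `id` is only known to be non-null on one path. If `id` can be null here the log reads "execute request ID null" and the request is no longer identifiable from the trace; confirm that `id` is always populated from the request at this point, or keep logging the request ID directly.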
@@ -105,6 +104,7 @@ public class CAEnrollProfile extends EnrollProfile {
 // if PKI Archive Option present, send this request
 // to DRM
 byte optionsData[] = request.getExtDataInByteArray(REQUEST_ARCHIVE_OPTIONS);
+
 // do not archive keys for renewal requests
 if ((optionsData != null) && (!request.getRequestType().equals(IRequest.RENEWAL_REQUEST))) {
 PKIArchiveOptions options = toPKIArchiveOptions(optionsData);
@@ -166,7 +166,7 @@ public class CAEnrollProfile extends EnrollProfile {
 if (e instanceof ERejectException) {
 throw (ERejectException) e;
 }
-CMS.debug("CAEnrollProfile: " + e.toString());
+CMS.debug("CAEnrollProfile: " + e);
 CMS.debug(e);
 
 auditMessage = CMS.getLogMessage(
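Review bot: the `ERejectException` rethrow at the top of this hunk leaves the catch block before the audit record built below it is emitted, so a rejected key-archival request produces no audit event for the archive attempt. That path predates this patch, but since the block is being touched, consider emitting the audit record before rethrowing. Separately, `CMS.debug("CAEnrollProfile: " + e)` immediately followed by `CMS.debug(e)` logs the same exception twice; one of the two is enough now that the throwable itself is logged.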
@@ -177,32 +177,36 @@ public class CAEnrollProfile extends EnrollProfile {
 auditArchiveID);
 
 audit(auditMessage);
-throw new EProfileException(e.toString());
+throw new EProfileException(e);
 }
 }
 }
+
 // process certificate issuance
 X509CertInfo info = request.getExtDataInCertInfo(REQUEST_CERTINFO);
-X509CertImpl theCert = null;
 // #615460 - added audit log (transaction)
 SessionContext sc = SessionContext.getExistingContext();
 sc.put("profileId", getId());
+
 String setId = request.getExtDataInString("profileSetId");
 if (setId != null) {
 sc.put("profileSetId", setId);
 }
+
 AuthorityID aid = null;
 String aidString = request.getExtDataInString(IRequest.AUTHORITY_ID);
 if (aidString != null)
 aid = new AuthorityID(aidString);
+
+X509CertImpl theCert;
 try {
 theCert = caService.issueX509Cert(
 aid, info, getId() /* profileId */, id /* requestId */);
 } catch (EBaseException e) {
-CMS.debug(e.toString());
-
-throw new EProfileException(e.toString());
+CMS.debug(e);
+throw new EProfileException(e);
 }
+
 request.setExtData(REQUEST_ISSUED_CERT, theCert);
 
 long endTime = CMS.getCurrentDate().getTime();
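Review bot: `new EProfileException(e)` passes the cause but no message; unless the EProfileException(Throwable) constructor (not shown in this patch) copies `e.getMessage()` into the wrapper, the callers and client-facing errors that previously saw `e.toString()` will now get the wrapper's default text. Confirm what that constructor does, or use a message-plus-cause form if one exists, so the original message survives alongside the chained cause. The same applies to the `issueX509Cert` catch block further down the hunk, where `CMS.debug(e)` followed by `throw new EProfileException(e)` also logs the trace once here and again wherever the wrapper is eventually logged.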
@@ -230,6 +234,7 @@ public class CAEnrollProfile extends EnrollProfile {
 }
 
 request.setRequestStatus(RequestStatus.COMPLETE);
+
 // notifies updater plugins
 Enumeration upd

[Pki-devel] [PATCH] 926 Added --renewal param to pki ca-cert-request-submit.

2017-02-02 Thread Endi Sukma Dewata

A new parameter has been added to set the renewal field in
CertEnrollmentRequest.

Pushed to master under trivial rule.

--
Endi S. Dewata
From 3c1b6188cfdd71511ef3f7b1c2499a30f57f08d3 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Thu, 2 Feb 2017 18:03:10 +0100
Subject: [PATCH] Added --renewal param to pki ca-cert-request-submit.

A new parameter has been added to set the renewal field in
CertEnrollmentRequest.
---
 .../src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java | 9 +
 1 file changed, 9 insertions(+)

diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java
index acdaebe0825f217f8b88cd181bfebe509aa8d7c5..6223a8e66d52c2142da67155ab0d70f72a7db427 100644
--- a/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java
@@ -56,6 +56,9 @@ public class CertRequestSubmitCLI extends CLI {
 option.setArgName("type");
 options.addOption(option);
 
+option = new Option(null, "renewal", false, "Submit renewal request");
+options.addOption(option);
+
 option = new Option(null, "csr-file", true, "File containing the CSR");
 option.setArgName("path");
 options.addOption(option);
@@ -154,6 +157,8 @@ public class CertRequestSubmitCLI extends CLI {
 }
 }
 
+request.setRenewal(cmd.hasOption("renewal"));
+
 String csrFilename = cmd.getOptionValue("csr-file");
 if (csrFilename != null) {
 
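Review bot: `request.setRenewal(cmd.hasOption("renewal"))` sets the flag but nothing in the CLI checks that a renewal request identifies the certificate being renewed; with `--renewal` and no serial the server receives renewal=true and must reject it itself. Consider validating the combination client-side and stating in the option help which other parameters a renewal needs.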
@@ -226,6 +231,10 @@ public class CertRequestSubmitCLI extends CLI {
 request.setAttribute("pwd", certRequestPassword);
 }
 
+if (verbose) {
+System.out.println(request);
+}
+
 CertRequestInfos cri = certCLI.certClient.enrollRequest(request, aid, adn);
 MainCLI.printMessage("Submitted certificate request");
 CertCLI.printCertRequestInfos(cri);
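Review bot: `System.out.println(request)` in verbose mode prints the whole CertEnrollmentRequest, which at this point already carries the `pwd` attribute set two lines above (`request.setAttribute("pwd", certRequestPassword);`). Unless CertEnrollmentRequest's toString masks attributes, `--verbose` writes the enrollment password to the terminal and to any captured output. Print the request before the password is attached, or redact that attribute in the verbose output.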
-- 
2.5.5

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] 927 Added --serial param to pki ca-cert-request-submit.

2017-02-02 Thread Endi Sukma Dewata

A new parameter has been added to set the serial number field in
CertEnrollmentRequest and in profile input if available.

Pushed to master under trivial rule.

--
Endi S. Dewata
From e7b589d83cdcde960d1f24993f9bfff971d6963a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Thu, 2 Feb 2017 01:13:35 +0100
Subject: [PATCH] Added --serial param to pki ca-cert-request-submit.

A new parameter has been added to set the serial number field in
CertEnrollmentRequest and in profile input if available.
---
 .../cmstools/cert/CertRequestSubmitCLI.java| 23 ++
 1 file changed, 23 insertions(+)

diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java
index 6223a8e66d52c2142da67155ab0d70f72a7db427..e49dba2406a07697468855c93b71735849527256 100644
--- a/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java
@@ -16,6 +16,7 @@ import org.apache.commons.cli.Option;
 import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.cert.CertRequestInfos;
+import com.netscape.certsrv.dbs.certdb.CertId;
 import com.netscape.certsrv.profile.ProfileAttribute;
 import com.netscape.certsrv.profile.ProfileInput;
 import com.netscape.cmstools.cli.CLI;
@@ -63,6 +64,10 @@ public class CertRequestSubmitCLI extends CLI {
 option.setArgName("path");
 options.addOption(option);
 
+option = new Option(null, "serial", true, "Serial number of certificate for renewal");
+option.setArgName("number");
+options.addOption(option);
+
 option = new Option(null, "subject", true, "Subject DN");
 option.setArgName("DN");
 options.addOption(option);
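Review bot: the help text "Serial number of certificate for renewal" does not say which representation is accepted; since the value goes straight into `new CertId(serial)` in the later hunk, state the format CertId parses (hex, decimal, or both) so users do not guess.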
@@ -177,6 +182,24 @@ public class CertRequestSubmitCLI extends CLI {
 }
 }
 
+String serial = cmd.getOptionValue("serial");
+if (serial != null) {
+
+if (verbose) {
+System.out.println("Serial: " + serial);
+}
+
+request.setSerialNum(new CertId(serial));
+
+// store serial number in profile input if available
+for (ProfileInput input : request.getInputs()) {
+ProfileAttribute serialAttr = input.getAttribute("serial_num");
+if (serialAttr != null) {
+serialAttr.setValue(serial);
+}
+}
+}
+
 String subjectDN = cmd.getOptionValue("subject");
 if (subjectDN != null) {
 DN dn = new DN(subjectDN);
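Review bot: `new CertId(serial)` is called on the raw option value and nothing catches a parse failure, so a malformed `--serial` surfaces as an uncaught exception rather than a CLI error message; wrap it and report a clear error (the exception-based error handling described in patch 928 on this page is the natural shape). Also, the loop writes `serial` into the `serial_num` attribute of every profile input that has one, silently overriding any value the user supplied through the profile input; a verbose line per overwritten input would make that visible.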
-- 
2.5.5


[Pki-devel] [PATCH] 928 Cleaned up error handling in client and PKCS12 CLIs.

2017-02-02 Thread Endi Sukma Dewata

The client and PKCS12 CLIs have been modified to use Exceptions
instead of System.exit() such that errors can be handled
consistently.

Pushed to master under trivial rule.

--
Endi S. Dewata



Re: [Pki-devel] [PATCH] 0151..0155 Add profile component that copies CN to SAN

2017-02-02 Thread Fraser Tweedale
Discussion for devs: once this is merged, should I update all the
included service-oriented profiles (e.g. caCAcert; not user or CA
cert profiles) to add this profile component?

IMO we should do it, but we should not automatically update existing
installations.  Instead, we (I) can produce a KBase article about
using the new component.

Let me know what you think.

Cheers,
Fraser

On Thu, Feb 02, 2017 at 12:46:30PM -0700, Matthew Harmsen wrote:
> On 02/01/2017 12:25 AM, Fraser Tweedale wrote:
> > Hi all,
> > 
> > The attached patches implement the long-desired feature to copy CN
> > to SubjectAltName (https://fedorahosted.org/pki/ticket/1710).
> > 
> > I've also pushed the branch to my GitHub repo; feel free to review
> > the patches there:
> > https://github.com/frasertweedale/pki/commits/feature/1710-cn-to-san
> > 
> > Thanks,
> > Fraser
> > 
> > 
> > ___
> > Pki-devel mailing list
> > Pki-devel@redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel
> 
> Fraser,
> 
> In order to review this patch, I am going to apply it and make a scratch
> build of Dogtag 10.2.6 on RHEL 7.2 so that Red Hat IT can test it out for
> us.
> 
> If they give us their approval, you can consider yourself granted an ACK on
> this patch and check it into master so that I can cherry-pick it into the
> 10.3 branches.
> 
> -- Matt
> 
> P. S. - FYI, the following conversation took place on #cs today:
> 
> dminnich,walrus: ftweedal has released a patch for
>https://fedorahosted.org/pki/ticket/1710 - Add profile component
>that copies CN to SAN -- if I applied that patch to a 10.3.3
>pki-core for RHEL 7.3, could you guys test it out, or in order to
>test it out, do you need a scratch build of Dogtag 10.2.6 on RHEL
>7.2 like last time?
> mharmsen: having a scratch build of 7.2 would be quickest
> we are just now planning the 7.3 upgrade, which will take
>some time to get into dev
> walrus: okay, I can try to see if I can do that, but
>remember that we will not deliver an official RHEL 7.2 build of RHCS 9.1
> yeah we should be on 7.3 in a month or so... a lot of
>things to test on a lot of servers :)
> csnell|wfh: ^^^
> walrus: completely understood! LOL
> mharmsen: that will be a very welcome patch
> mharmsen: do you happen to know if ACLs work against SANs?
> dminnich: not off the top of my head
> edewata, cfu, jmagne: ^^^?
> that is something on our to investigate list as well
> dminnich: I am going to drop an email to ftweedal, and I
>will ask that question
> mharmsen: no idea about SAN
> mharmsen, don't know
> dminnich, mharmsen , what does that mean?
> cfu: right now we allow only people in LDAP group X to
>issue certs for domains that meet Y regex.  but we don't check
>SANs.  so somebody could CN=blah.devlab.com and get approved but add
>a SAN for www.redhat.com and we don't deny it
> dminnich: where is X & Y defined?
>
>
> https://gitolite.corp.redhat.com/cgit/puppet-cfg/modules/rhcs.git/tree/templates/ca/profiles/ca/caDirServerCert-pnt-devops-domains.cfg#n12
>
> https://gitolite.corp.redhat.com/cgit/puppet-cfg/modules/rhcs.git/tree/templates/ca/profiles/ca/caDirServerCert-pnt-devops-domains.cfg#n26
> edewata: ^ some of that might be added by puppet later.but
> thats the gist
> dminnich: ok, it's in profile, not ACL
> authz.acl=group  and constraints
> dminnich, dminnich ah, I see. so it's like a pattern
>constraint just like what we have for subject name now in the
>profile.  Yeah, you can write a constraint plugin for that
> dminnich, anyway, feel free to file a ticket for it.
> cfu: will do
> 

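The gap dminnich describes in the quoted #cs conversation (the profile matches the CN against an allowed-domain pattern but never looks at the SAN, so a CN under the permitted domain can carry a SAN for an unrelated host) is illustrated below with an added, stand-alone example. It is not Dogtag code and not the constraint plugin cfu suggests writing; the allowed-domain regex stands in for the profile's own pattern, and the SubjectAltName bytes are constructed by hand for the scenario in the thread. It shows the CN-only check approving the smuggled SAN beside a check that parses the SAN extension value and requires every dNSName to match, failing closed on any GeneralName type it does not understand.

```python
import re
from typing import List, Optional, Tuple

# Assumed stand-in for the profile's domain pattern ("Y regex" in the thread):
# the host must be devlab.com or a subdomain of it. Anchoring both ends is what
# keeps "evildevlab.com" out; a bare substring match would let it through.
ALLOWED_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+devlab\.com$|^devlab\.com$")


def der_dnsname(name: str) -> bytes:
    """Encode one dNSName GeneralName ([2] IMPLICIT IA5String, short-form length)."""
    raw = name.encode("ascii")
    if len(raw) >= 0x80:
        raise ValueError("name too long for this minimal encoder")
    return bytes([0x82, len(raw)]) + raw


def der_general_names(*items: bytes) -> bytes:
    """Wrap GeneralName encodings in the outer SEQUENCE (short-form length)."""
    content = b"".join(items)
    if len(content) >= 0x80:
        raise ValueError("SAN too long for this minimal encoder")
    return bytes([0x30, len(content)]) + content


def parse_san_dnsnames(san_value: bytes) -> List[str]:
    """Return the dNSName entries of a DER SubjectAltName extension value.

    Only short-form lengths are handled. Any GeneralName other than dNSName
    (iPAddress, otherName, ...) raises ValueError so that a policy check built
    on this parser fails closed instead of ignoring names it cannot judge."""
    if len(san_value) < 2 or san_value[0] != 0x30:
        raise ValueError("SAN value is not a SEQUENCE")
    length = san_value[1]
    if length >= 0x80 or len(san_value) != 2 + length:
        raise ValueError("unsupported or inconsistent SEQUENCE length")
    body = san_value[2:]
    names: List[str] = []
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated GeneralName header")
        tag, ln = body[pos], body[pos + 1]
        if ln >= 0x80 or pos + 2 + ln > len(body):
            raise ValueError("unsupported or truncated GeneralName length")
        value = body[pos + 2:pos + 2 + ln]
        if tag != 0x82:
            raise ValueError("unsupported GeneralName tag 0x%02x" % tag)
        names.append(value.decode("ascii"))
        pos += 2 + ln
    return names


def normalize(name: str) -> str:
    """Lower-case, drop a trailing dot, and reduce a wildcard to the domain it covers."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host


def cn_only_check(cn: str, san_value: Optional[bytes]) -> bool:
    """The behaviour described in the thread: only the CN is matched, SAN is ignored."""
    return ALLOWED_DOMAIN.match(normalize(cn)) is not None


def cn_and_san_check(cn: str, san_value: Optional[bytes]) -> Tuple[bool, str]:
    """Hardened form: the CN and every SAN dNSName must match the allowed pattern.

    Returns (ok, reason); an unparseable SAN is a rejection, not a pass."""
    names = [cn]
    if san_value is not None:
        try:
            names.extend(parse_san_dnsnames(san_value))
        except ValueError as exc:
            return False, "SAN rejected: %s" % exc
    for name in names:
        if not ALLOWED_DOMAIN.match(normalize(name)):
            return False, "name not in allowed domain: %s" % name
    return True, "ok"


# Constructed SAN values for the scenario in the thread (not from a real CSR):
# CN=blah.devlab.com with a SAN that also names www.redhat.com, and a clean one.
SMUGGLED_SAN = der_general_names(der_dnsname("blah.devlab.com"), der_dnsname("www.redhat.com"))
CLEAN_SAN = der_general_names(der_dnsname("blah.devlab.com"), der_dnsname("*.devlab.com"))

if __name__ == "__main__":
    cn = "blah.devlab.com"
    print("CN-only check, smuggled SAN:", cn_only_check(cn, SMUGGLED_SAN))
    print("CN+SAN check, smuggled SAN:", cn_and_san_check(cn, SMUGGLED_SAN))
    print("CN+SAN check, clean SAN:", cn_and_san_check(cn, CLEAN_SAN))
```

The parser deliberately refuses anything but dNSName entries: a real constraint must decide what an iPAddress or otherName in the SAN means for the profile, and until it does, rejecting is the safe default. A Dogtag constraint plugin would apply the same rule to the SAN extension it finds in the request's certificate info rather than to hand-built bytes.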