Re: [Pki-devel] [PATCH] 0179 KRA: do not accumulate recovered keys in token

2017-04-26 Thread Fraser Tweedale
On Wed, Apr 26, 2017 at 06:40:59PM +1000, Fraser Tweedale wrote:
> On Thu, Apr 06, 2017 at 05:22:34PM +1000, Fraser Tweedale wrote:
> > The attached patch fixes a regression (I think?) where recovered
> > keys accumulate in the key storage token.
> > 
> > Thanks,
> > Fraser
> 
> Gerrit review: https://review.gerrithub.io/#/c/358632/
>
ACKed by Ade.  Pushed to master
(da624993c302a81a11f37f984d75c37a467dc5e5)

Cheers,
Fraser

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


[Pki-devel] [pki-devel][PATCH]

2017-04-26 Thread John Magne

CA in the certificate profiles the startTime parameter is not working as 
expected.

This simple fix addresses an overflow in the "startTime" parameter in 4 
places in the code. I felt that honing in only on the startTime value was the 
best way to go. In some of the files other than ValidityDefault.java, there 
were possibly some values that could be changed from int to long. Due to the 
complexity of some of the calculations involved in some of those cases, it is 
best to fix the exact issue at hand instead of introducing some other possible 
side effects.

Tested with a simple enrollment in the caUserCert profile by setting the 
startTime constraint to the offending value listed in the ticket/bug. The 
correct start time 30 days in the future was calculated and made part of the 
cert.


Issue:

https://pagure.io/dogtagpki/issue/2520

From 91d7f82be94532a691768021a0661efd6a93e093 Mon Sep 17 00:00:00 2001
From: Jack Magne 
Date: Wed, 26 Apr 2017 15:21:39 -0700
Subject: [PATCH] CA in the certificate profiles the startTime parameter is not
 working as expected.

This simple fix addresses an overflow in the "startTime" parameter in 4 places in the code. I felt that honing in only on the startTime value was the best way to go. In some of the files other than ValidityDefault.java, there were possibly some values that could be changed from int to long. Due to the complexity of some of the calculations involved in some of those cases, it is best to fix the exact issue at hand instead of introducing some other possible side effects.
---
 .../src/com/netscape/cms/profile/def/CAValidityDefault.java  | 12 ++--
 .../cms/profile/def/PrivateKeyUsagePeriodExtDefault.java |  4 ++--
 .../netscape/cms/profile/def/RandomizedValidityDefault.java  |  2 +-
 .../src/com/netscape/cms/profile/def/ValidityDefault.java| 10 +-
 4 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
index 2df256e..2ecd484 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
@@ -24,6 +24,11 @@ import java.util.Calendar;
 import java.util.Date;
 import java.util.Locale;
 
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.X509CertInfo;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.ca.ICertificateAuthority;
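Review bot: the four netscape.security.x509 imports added in this hunk are the same four removed in the next one, so this is a pure reordering of the import block with no relation to the startTime overflow; either drop it from this fix or mention the import cleanup in the commit message so reviewers do not look for a functional change in CAValidityDefault's imports.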
@@ -34,11 +39,6 @@ import com.netscape.certsrv.property.EPropertyException;
 import com.netscape.certsrv.property.IDescriptor;
 import com.netscape.certsrv.request.IRequest;
 
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.PKIXExtensions;
-import netscape.security.x509.X509CertInfo;
-
 /**
  * This class implements a CA signing cert enrollment default policy
  * that populates a server-side configurable validity
@@ -348,7 +348,7 @@ public class CAValidityDefault extends EnrollDefault {
 if (startTimeStr == null || startTimeStr.equals("")) {
 startTimeStr = "60";
 }
-int startTime = Integer.parseInt(startTimeStr);
+long startTime = Long.parseLong(startTimeStr);
 
 Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime));
 CMS.debug("CAValidityDefault: not before: " + notBefore);
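Review bot: the switch to `long startTime = Long.parseLong(startTimeStr);` is the right fix, because `1000 * startTime` is now evaluated in 64-bit before being added to the `long` returned by `getTime()`; with `int` the product wrapped negative for any startTime above 2147483 seconds (Integer.MAX_VALUE / 1000, about 24.8 days), which pushes notBefore into the past and yields a backdated certificate. Please add a unit test at that boundary (the 30-day value from the ticket, 2592000 seconds, is a good pin) so the regression cannot recur, and note that `Long.parseLong` throws NumberFormatException on a malformed value exactly as `Integer.parseInt` did, so the null/empty default above remains the only guard.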
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
index 6532a13..2f05f32 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
@@ -296,13 +296,13 @@ public class PrivateKeyUsagePeriodExtDefault extends EnrollExtDefault {
 if (startTimeStr == null || startTimeStr.equals("")) {
 startTimeStr = "60";
 }
-int startTime = Integer.parseInt(startTimeStr);
+long startTime = Long.parseLong(startTimeStr);
 Date notBefore = new Date(CMS.getCurrentDate().getTime() +
 (1000 * startTime));
 long notAfterVal = 0;
 
 notAfterVal = notBefore.getTime() +
-(mDefault * Integer.parseInt(getConfig(CONFIG_DURATION)));
+(mDefault * Long.parseLong(getConfig(CONFIG_DURATION)));
 Date notAfter = new Date(notAfterVal);
 
 ext = new PrivateKeyUsageExtension(notBefore, notAfter);
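Review bot: `getConfig(CONFIG_DURATION)` is passed straight to `Long.parseLong` with no null/empty default like the one `startTimeStr` gets at the top of this hunk, so an unset duration still throws NumberFormatException; that is pre-existing, but since the line is being touched anyway this is the place to add the same guard. The type of `mDefault` is not visible here; if it is an `int` millisecond multiplier the product `mDefault * Long.parseLong(...)` is still promoted to `long` because the other operand is `long`, which is fine, but a short comment stating its unit would make the notAfterVal arithmetic easier to audit.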
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java b/base/server/c
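As an added illustration of the wrap the commit message describes (example code written for this page, not part of the patch or of Dogtag), the following runs the same `1000 * startTime` arithmetic from the CAValidityDefault hunk once with the old `int` and once with the patched `long`; the base timestamp and the 30-day startTime value are constructed.

```java
import java.util.Date;

public class StartTimeOverflowDemo {
    // Constructed "now" in place of CMS.getCurrentDate(): 2017-04-26T22:21:39Z
    private static final long NOW_MS = 1493245299000L;

    /** Pre-patch arithmetic: the multiplication runs in 32-bit int and wraps. */
    static long offsetMsBuggy(String startTimeStr) {
        int startTime = Integer.parseInt(startTimeStr);
        int offset = 1000 * startTime;   // wraps negative once startTime > 2147483
        return offset;                   // widened to long only after the wrap
    }

    /** Post-patch arithmetic: a long operand promotes the product to 64-bit. */
    static long offsetMsFixed(String startTimeStr) {
        long startTime = Long.parseLong(startTimeStr);
        return 1000 * startTime;
    }

    /** Largest startTime (seconds) for which the int version is still correct. */
    static int maxSafeIntStartTime() {
        return Integer.MAX_VALUE / 1000;  // 2147483 s, about 24.8 days
    }

    public static void main(String[] args) {
        String thirtyDays = "2592000";    // 30 * 24 * 3600 seconds, as in the ticket
        long buggyOffset = offsetMsBuggy(thirtyDays);   // -1702967296 ms
        long fixedOffset = offsetMsFixed(thirtyDays);   //  2592000000 ms
        Date buggyNotBefore = new Date(NOW_MS + buggyOffset);
        Date fixedNotBefore = new Date(NOW_MS + fixedOffset);

        System.out.println("max safe int startTime: " + maxSafeIntStartTime() + " s");
        System.out.println("int  offset " + buggyOffset + " ms -> notBefore " + buggyNotBefore
                + (buggyOffset < 0 ? " (backdated!)" : ""));
        System.out.println("long offset " + fixedOffset + " ms -> notBefore " + fixedNotBefore);
    }
}
```

With the int arithmetic the 30-day offset becomes roughly 19.7 days in the past, so the certificate is silently backdated rather than rejected.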

Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-26 Thread Fraser Tweedale
On Tue, Apr 11, 2017 at 03:23:18PM -0700, Christina Fu wrote:
> Thank you. Please see review comments:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1355358#c6
> 
> I will review PKCS12Util later.
> 
> Christina
> 
Updated patch jss-0002 and also created
https://bugzilla.mozilla.org/show_bug.cgi?id=1359731 with some
other JSS patches.

Created Gerrit review branch for Dogtag patches:
https://review.gerrithub.io/#/c/358634/.  This includes patch
pki-0178 and also a new patch to change KRA PKCS #12 recovery to use
AES, which depends on the new JSS patches linked above.

Thanks,
Fraser

> 
> On 04/10/2017 11:30 PM, Fraser Tweedale wrote:
> > On Thu, Apr 06, 2017 at 03:45:55PM -0700, Christina Fu wrote:
> > > Hi Fraser,
> > > 
> > > Could you please do the following first?
> > > 
> > > 1.  file a Mozilla bugzilla bug for this against Product JSS Release 
> > > 4.4.1,
> > > then assign to yourself:
> > > https://bugzilla.mozilla.org/
> > > 2. After making sure your patch compiles well with the 4.4.1 base, attach
> > > the patch to that ticket, and mark reviewers
> > > 
> > > thanks!
> > > 
> > > Christina
> > > 
> > Thanks Christina, I filed
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1355358
> > 
> > I was unable to assign myself to the bug ('Assignee' field is not
> > active when I go to Edit Bug.
> > 
> > Also not sure how to "mark reviewers".  I added you and Elio to Cc
> > though.
> > 
> > Thanks,
> > Fraser
> > 
> > > On 04/04/2017 02:56 AM, Fraser Tweedale wrote:
> > > > Hi team,
> > > > 
> > > > Please review attached patches for JSS and Dogtag that:
> > > > 
> > > > - add some new EncryptedPrivateKeyInfo export and import functions
> > > > to JSS
> > > > 
> > > > - update Dogtag's `pki pkcs12' command to use the new functions to
> > > > achieve AES encryption of the key bags, with wrapping/unwrapping
> > > > occurring on the token.
> > > > 
> > > > PKCS #12 files produced by current releases continue to import
> > > > properly (of course, this is an important test vector).
> > > > 
> > > > These patches do not address the PKCS #12 KRA recovery export; This
> > > > is my next task and separate patches will be produced.
> > > > 
> > > > Thanks,
> > > > Fraser
> 



Re: [Pki-devel] [PATCH] 0179 KRA: do not accumulate recovered keys in token

2017-04-26 Thread Fraser Tweedale
On Thu, Apr 06, 2017 at 05:22:34PM +1000, Fraser Tweedale wrote:
> The attached patch fixes a regression (I think?) where recovered
> keys accumulate in the key storage token.
> 
> Thanks,
> Fraser

Gerrit review: https://review.gerrithub.io/#/c/358632/
