Re: [Pki-devel] Gerrit submit type

2017-10-09 Thread Ade Lee
After discussion in CS meeting: Policy now set to "rebase if necessary". Ade On Mon, 2017-10-09 at 12:38 -0400, Ade Lee wrote: > Can you describe a bit the ramifications of this change and why it is > needed?   > > I notice that most of the Openstack projects

Re: [Pki-devel] [PATCH] 0163..0165 Include revocation reason in REST cert data

2017-03-13 Thread Ade Lee
ACK On Wed, 2017-02-22 at 12:12 +1000, Fraser Tweedale wrote: > The following patches add the revocation reason to the REST cert > data (i.e. GET /ca/rest/certs/{id}). > > Patches 0163 and 0164 were pushed under trivial rule. > > Please review 0165. > > Thanks, > Fraser >

[Pki-devel] [PATCH] 342 Add option to remove signing cert record (for migration)

2017-01-23 Thread Ade Lee
review, Ade From 56dd82d41c4d8dbf8678cbc6dfc7c1c05978f874 Mon Sep 17 00:00:00 2001 From: Ade Lee <a...@redhat.com> Date: Fri, 20 Jan 2017 11:01:41 -0500 Subject: [PATCH] Add option to remove signing cert entry In the migration case, it is useful to delete the initially created signing certi

Re: [Pki-devel] [PATCH] 339-340 fixes for new Key REST logic

2016-11-22 Thread Ade Lee
Acked by Endi. Pushed to Master. On Mon, 2016-11-21 at 18:33 -0500, Ade Lee wrote: > Patch 340: > commit 0e1c6e0634f5d3b3d4b8a3d7293b23f1953cf542 > Author: Ade Lee <a...@redhat.com> > Date:   Mon Nov 21 17:42:11 2016 -0500 > > Fix bug in getting secre

[Pki-devel] [PATCH] 339-340 fixes for new Key REST logic

2016-11-21 Thread Ade Lee
Patch 340: commit 0e1c6e0634f5d3b3d4b8a3d7293b23f1953cf542 Author: Ade Lee <a...@redhat.com> Date:   Mon Nov 21 17:42:11 2016 -0500 Fix bug in getting secrets from approved request When request was approved and retrieved through the rest interface, the corresponding vo

Re: [Pki-devel] [PATCH] 331-333 add support for synchronous key archival and recovery requests.

2016-11-11 Thread Ade Lee
Thanks for reviews (Endi and Jack).  Pushed to master with a few minor changes to auditing. Ade On Wed, 2016-11-09 at 10:59 -0500, Ade Lee wrote: > Based on feedback by Endi, I have reworked the patches. > As Endi pointed out, it makes little sense for the client to > determine

Re: [Pki-devel] [PATCH] 865 Moved policy framework classes to org.dogtagpki.legacy.

2016-11-09 Thread Ade Lee
ACK On Fri, 2016-11-04 at 17:54 -0500, Endi Sukma Dewata wrote: > To discourage the use of policy framework, the framework classes > have been moved into org.dogtagpki.legacy. > > https://fedorahosted.org/pki/ticket/6 > > ___ > Pki-devel mailing list

Re: [Pki-devel] [PATCH] 864 Generalized list of files in CMakeLists.txt.

2016-11-09 Thread Ade Lee
ACK On Fri, 2016-11-04 at 17:43 -0500, Endi Sukma Dewata wrote: > The list of source and class files in some CMake files have been > generalized to allow renaming Java packages without changing the > CMake files again. > > https://fedorahosted.org/pki/ticket/6 > > I've verified that the new

Re: [Pki-devel] [PATCH] 863 Reverted policy framework deprecation.

2016-11-09 Thread Ade Lee
ACK On Thu, 2016-11-03 at 23:14 -0500, Endi Sukma Dewata wrote: > To reduce Eclipse warnings, classes and methods related to policy > framework have been undeprecated. In the future the policy > framework may be removed since it has already been replaced with > the profile framework. > >

Re: [Pki-devel] [PATCH] 861 Replaced deprecated DefaultHttpClient.

2016-11-09 Thread Ade Lee
ACK On Thu, 2016-11-03 at 18:25 -0500, Endi Sukma Dewata wrote: > The deprecated DefaultHttpClient in SubsystemClient, CRMFPopClient, > and OCSPProcessor has been replaced with HttpClientBuilder. > > https://fedorahosted.org/pki/ticket/2531 > > Pushed to master under trivial/one-liner rule. >

Re: [Pki-devel] [PATCH] 0135 Do not attempt LWCA key retrieval for host authority

2016-09-21 Thread Ade Lee
ACK On Thu, 2016-09-22 at 12:13 +1000, Fraser Tweedale wrote: > Hi team, > > Please review the attached patch which fixes a regression in > two-step externally-signed CA installation. It is destined for 10.3 > branch as well as master. > > https://fedorahosted.org/pki/ticket/2466 > > Cheers,

Re: [Pki-devel] [PATCH] 0131..0132 Fix LWCA entryUSN handling

2016-09-06 Thread Ade Lee
pushed to master On Tue, 2016-09-06 at 17:17 -0400, Ade Lee wrote: > We still don't know how this state happened, but .. ack. > > Ade > On Wed, 2016-08-24 at 15:36 +1000, Fraser Tweedale wrote: > > The attached patches address a couple of issues related to handling > >

Re: [Pki-devel] [PATCH] 0130 Prevent deletion of host CA cert and key from NSSDB

2016-09-06 Thread Ade Lee
ack On Wed, 2016-08-24 at 15:34 +1000, Fraser Tweedale wrote: > Hi, > > Attached patch fixes https://fedorahosted.org/pki/ticket/2443. > > Thanks, > Fraser > ___ > Pki-devel mailing list > Pki-devel@redhat.com >

Re: [Pki-devel] [PATCH] 0131..0132 Fix LWCA entryUSN handling

2016-09-06 Thread Ade Lee
We still don't know how this state happened, but .. ack. Ade On Wed, 2016-08-24 at 15:36 +1000, Fraser Tweedale wrote: > The attached patches address a couple of issues related to handling > entryUSN attribute when reading lightweight CA entries. > > https://fedorahosted.org/pki/ticket/2444 > >

Re: [Pki-devel] [PATCH] 233 - fix incorrect URLs in CertRequestInfos

2016-09-02 Thread Ade Lee
Pushed to master on basis of trivial rule. Ade On Fri, 2016-09-02 at 16:14 -0400, Ade Lee wrote: > Fix CertRequestInfo URLs > > The URLs were generated by a UriBuilder that referred to the > resource's > annotated path. This top-level path chang

Re: [Pki-devel] [PATCH] 0128 Fix CA OCSP responder when LWCA's are not in use

2016-08-03 Thread Ade Lee
ACK On Wed, 2016-07-27 at 11:32 +1000, Fraser Tweedale wrote: > Hi team, > > The attached patch fixes https://fedorahosted.org/pki/ticket/2420. > > Thanks, > Fraser > ___ > Pki-devel mailing list > Pki-devel@redhat.com >

[Pki-devel] [PATCH] 329 - add pkispawn option to disable Master CRL

2016-08-03 Thread Ade Lee
Add pkispawn option to disable Master CRL. This is useful in the migration case. Please review, Ade From fe1e82ff8f0e89c0c359064cfb749ae475125c2a Mon Sep 17 00:00:00 2001 From: Ade Lee <a...@redhat.com> Date: Wed, 3 Aug 2016 23:55:53 -0400 Subject: [PATCH] Add pkispawn option to disable

[Pki-devel] [PATCH] 328 - fix trust settings for pki client-cert-import

2016-07-29 Thread Ade Lee
Fix client-cert-import to set provided trust bits Ticket 2412 From 0fd441eee679001a0c137193e32759a1068e839e Mon Sep 17 00:00:00 2001 From: Ade Lee <a...@redhat.com> Date: Fri, 29 Jul 2016 14:42:35 +0100 Subject: [PATCH] Fix client-cert-import to set provided trust bits Ticke

Re: [Pki-devel] [PATCH] 326 - re-license the python client code

2016-07-29 Thread Ade Lee
Small mod on wording (from legal) to allow v3+, and modify spec file to include the new license file. Ade On Thu, 2016-07-28 at 19:18 +0100, Ade Lee wrote: > In order to keep the Dogtag plugin in the Openstack Barbican source > tree, it is necessary to re-license the Python clien

[Pki-devel] [PATCH] 327 - small fix for SERVER_KEYGEN slot substitution

2016-07-29 Thread Ade Lee
Addresses Ticket 2418 - Some template substitution didn't happen during installation (specifically SERVER_KEYGEN) Please review, Ade From 27ffc1eb92232cba7816bdd50e8e8da288e6efad Mon Sep 17 00:00:00 2001 From: Ade Lee <a...@redhat.com> Date: Fri, 29 Jul 2016 12:23:39 +0100 Subject: [PAT

[Pki-devel] [PATCH] 326 - re-license the python client code

2016-07-28 Thread Ade Lee
makes the relevant changes. Please review. Thanks, Ade From 4b260467e28d62c17fddec5877a5c9c0bc91bf19 Mon Sep 17 00:00:00 2001 From: Ade Lee <a...@redhat.com> Date: Thu, 28 Jul 2016 10:36:50 +0100 Subject: [PATCH] Re-license the python client files to LGPLv3 --- base/common/LICENSE.

[Pki-devel] [DRAFT] general migration procedure to RHCS 9

2016-07-04 Thread Ade Lee
Hi all, In CS 9.1, there are a number of mechanisms that have been added to allow administrators to migrate from RHCS8 -> CS 9.1. These have been detailed here: http://pki.fedoraproject.org/wiki/Migrating_a_CA_using_existing_CA_mechanism In CS 9.0, many of the same mechanisms do not exist. I

[Pki-devel] Migration procedure from rhcs 8 to 9

2016-06-07 Thread Ade Lee
Hi all, In a followup to my widely popular previous post on migrating a top level CA from RHCS 8 -> 9 (http://pki.fedoraproject.org/wiki/Migrating_a_ca_with_hsm_using_existing_ca_mechanism), I've added a non-HSM based version which does the migration using a PKCS #12 file to migrate the signing

Re: [Pki-devel] [PATCH] 320 - pki-server db changes

2016-06-03 Thread Ade Lee
With patch this time: On Fri, 2016-06-03 at 08:59 -0400, Ade Lee wrote: > commit 9450b5f7695cc827cced6e86281694daa1e5c2c8 > Author: Ade Lee <a...@redhat.com> > Date: Thu Jun 2 09:41:35 2016 -0400 > > Add commands to db-server to help with DB related changes >

[Pki-devel] [PATCH] 320 - pki-server db changes

2016-06-03 Thread Ade Lee
commit 9450b5f7695cc827cced6e86281694daa1e5c2c8 Author: Ade Lee <a...@redhat.com> Date: Thu Jun 2 09:41:35 2016 -0400 Add commands to db-server to help with DB related changes Added pki-server kra-db-vlv-add, kra-db-vlv-del, kra-db-vlv-reindex Added pki-server db-schema-u

Re: [Pki-devel] [PATCH] 303-306 Various issues

2016-05-24 Thread Ade Lee
Patches 303, 305 and 306 have been modified as discussed and checked in. Patch 304 has been revised as discussed on IRC. Please review. Ade On Fri, 2016-05-20 at 17:00 -0500, Endi Sukma Dewata wrote: > On 5/20/2016 2:20 PM, Ade Lee wrote: > > Please review: > > > > Patc

[Pki-devel] [PATCH] 303-306 Various issues

2016-05-20 Thread Ade Lee
Please review: Patches listed in reverse order (306 -> 303) Ade commit e3d47aabee97773832d2f8ac7ff138314b44f646 Author: Ade Lee <a...@redhat.com> Date: Thu May 19 11:56:26 2016 -0400 Add revocation information to pki CLI output. The date on which the certificate i

Re: [Pki-devel] [PATCH] fix for existing CA for HSM

2016-05-12 Thread Ade Lee
Acked by Endi. Pushed to master. On Wed, 2016-05-11 at 23:11 -0400, Ade Lee wrote: > commit 5efd691e71f32b350737d95fe08f470164e60192 > Author: Ade Lee <a...@redhat.com> > Date: Thu May 12 00:35:41 2016 +0200 > > Fix existing ca setup to work with HSM > >

Re: [Pki-devel] [PATCH] 0106..0107 Add issuer DN to cert search params/result

2016-05-10 Thread Ade Lee
ACK. Is the new search parameter added to the CLI (either python or Java?) or displayed in cert info results from the CLI? How are these changes tested? Ade On Tue, 2016-05-10 at 13:49 +1000, Fraser Tweedale wrote: > Hi team, > > The attached patches add a search parameter for issuer DN, and

Re: [Pki-devel] [PATCH] patches for authz realm and fixing output on request rejection

2016-05-09 Thread Ade Lee
Thanks. Fixed as below. Pushed to master. On Mon, 2016-05-09 at 17:51 -0500, Endi Sukma Dewata wrote: > On 5/9/2016 2:18 PM, Ade Lee wrote: > > Patch descriptions .. in reverse order. > > > > Note that the CA setup for authz is further documented at > >

[Pki-devel] [PATCH] 302 - migration script for registry.cfg for realm

2016-05-09 Thread Ade Lee
Migration script to add entries for new constraints and defaults for authz realm changes. Please review, Thanks, Ade From 8dd438fe42060e29cbe4d6d55f81ff1c1b31d9b4 Mon Sep 17 00:00:00 2001 From: Ade Lee <a...@redhat.com> Date: Mon, 9 May 2016 17:24:29 -0400 Subject: [PATCH] Add migration

Re: [Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

2016-05-09 Thread Ade Lee
Isn't all this predicated on a schema change that adds the issuer as an optional field for the certRecord? Ade On Mon, 2016-05-09 at 17:15 +1000, Fraser Tweedale wrote: > Hi all, > > The following patch adds a pki-server subcommand for updating > certificate records to add the issuerName

[Pki-devel] [PATCH] patches for authz realm and fixing output on request rejection

2016-05-09 Thread Ade Lee
commit ad1fcecc2f36cc1ebc1f13efe3df9d1e138224b7 Author: Ade Lee <a...@redhat.com> Date: Mon May 9 15:00:20 2016 -0400 Add authz realm check for cert enrollment Ticket 2041 commit b5232ce101083409ed9a86e9057620cca7288f62 Author: Ade Lee <a...@redhat.com> Date: Sat May 7 00:06:08 20

Re: [Pki-devel] [PATCH] 297, 298 add validity check for external CA

2016-05-02 Thread Ade Lee
On Fri, 2016-04-22 at 16:37 -0500, Endi Sukma Dewata wrote: > On 4/22/2016 2:37 PM, Ade Lee wrote: > > commit 0fe7bf5ff989bbc24875dce30cec8f32e89c0a8f > > Author: Ade Lee <a...@redhat.com> > > Date: Fri Apr 22 15:31:43 2016 -0400 > > > > Add val

Re: [Pki-devel] [PATCH] 285 - 293 Patches for fine grained authz in the KRA

2016-04-25 Thread Ade Lee
Thanks, Pushed to master. On Wed, 2016-04-20 at 15:23 -0500, Endi Sukma Dewata wrote: > On 4/19/2016 9:47 PM, Ade Lee wrote: > > Some comments inline, although most of this was discussed on #irc. > > > > I have added two additional patches which are to be applied

[Pki-devel] [PATCH] 297, 298 add validity check for external CA

2016-04-22 Thread Ade Lee
commit 0fe7bf5ff989bbc24875dce30cec8f32e89c0a8f Author: Ade Lee <a...@redhat.com> Date: Fri Apr 22 15:31:43 2016 -0400 Add validity check for the signing certificate in pkispawn When either an existing CA or external CA installation is performed, use the pki-serve

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-21 Thread Ade Lee
ACK on latest 96 and 99. I will ask cfu or jmagne to look at the KeyRetrieveRunner logic today. Ade On Thu, 2016-04-21 at 14:58 +1000, Fraser Tweedale wrote: > Thanks Ade. Updated patch 0096 attached. Comments inline. > > On Wed, Apr 20, 2016 at 11:30:52AM -0400, Ade Lee wrote: >

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-20 Thread Ade Lee
can import it into NSS? Say it ain't so .. > > > > > > With custodia, we have a secure mechanism of transferring the > > > keys from > > > one server to another. It makes more sense to me to have the > > > server > > > kick off the custodia transfer and t

Re: [Pki-devel] [PATCH] 717 Fixed PKCS #12 export options.

2016-04-18 Thread Ade Lee
ACK On Mon, 2016-04-18 at 11:38 -0500, Endi Sukma Dewata wrote: > The CLIs for exporting PKCS #12 file have been modified to accept > options to export without trust flags, keys, and/or certificate > chain. > > https://fedorahosted.org/pki/ticket/1736 > >

Re: [Pki-devel] [PATCH] 285 - 293 Patches for fine grained authz in the KRA

2016-04-18 Thread Ade Lee
As promised, wiki documentation for this feature provided below: http://pki.fedoraproject.org/wiki/Kra_authz_realm Ade On Sat, 2016-04-16 at 17:24 -0400, Ade Lee wrote: > This is the main series of patches that implements fine grained > authorization in the KRA as described in : >

Re: [Pki-devel] [284] fix authority monitor so server can start up correctly

2016-04-15 Thread Ade Lee
Acked by Endi through IRC. Pushed to master: To ssh://vakw...@git.fedorahosted.org/git/pki.git 88e963d..0c5fb1e master -> master On Fri, 2016-04-15 at 14:44 -0400, Ade Lee wrote: > Author: Ade Lee <a...@redhat.com> > Date: Fri Apr 15 14:36:00 2016 -0400 > > Add

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-14 Thread Ade Lee
. The server would then need to await status from the custodia/retriever process - and then initialize the signing unit from the NSS DB. Or am I completely confused? Ade On Thu, 2016-04-14 at 16:35 -0400, Ade Lee wrote: > Still reviewing .. ACK on 87-95 (inclusive). > > On Thu, 2

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-13 Thread Ade Lee
isfy these requirements automatically on install or upgrade > but if you want to test this patch LMK and I'll provide detailed > instructions. > > [1] https://www.redhat.com/archives/freeipa-devel/2016-April/msg00055.html > > Other comments inline. > > Ch

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-13 Thread Ade Lee
inline. > > Cheers, > Fraser > > On Fri, Apr 08, 2016 at 11:16:19AM -0400, Ade Lee wrote: > > > > 0087 > > > > 1. In SigningUnit.java -- you catch an ObjectNotFound exception and > > rethrow that as a CAMissingKey exception. Is that the only wa

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-03-24 Thread Ade Lee
A few comments. 1. One of the first things that struck me as odd was making CertificateAuthority implement Runnable. I think it would be cleaner to have a static inner class called AuthorityMonitor or similar to which we pass in the CertificateAuthority. 2. I do like the fact that the caMap

Re: [Pki-devel] [PATCH] 699 Fixed exception handling in EnrollProfile.

2016-03-23 Thread Ade Lee
ACK On Mon, 2016-03-21 at 11:55 -0500, Endi Sukma Dewata wrote: > To help troubleshooting the EnrollProfile has been modified to > log the stack trace and chain the exception. > > https://fedorahosted.org/pki/ticket/1654 > > ___ > Pki-devel mailing

Re: [Pki-devel] [PATCH] 698 Added support for cloning 3rd-party CA certificates.

2016-03-18 Thread Ade Lee
ack On Fri, 2016-03-18 at 11:31 -0500, Endi Sukma Dewata wrote: > The installation code has been modified such that it imports all > CA certificates from the PKCS #12 file for cloning before the > server is started using certutil. The user certificates will > continue to be imported using the

Re: [Pki-devel] [PATCH] 0057-0059 RHEL fixes and preparations for Python 3

2016-03-03 Thread Ade Lee
ACK On Wed, 2016-03-02 at 19:47 +0100, Christian Heimes wrote: > Hi, > > here are three patches that I'd like to push upstream before I finalize my > Python 3 branch. > > The first patch addresses an incompatibility with python-sphinx 1.1 > that > I introduced last week. The change is required to

Re: [Pki-devel] [PATCH] 281 - separate pki-base into python and java components

2016-03-01 Thread Ade Lee
Thanks. Fixed. Pushed to master. To ssh://vakw...@git.fedorahosted.org/git/pki.git 11f8fbb..49e4fff master -> master On Tue, 2016-03-01 at 12:44 +0100, Christian Heimes wrote: > On 2016-03-01 06:53, Ade Lee wrote: > > In this patch, I move all java components (and requirements)

[Pki-devel] [PATCH] 278 - handle external certs

2016-02-29 Thread Ade Lee
00:00:00 2001 From: Ade Lee <a...@redhat.com> Date: Sat, 27 Feb 2016 02:32:14 -0500 Subject: [PATCH] Handle import and export of external certs Ticket 1742 has a case where a third party CA certificate has been added by IPA to the dogtag certdb for the proxy cert. There is no way to

Re: [Pki-devel] [PATCH] 277 - add precheck option to pkispawn

2016-02-26 Thread Ade Lee
acked by Endi. Pushed to master. On Tue, 2016-02-23 at 14:43 -0500, Ade Lee wrote: > Add precheck option to pkispawn. This runs various tests > without actually doing any installation to ensure that the > pkispawn parameters are sane. > > https://fedorahosted.org/pki/ticket/2

Re: [Pki-devel] [PATCH] 0050 Lightweight CAs: ensure disabled CA cannot create sub-CA

2016-02-22 Thread Ade Lee
ACK - Looks like our integration framework isn't there yet, and no reason to hold this up till it is. On Fri, 2015-10-02 at 14:35 -0400, Ade Lee wrote: > Conditional ACK. > > The patch itself is fine. However, its time we got into the habit of > adding functional tests for f

Re: [Pki-devel] [PATCH] 275 - remove dnsdomainname check

2016-02-10 Thread Ade Lee
Thanks for the check Endi. Let's try this again. This time, we default instead to the hostname, instead of exiting. Ade On Tue, 2016-02-09 at 11:38 -0600, Endi Sukma Dewata wrote: > On 2/9/2016 10:53 AM, Ade Lee wrote: > > This check is unnecessary and is breaking continuous in