Re: [Pki-devel] Certificate Transparency SCT signature verification?

2020-06-15 Thread Christina Fu
> Fraser > > On Thu, Jun 11, 2020 at 05:08:25PM -0700, Christina Fu wrote: > > HI Fraser, > > verifySCT still fails. I still think the fact the rfc does not require > the > > signed object to accompany the signature presents undue challenge to the > > par

Re: [Pki-devel] Certificate Transparency SCT signature verification?

2020-06-11 Thread Christina Fu
CT returns success for now just so people could still play with CT. Much appreciated! Christina On Tue, Jun 2, 2020 at 3:05 PM Christina Fu wrote: > Hi Fraser, > Thanks for the response! > Regarding the poison extension, yes I was aware that it needed to be > removed so the code

Re: [Pki-devel] Certificate Transparency SCT signature verification?

2020-06-02 Thread Christina Fu
. Finally, nice catch with the missing data length!! I'll add that and go from there. thanks again! Christina On Mon, Jun 1, 2020 at 7:31 PM Fraser Tweedale wrote: > Hi Christina, > > Adding pki-devel@ for wider audience. Comments below. > > On Mon, Jun 01, 2020 at 06:28:42PM -070

Re: [Pki-devel] KRA Admin certificate

2019-12-20 Thread Christina Fu
After running pkispawn to install KRA, you should see an "Installation Summary" displayed where it shows where to locate the PKCS #12 file. The p12 file is a package consisting of your admin cert and its keys. Password is what you specified in your pkispawn config file. For more detail, check

[Pki-devel] [PATCH] Ticket-2757-CMC-enrollment-profiles-for-system-certi.patch (First Part - non-TMS)

2017-07-06 Thread Christina Fu
here: http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29 The 2nd part (TMS) will be submitted soon. thanks, Christina From e471035822a5447fddc67c8abf8a1a0ffb9a5bcf Mon Sep 17 00:00:00 2001 From: Christina Fu <c...@redhat.com> Date: M

Re: [Pki-devel] [pki-devel][PATCH] 0098-SCP03-support-fix-Key-Changeover-with-HSM-RHCS.patch

2017-06-29 Thread Christina Fu
looks good. ACK. Christina On 06/29/2017 03:43 PM, John Magne wrote: [PATCH] SCP03 support: fix Key Changeover with HSM (RHCS) Ticket #2764. This relatively simple fix involves making sure the correct crypto token is being used to search for the master key in the case of symmetric key

Re: [Pki-devel] [PATCH] Ticket-2616-CMC-replace-id-cmc-statusInfo-with-id-cm.patch

2017-06-21 Thread Christina Fu
and here is the patch... On 06/21/2017 05:29 PM, Christina Fu wrote: This patch addresses: https://pagure.io/dogtagpki/issue/2616 CMC: replace id-cmc-statusInfo with id-cmc-statusInfoV2 See patch comment for detail. thanks, Christina

[Pki-devel] [PATCH] Ticket-2616-CMC-replace-id-cmc-statusInfo-with-id-cm.patch

2017-06-21 Thread Christina Fu
This patch addresses: https://pagure.io/dogtagpki/issue/2616 CMC: replace id-cmc-statusInfo with id-cmc-statusInfoV2 See patch comment for detail. thanks, Christina

[Pki-devel] [PATCH] Ticket-2619-Allow-CA-to-process-user-signed-CMC-revo.patch

2017-06-07 Thread Christina Fu
00:00:00 2001 From: Christina Fu <c...@redhat.com> Date: Tue, 30 May 2017 14:12:06 -0700 Subject: [PATCH] Ticket #2619 Allow CA to process user-signed CMC revocation requests First of all, the original CMC revocation only supports agent-signed CMC revocation requests from the

Re: [Pki-devel] [PATCH] Ticket-2617-part2-add-revocation-check-to-signing-ce.patch

2017-06-06 Thread Christina Fu
Received verbal ack from jmagne. pushed to master: commit 380f7fda040cc5d394e34eead45ebb921532cc07 thanks, Christina On 06/05/2017 09:03 AM, Christina Fu wrote: This patch adds the missing revocation check (and possibly validity check) to https://pagure.io/dogtagpki/issue/2617 Allow CA

[Pki-devel] [PATCH] Ticket-2617-part2-add-revocation-check-to-signing-ce.patch

2017-06-06 Thread Christina Fu
for revocation status when I used a revoked cert to sign the cmc request. I am adding revocation and validity checks to make sure that the check is more complete. thanks, Christina From 380f7fda040cc5d394e34eead45ebb921532cc07 Mon Sep 17 00:00:00 2001 From: Christina Fu <c...@redhat.com>

Re: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch

2017-05-22 Thread Christina Fu
: "Christina Fu" <c...@redhat.com> To: pki-devel@redhat.com Sent: Friday, May 19, 2017 5:31:37 PM Subject: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch This patch is for https://pagure.io/dogtagpki/issue/2618 allow CA to process pre-signed

[Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch

2017-05-19 Thread Christina Fu
and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true. Thanks, Christina From 63af93d4b7ba2bdda405bb585ed1e4c096e7ceb2 Mon Sep 17 00:00:00 2001 From: Christina Fu <c...@redhat.com> Date: Fri, 19 Ma

Re: [Pki-devel] [PATCH] Bug-1447145-CMC-cmc.popLinkWitnessRequired-false-wou.patch

2017-05-02 Thread Christina Fu
pushed to master: commit c95cff5899e2975b16db61b811b626742e5e7114 thanks! Christina On 05/02/2017 11:43 AM, John Magne wrote: Makes sense. ACK if tested to work. - Original Message - From: "Christina Fu" <c...@redhat.com> To: pki-devel@redhat.com Sent: Monday, May

Re: [Pki-devel] [PATCH] #2614 CMC: id-cmc-popLinkWitnessV2 feature implementation

2017-04-13 Thread Christina Fu
, identified with - Original Message - From: "Christina Fu" <c...@redhat.com> To: pki-devel@redhat.com Sent: Thursday, April 13, 2017 5:03:06 PM Subject: [Pki-devel] [PATCH] #2614 CMC: id-cmc-popLinkWitnessV2 feature implementation Please review. th

[Pki-devel] [PATCH] #2614 CMC: id-cmc-popLinkWitnessV2 feature implementation

2017-04-13 Thread Christina Fu
Please review. thanks! Christina From 23f532da661f2528c47df67c8663a0f4f96401ea Mon Sep 17 00:00:00 2001 From: Christina Fu <c...@redhat.com> Date: Thu, 13 Apr 2017 16:53:58 -0700 Subject: [PATCH] Ticket #2614 CMC: id-cmc-popLinkWitnessV2 feature implementation This patch provides th

Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-11 Thread Christina Fu
Thank you. Please see review comments: https://bugzilla.mozilla.org/show_bug.cgi?id=1355358#c6 I will review PKCS12Util later. Christina On 04/10/2017 11:30 PM, Fraser Tweedale wrote: On Thu, Apr 06, 2017 at 03:45:55PM -0700, Christina Fu wrote: Hi Fraser, Could you please do

Re: [Pki-devel] [pki-devel][PATCH] 0091-SCP03 support for g 7 card.patch

2017-04-10 Thread Christina Fu
looks fine. ack. Christina On 03/29/2017 11:22 AM, John Magne wrote: [PATCH] SCP03 support for g sc 7 card. Ticket: https://pagure.io/dogtagpki/issue/1663 Add SCP03 support This allows the use of the g 7 card. This will require the following: 1. An out of band method is needed to

Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-06 Thread Christina Fu
Hi Fraser, Could you please do the following first? 1. file a Mozilla bugzilla bug for this against Product JSS Release 4.4.1, then assign to yourself: https://bugzilla.mozilla.org/ 2. After making sure your patch compiles well with the 4.4.1 base, attach the patch to that ticket, and mark

[Pki-devel] [PATCH] Bug-2615-CMC-cleanup-code-for-Encrypted-Decrypted-PO.patch

2017-03-27 Thread Christina Fu
: Christina Fu <c...@redhat.com> Date: Sun, 26 Mar 2017 17:34:51 -0400 Subject: [PATCH] Bug #2615 CMC: cleanup code for Encrypted Decrypted POP This patch adds more error checking and debugging --- .../netscape/cms/profile/common/EnrollProfile.java | 190 - .../cms/servlet/

[Pki-devel] [PATCH] Issuance Protection Cert establishment and convenience crypto routines

2017-03-17 Thread Christina Fu
materializes. thanks, Christina From db2a9326ed3c93e0463444900875021d269f27ae Mon Sep 17 00:00:00 2001 From: Christina Fu <c...@redhat.com> Date: Fri, 17 Mar 2017 11:49:41 -0700 Subject: [PATCH] pagure#2605 CMC feature: id-cmc-identityProofV2 per rfc5272 (part 1) This patch provide

[Pki-devel] [PATCH] Issuance Protection Cert establishment and convenience encrypt/decrypt/hash routines

2017-03-17 Thread Christina Fu
rom db2a9326ed3c93e0463444900875021d269f27ae Mon Sep 17 00:00:00 2001 From: Christina Fu <c...@redhat.com> Date: Fri, 17 Mar 2017 11:49:41 -0700 Subject: [PATCH] pagure#2605 CMC feature: id-cmc-identityProofV2 per rfc5272 (part 1) This patch provides methods that can be shared between the CA and the ISharedToken pl

Re: [Pki-devel] [PATCH] 957 Added access banner for PKI UI.

2017-02-23 Thread Christina Fu
I only have time to play with it. So this review is not based on code reading. I was able to trigger a session timeout and the banner appears again as expected. So from that point of view, as long as the patches don't break existing banner-ignorant clients, ack. And again, please make sure

Re: [Pki-devel] [PATCH] 957 Added access banner for PKI UI.

2017-02-22 Thread Christina Fu
On 02/22/2017 04:51 PM, Christina Fu wrote: First, as discussed over irc, the banner should be re-displayed when an ssl session ends. Sounds like sessionStorage might not do what is expected. correction. I meant to say "the banner should be re-displayed when an ssl session

Re: [Pki-devel] [PATCH] 957 Added access banner for PKI UI.

2017-02-22 Thread Christina Fu
First, as discussed over irc, the banner should be re-displayed when an ssl session ends. Sounds like sessionStorage might not do what is expected. Please also make sure the resulting code works with IE. thanks! Christina On 02/22/2017 11:57 AM, Endi Sukma Dewata wrote: The PKI UI main

Re: [Pki-devel] [PATCH] 918 Replaced CryptoManager.getTokenByName().

2017-01-25 Thread Christina Fu
A lot of areas (both on server and on various tools) have been touched, although the changes are simple in nature and are all similar. Please make sure everything that's touched by this patch are still working. ACK if all tested to work. thanks, Christina On 01/25/2017 06:41 AM, Endi

Re: [Pki-devel] [PATCH] 916 Updated CryptoUtil.

2017-01-25 Thread Christina Fu
looks good. Only requesting to have comment for isInternalToken() to explain why if name is empty it's considered true. conditional ACK if tested to work. thanks, Christina On 01/25/2017 06:41 AM, Endi Sukma Dewata wrote: The CryptoUtil has been modified to provide separate methods to

[Pki-devel] [PATCH] pki-cfu-0159-Ticket-1741-ECDSA-certs-Alg-IDs-contian-parameter-fi.patch

2017-01-20 Thread Christina Fu
rom 5e914a3855d95a0bbca5fc565757fea5e40f16a1 Mon Sep 17 00:00:00 2001 From: Christina Fu <c...@dhcp-16-189.sjc.redhat.com> Date: Fri, 20 Jan 2017 16:01:17 -0800 Subject: [PATCH] Ticket #1741 ECDSA certs Alg IDs contian parameter field Per rfc5758, When the ecdsa-with-SHA224, ecdsa-with-SHA2

Re: [Pki-devel] [pki-devel][PATCH] 0086-Ticket-2569-Token-memory-not-wiped-after-key-deletio.patch

2017-01-05 Thread Christina Fu
Overall, it looks good. Just some minor suggestions, mostly for clarification purposes. * SecureChannel.java : clearAppletKeySlotData - would appreciate comments describing the content and format expected in the input "data" - maybe a positive debug message after the successful cleanup

Re: [Pki-devel] [PATCH] pki-cfu-0157-Ticket-2534-additional-reset-cert-status-after-succe.patch

2017-01-04 Thread Christina Fu
Thanks! pushed to master: commit c1656bd16dfca8bb5eef4436ee64b95daaac70c8 Christina On 01/04/2017 11:50 AM, John Magne wrote: Looks good. Looks like we are now updating the proper entry each time when unrevoking. If tested to work, ACK - Original Message - From: "Christi

[Pki-devel] [PATCH] pki-cfu-0157-Ticket-2534-additional-reset-cert-status-after-succe.patch

2017-01-04 Thread Christina Fu
successfully on the CA. thanks, Christina From c1656bd16dfca8bb5eef4436ee64b95daaac70c8 Mon Sep 17 00:00:00 2001 From: Christina Fu <c...@dhcp-16-189.sjc.redhat.com> Date: Wed, 4 Jan 2017 11:20:06 -0800 Subject: [PATCH] Ticket #2534 (additional) - reset cert status after successful

[Pki-devel] [PATCH] pki-cfu-0156-Ticket-2534-Automatic-recovery-of-encryption-cert-CA.patch

2016-11-18 Thread Christina Fu
tracks its own recovered certificate status, it is consolidated with the certificate status tracking mechanism added in this patch so that they can be uniformly managed. thanks, Christina From d81e2a31181c7d8487171fd7fb7c64bc87296c39 Mon Sep 17 00:00:00 2001 From: Christina Fu <c...@dhcp-

Re: [Pki-devel] [pki-devel][PATCH]

2016-11-16 Thread Christina Fu
I compared this patch with the original C patch. There was a check in C that does not exist in your Java patch: 1019 if(data.size() != 3){ 1020 lifecycle = 0xf0; 1021 RA::Error(LL_PER_PDU, "RA_Processor::GetLifecycle", "apdu response is the wrong size, the

Re: [Pki-devel] [PATCH] 866 Fixed problem installing subordinate CA with HSM in FIPS mode.

2016-11-15 Thread Christina Fu
looks good. if tested to work, ack. Christina On 11/15/2016 01:57 PM, Endi Sukma Dewata wrote: Due to certutil issue (bug #1393668) the installation code has been modified to import certificates into the NSS database in two steps. This workaround is needed to install subordinate CA with HSM

[Pki-devel] simple TPS debug messages added

2016-10-24 Thread Christina Fu
qualifies for "simple checkin that does not affect code". commit 443dcb1914f010ce8fc7c737dd8163e05a3d71db Author: Christina Fu <c...@dhcp-16-189.sjc.redhat.com> Date: Mon Oct 24 09:59:42 2016 -0700 a few simple debugging messages in TPS that will make debugging eas

Re: [Pki-devel] [pki-devel][PATCH] 0084-TPS-token-enrollment-fails-to-setupSecureChannel-whe.patch

2016-10-21 Thread Christina Fu
Just a minor suggestion. Endi added in CryptoUtil.java lately to fix similar FIPS related issue: isInternalToken(). You might want to take advantage of that instead as it does ignore case. It's up to you. ACK. Christina On 10/20/2016 03:24 PM, John Magne wrote: TPS token enrollment

Re: [Pki-devel] [pki-devel][PATCH] 0083-PIN_RESET-policy-is-not-giving-expected-results-when.patch

2016-10-19 Thread Christina Fu
code looks fine. If tested to work, ACK. Christina On 10/18/2016 07:02 PM, John Magne wrote: PIN_RESET policy is not giving expected results when set on a token. Simple fix to actually honor the PIN_RESET=or policy for a given token. Minor logging improvements added as well for

Re: [Pki-devel] [pki-devel][PATCH] 0082-Cert-Key-recovery-is-successful-when-the-cert-serial.patch

2016-10-18 Thread Christina Fu
If tested to work for all cases, ACK. Christina On 10/18/2016 03:22 PM, John Magne wrote: Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches Fixes this bug #1381375. The portion this patch fixes involves URL encoding glitch we

Re: [Pki-devel] [PATCH] 844 Fixed CryptoUtil.getTokenName().

2016-10-18 Thread Christina Fu
Code looks good. ACK if tested to work in both FIPS and non-FIPS, with or without HSM. Might be a future exercise to find out where the string "Internal Key Storage Token" comes from. Christina On 10/13/2016 06:57 PM, Endi Sukma Dewata wrote: The CryptoUtil.getTokenName() has been

Re: [Pki-devel] Fwd: [pli-devel][PATCH] 0081-Fix-for-Add-ability-to-disallow-TPS-to-enroll-a-sing.patch

2016-10-07 Thread Christina Fu
Code looks good. One suggestion. Since we have to appease to the current NSS way of looking up certs, how about making the default true so that it will keep the old encryption certs by default? Of course we are taking up more space now on the token when it's true, so we should plan to

Re: [Pki-devel] [PATCH] pki-cfu-0153-Ticket-2496-Cert-Key-recovery-is-successful-when-the.patch

2016-10-07 Thread Christina Fu
s a small chance of impact to certain external reg features, such as retention, it might make sense to recommend a quick sanity test of the external reg feature after this. In the future we might want to more strongly discourage the keyid pathway. - Original Message - From: &

Re: [Pki-devel] [PATCH] pki-cfu-0151-Ticket-2446-pkispawn-make-subject_dn-defaults-unique.patch

2016-08-31 Thread Christina Fu
pushed to master: commit 1195ee9d6e45783d238edc1799363c21590febce thanks, Christina On 08/31/2016 03:29 PM, Endi Sukma Dewata wrote: ACK. -- Endi S. Dewata - Original Message - Patch for https://fedorahosted.org/pki/ticket/2446 pkispawn: make subject_dn defaults unique per

[Pki-devel] [PATCH] pki-cfu-0151-Ticket-2446-pkispawn-make-subject_dn-defaults-unique.patch

2016-08-31 Thread Christina Fu
Patch for https://fedorahosted.org/pki/ticket/2446 pkispawn: make subject_dn defaults unique per instance name (for shared HSM) Please review. thanks, Christina From 1195ee9d6e45783d238edc1799363c21590febce Mon Sep 17 00:00:00 2001 From: Christina Fu <c...@dhcp-16-189.sjc.redhat.com

Re: [Pki-devel] JSS/NSS

2016-08-09 Thread Christina Fu
On 08/09/2016 05:34 PM, Christina Fu wrote: On 08/07/2016 06:17 PM, Fraser Tweedale wrote: On Fri, Aug 05, 2016 at 10:10:22AM -0700, George Wash wrote: Are there any plans on the dogtag roadmap to ever migrate away from using JSS/NSS? Hi George, I don't think there are any such plans

[Pki-devel] [PATCH] pki-cfu-0150-Ticket-2428-broken-request-links-for-CA-s-system-cer.patch

2016-08-04 Thread Christina Fu
Attached please find the patch that fixes the broken link from cert->request or just simply visiting request records from agent page on CA's system certs. thanks, Christina From 4f4e08db5034daa63519fa68d766f6d5b37651d6 Mon Sep 17 00:00:00 2001 From: Christina Fu <c...@dh

Re: [Pki-devel] [PATCH] Bug 1203407 - tomcatjss: missing ciphers

2016-06-30 Thread Christina Fu
got verbal ack from Jack. Pushed to master (the dogtag patch): commit f0ad71e8a4fbae665a6b4875cce5b82895ad74f0 tomcatjss will be built in the next few days. Christina On 06/30/2016 03:04 PM, Christina Fu wrote: The tomcatjss patch address: *Bug 1203407* <https://bugzilla.redhat.

[Pki-devel] [PATCH] Bug 1203407 - tomcatjss: missing ciphers

2016-06-30 Thread Christina Fu
} catch (Exception e) { +System.err.println("SSLSocket.setCipherPreferenceDefault exception:" +e); if (eccCipherMap.containsKey(cipherid)) { System.err .println("Warning:

Re: [Pki-devel] [PATCH] pki-cfu-0144-Ticket-1306-config-params-Add-granularity-to-token-t.patch

2016-06-30 Thread Christina Fu
got verbal ack from Jack. Pushed to master: commit 63a58cf51ef2982e8a35eff1f98dd42453e5681e thanks, Christina On 06/30/2016 02:11 PM, Christina Fu wrote: This patch is for https://fedorahosted.org/pki/ticket/1306 [RFE] Add granularity to token termination in TPS It 1. adds the missing

[Pki-devel] [PATCH] pki-cfu-0144-Ticket-1306-config-params-Add-granularity-to-token-t.patch

2016-06-30 Thread Christina Fu
This patch is for https://fedorahosted.org/pki/ticket/1306 [RFE] Add granularity to token termination in TPS It 1. adds the missing parameters 2. adds a table for revocation code thanks, Christina From 63a58cf51ef2982e8a35eff1f98dd42453e5681e Mon Sep 17 00:00:00 2001 From: Christina Fu

Re: [Pki-devel] [pki-devel] [PATCH] 0074-Add-ability-to-disallow-TPS-to-enroll-a-single-user-.patch

2016-06-27 Thread Christina Fu
Just a few minor ones. * configuration parameters referencing token existence in tokendb should use names begin with "tokendb". e.g. tokendb.allowMultiActiveTokensPerUser.externalReg=false tokendb.allowMultiActiveTokensPerUser.nonExternalReg=false * boolean allowMultiCerts -- I

Re: [Pki-devel] [PATCH] 779 Fixed problem reading HSM password from password file.

2016-06-24 Thread Christina Fu
Looks like might do it. If tested to work (borrow a vm from QE if you don't have one), ack. Christina On 06/24/2016 03:45 PM, Endi Sukma Dewata wrote: A new method get_token_password() has been added into PKIInstance Python class in order to read the token password correctly from

[Pki-devel] [PATCH] pki-cfu-0139-Ticket-2298-Part3-trim-down-debug-log-in-non-TMS-crm.patch

2016-06-17 Thread Christina Fu
patch, CS.cfg is introduced a new profile, which accidentally got copied in a hard coded path, which is fixed too. thanks, Christina From 62d8908d91e74320db647b939c0d9900c09d0608 Mon Sep 17 00:00:00 2001 From: Christina Fu <c...@redhat.com> Date: Fri, 17 Jun 2016 14:48:17 -0700 Subjec

Re: [Pki-devel] [PATCH] pki-cfu-0131-Ticket-2335-Missing-activity-logs-when-formatting-en.patch

2016-06-06 Thread Christina Fu
) thanks, Christina On 06/06/2016 09:14 AM, Christina Fu wrote: Hi Endi, first, thanks for the review! Please see my response in-line below. thanks, Christina On 06/05/2016 01:39 PM, Endi Sukma Dewata wrote: On 6/3/2016 7:29 PM, Christina Fu wrote: https://fedorahosted.org/pki/ticket/2335 Ticket

[Pki-devel] [PATCH] pki-cfu-0131-Ticket-2335-Missing-activity-logs-when-formatting-en.patch

2016-06-03 Thread Christina Fu
001 From: Christina Fu <c...@redhat.com> Date: Fri, 3 Jun 2016 17:26:47 -0700 Subject: [PATCH] Ticket #2335 Missing activity logs when formatting/enrolling unknown token This patch adds activity logs for adding unknown token during format or enrollment --- base/tps/src/org/dogtagpki/s

Re: [Pki-devel] [pki-devel][PATCH] 0069-Show-KeyOwner-info-when-viewing-recovery-requests.patch

2016-06-03 Thread Christina Fu
while the patch works, I think the original code logic is somehow flawed in a way that it uses the "profile" attribute to determine whether the request was non-TMS archival requests, and if null it treats it as TMS. It would make better sense if we add a separate case instead of lumping the

Re: [Pki-devel] [PATCH] pki-cfu-0129-Ticket-2352-TMS-missing-netkeyKeyRecovery-requests-o.patch

2016-06-03 Thread Christina Fu
er can explore the new options provided for TMS related requests if they so choose. - Original Message - From: "Christina Fu" <c...@redhat.com> To: "pki-devel" <pki-devel@redhat.com> Sent: Friday, June 3, 2016 10:22:07 AM Subject: [Pki-devel] [PATCH] p

[Pki-devel] [PATCH] pki-cfu-0123-Ticket-1665-Cert-Revocation-Reasons-not-being-update.patch

2016-05-24 Thread Christina Fu
:00:00 2001 From: Christina Fu <c...@redhat.com> Date: Mon, 23 May 2016 16:22:54 -0700 Subject: [PATCH] Ticket 1665 - Cert Revocation Reasons not being updated when on-hold This patch fixes the following areas: * In the CA, when revokeCert is called, make it possible to move from on_hold

[Pki-devel] Karma Request for JSS 4.2.6-39 on Fedora 24

2016-05-19 Thread Christina Fu
The following candidate builds of JSS 4.2.6-39 for Fedora 24 (final) consist of the following: jss-4.2.6-39.fc24 Please provide Karma for these builds in Bodhi located at:

Re: [Pki-devel] [pki-devel][PATCH] 0064-Port-symkey-JNI-to-Java-classes.patch

2016-05-18 Thread Christina Fu
to cfu for careful review. Also enclosed responses to comments, for convenience. - Original Message - From: "Christina Fu" <c...@redhat.com> To: pki-devel@redhat.com Sent: Friday, May 13, 2016 11:34:17 AM Subject: Re: [Pki-devel] [pki-devel][PATCH] 0064-Port-sy

Re: [Pki-devel] [PATCH] pki-cfu-0122-Ticket-1527-reopened-retrieved-wrong-ca-connector-co.patch

2016-05-18 Thread Christina Fu
, TPSStatus.STATUS_ERROR_CONTACT_ADMIN - Original Message - From: "Christina Fu" <c...@redhat.com> To: "pki-devel" <pki-devel@redhat.com> Sent: Tuesday, May 17, 2016 6:13:01 PM Subject: [Pki-devel] [PATCH] pki-cfu-0122-Ticket-1527-reopened-retrieved-wrong-ca-

[Pki-devel] [PATCH] pki-cfu-0122-Ticket-1527-reopened-retrieved-wrong-ca-connector-co.patch

2016-05-17 Thread Christina Fu
t Tested to work. thanks, Christina From 81a475e7a8fe0ff086047bf3295abea253a7e394 Mon Sep 17 00:00:00 2001 From: Christina Fu <c...@redhat.com> Date: Tue, 17 May 2016 17:57:11 -0700 Subject: [PATCH] Ticket #1527 (reopened) retrieved wrong ca connector config parameter This ticket was

Re: [Pki-devel] [pki-devel][PATCH] 0064-Port-symkey-JNI-to-Java-classes.patch

2016-05-13 Thread Christina Fu
Hi, First of all, I have to say that Jack did a wonderful job on such a daunting task. The sheer amount of code and complexity does make the review more challenging, but I dug through them with my teeth and claws regardless ;-). We discussed and think we should postpone the checkin to next

[Pki-devel] 0119-Ticket-2303-Key-recovery-fails-with-KRA-on-lunaSA.patch

2016-05-06 Thread Christina Fu
; isExtractable = PR_TRUE; } From faadd5d9635fcf2c5ab2e02cc09a3f1caca1e0ad Mon Sep 17 00:00:00 2001 From: Christina Fu <c...@redhat.com> Date: Fri, 6 May 2016 10:40:55 -0700 Subject: [PATCH] Ticket #2303 Key recovery fails with KRA on lunaSA Thi

Re: [Pki-devel] [pki-devel][PATCH] 0066-TPS-auth-special-characters-fix.patch

2016-05-03 Thread Christina Fu
ACK On 04/27/2016 01:59 PM, John Magne wrote: TPS auth special characters fix. Ticket #1636. Smartcard token enroll/format fails when the ldap user has special characters in userid or password Tested with both esc and tpsclient. The problem was when using a real

Re: [Pki-devel] Dogtags Website Down (Help!)

2016-04-12 Thread Christina Fu
Also, Mike, it might be a good idea to subscribe to the mailing lists. Christina On 04/12/2016 09:30 AM, Christina Fu wrote: Hi Mike, It appears that they are still working on it. Is there anything specific that you are looking for? About whether there are any other resources, I just

Re: [Pki-devel] Dogtags Website Down (Help!)

2016-04-12 Thread Christina Fu
Hi Mike, It appears that they are still working on it. Is there anything specific that you are looking for? About whether there are any other resources, I just googled and found some Youtube on how to install a Dogtag CA And here is some guy's link:

Re: [Pki-devel] Trouble enrolling with SSCEP

2016-04-11 Thread Christina Fu
pr 8, 2016 at 9:58 PM, Christina Fu <c...@redhat.com> wrote: Hi Hayg, I am running Fedora 22 so I'm not sure if there is any difference at all. I would like to understand your issue(s) better. When you said th

Re: [Pki-devel] Trouble enrolling with SSCEP

2016-04-08 Thread Christina Fu
Hi Hayg, I am running Fedora 22 so I'm not sure if there is any difference at all. I would like to understand your issue(s) better. When you said that your request failed because it was "getting deferred", does that mean you have it in the enrollment profile for manual approval? In other

Re: [Pki-devel] [PATCH] pki-cfu-0117-Ticket-1519-token-format-should-delete-certs-from-to.patch

2016-04-06 Thread Christina Fu
pushed to master commit ca8febca42bdb278d5fbfc641333c4bd1fe7a9be thanks, Christina On 04/05/2016 06:05 PM, John Magne wrote: ACK: Just maybe make a method out of that in case we might need it elsewhere. - Original Message - From: "Christina Fu" <c...@redhat.com> To:

[Pki-devel] [PATCH] pki-cfu-0116-Ticket-1006-Audit-logging-for-TPS-REST-operations.patch

2016-03-24 Thread Christina Fu
From: Christina Fu <c...@redhat.com> Date: Thu, 24 Mar 2016 16:23:05 -0700 Subject: [PATCH] Ticket #1006 Audit logging for TPS REST operations --- .../src/com/netscape/certsrv/logging/IAuditor.java | 3 +- .../com/netscape/cms/servlet/base/PKIService.java | 15 ++ .../org/dogtagpki/serve

Re: [Pki-devel] [PATCH] pki-cfu-0115-Ticket-1007-TPS-audit.patch

2016-02-15 Thread Christina Fu
. - Original Message - From: "Christina Fu" <c...@redhat.com> To: "pki-devel" <pki-devel@redhat.com> Sent: Friday, 12 February, 2016 2:31:07 PM Subject: [Pki-devel] [PATCH] pki-cfu-0115-Ticket-1007-TPS-audit.patch This patch is for https://fedorahosted.org/pki/tic

Re: [Pki-devel] [PATCH] 678 Fixed token modify operation.

2016-02-08 Thread Christina Fu
Looks fine. If tested to work, ACK. Christina On 02/05/2016 04:08 PM, Endi Sukma Dewata wrote: The TPS UI and CLI have been modified to accept only user ID and policy attributes when modifying a token. https://fedorahosted.org/pki/ticket/1687

Re: [Pki-devel] [PATCH] 676 Fixed LDAP error handling in TokenService.

2016-02-04 Thread Christina Fu
looks fine. If tested to work, ACK. Christina On 02/03/2016 08:34 PM, Endi Sukma Dewata wrote: The DBSSession has been modified to attach the LDAPException to the EDBException. The TokenService will catch the EDBException and obtain the original LDAPException. This way the TokenService can

Re: [Pki-devel] [PATCH] 674 Fixed error handling in TokenService.

2016-02-03 Thread Christina Fu
looks fine. If tested to work, ACK. Christina On 02/03/2016 08:43 AM, Endi Sukma Dewata wrote: The TokenService has been modified to re-throw the original PKIException. This way on invalid token state transition the client will receive the original BadRequestException. Other types of

Re: [Pki-devel] [pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch

2016-01-27 Thread Christina Fu
I think I will be more conservative and give conditional ACK to this patch pending on tests on servers running on both LunaSA and nethsm. Although the code in the patch might very well work for both, those two HSM's are known to require different sets of pk11AtrFlags and often one set would