Ticket: TPS throws "err=6" when attempting to format and e :
https://fedorahosted.org/pki/ticket/2544
Fix tested on standard card, it does what it is supposed to do. It checks first
to make sure the lifecycle
state needs to be changed before attempting to do so. This will prevent any
cards th
CA in the certificate profiles the startTime parameter is not working as
expected.
This simple fix addresses an overflow in the "startTime" parameter in 4
places in the code. I felt that honing in only on the startTime value was the
best way to go. In some of the files other than Vali
I compared this patch with the original C patch. There was a check in C
that does not exist in your Java patch:
    if(data.size() != 3){
        lifecycle = 0xf0;
        RA::Error(LL_PER_PDU, "RA_Processor::GetLifecycle", "apdu response is the wrong size, the
shing.
Closed ticket # 2544
- Original Message -
> From: "Christina Fu"
> To: pki-devel@redhat.com
> Sent: Wednesday, November 16, 2016 6:25:49 PM
> Subject: Re: [Pki-devel] [pki-devel][PATCH]
>
>
>
> I compared this patch with the original C patch.
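The check the review asks for, written out as an added example (this is not Dogtag, coolkey or pki code, and the command names in format_plan are illustrative). It assumes a GetLifecycle reply of one lifecycle byte followed by the two ISO 7816 status words SW1 SW2, which is why a well-formed reply is exactly 3 bytes, as in the C `data.size() != 3` check; that layout is an assumption, not something the page states. The point of the fix above, check the current state first and only send a lifecycle change when it differs, is mirrored in lifecycle_change_needed, and a malformed reply aborts instead of being acted on.

```python
# Added example (not Dogtag/pki code): validate a GetLifecycle APDU reply and
# only issue a lifecycle change when the card is not already in the target
# state. Assumed reply layout (an assumption, not stated on the page): one
# lifecycle byte followed by the ISO 7816 status words SW1 SW2, so a
# well-formed reply is exactly 3 bytes, as in the C `data.size() != 3` check.

LIFECYCLE_UNKNOWN = 0xF0      # sentinel the C code stores on a malformed reply
SW_SUCCESS = b"\x90\x00"      # ISO 7816 "success" status words


def parse_lifecycle(reply: bytes) -> int:
    """Return the lifecycle byte, or LIFECYCLE_UNKNOWN for a malformed/failed reply."""
    if len(reply) != 3:
        return LIFECYCLE_UNKNOWN          # wrong size: trust none of it
    if reply[1:] != SW_SUCCESS:
        return LIFECYCLE_UNKNOWN          # card reported an error; no state to read
    return reply[0]


def lifecycle_change_needed(reply: bytes, target: int) -> bool:
    """Decide whether a SetLifecycle command must be sent at all.

    Raises ValueError on an unreadable reply so the caller logs and aborts
    instead of blindly sending a state change.
    """
    current = parse_lifecycle(reply)
    if current == LIFECYCLE_UNKNOWN:
        raise ValueError("GetLifecycle reply is malformed or failed: %s" % reply.hex())
    return current != target


def format_plan(reply: bytes, target: int) -> list:
    """Sequence of commands to send for a format, given the card's reply.
    Command names are illustrative, not real coolkey/TPS APDU names."""
    plan = []
    if lifecycle_change_needed(reply, target):
        plan.append("SET_LIFECYCLE(0x%02x)" % target)
    plan.append("FORMAT")
    return plan


if __name__ == "__main__":
    # Constructed replies: card already at 0x0F, card at 0x07, truncated reply.
    for reply in (b"\x0f\x90\x00", b"\x07\x90\x00", b"\x0f"):
        try:
            print(reply.hex(), "->", format_plan(reply, 0x0F))
        except ValueError as err:
            print(reply.hex(), "-> abort:", err)
```

The size check matters for more than tidiness: reading `reply[0]` from a 1-byte error reply would treat a status byte as a lifecycle value and could trigger a state change the card never asked for.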
On 04/26/2017 04:29 PM, John Magne wrote:
CA in the certificate profiles the startTime parameter is not working as
expected.
This simple fix addresses an overflow in the "startTime" parameter in 4 places in the code. I felt that honing in only on the startTime value was the best way
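To make the overflow concrete, here is an added example (not pki code) of what happens when a profile's startTime offset, in seconds from "now" to notBefore, is held in a 32-bit int and scaled to milliseconds. That the Dogtag bug was this particular multiplication is an assumption; the message above only says "overflow". The example shows the wrapped result, the 64-bit result, and a bounds check for code that has to stay 32-bit.

```python
# Added example, not pki code: 32-bit overflow of a certificate profile's
# startTime offset (seconds) when scaled to milliseconds. Which arithmetic
# the real fix changed is an assumption; the page only says "overflow".
import datetime

INT32_MAX = 2**31 - 1


def to_int32(n: int) -> int:
    """Wrap n like Java `int` arithmetic (two's complement, 32 bits)."""
    n &= 0xFFFFFFFF
    return n - 2**32 if n > INT32_MAX else n


def not_before_ms(now_ms: int, start_time: str, wide: bool) -> int:
    """notBefore in epoch milliseconds for a profile startTime string.

    wide=False models `int secs = parseInt(s); now + secs * 1000`,
    wide=True models the same computation done in 64-bit `long`.
    """
    secs = int(start_time)
    if wide:
        return now_ms + secs * 1000
    return now_ms + to_int32(to_int32(secs) * 1000)


def is_backdated(now_ms: int, start_time: str) -> bool:
    """True when the 32-bit computation yields a notBefore earlier than now,
    i.e. the certificate silently becomes valid in the past."""
    return not_before_ms(now_ms, start_time, wide=False) < now_ms


def check_start_time(start_time: str) -> int:
    """Defensive bound for code that must keep 32-bit arithmetic: reject any
    offset whose millisecond value would wrap instead of letting it wrap."""
    secs = int(start_time)
    if secs < 0 or secs * 1000 > INT32_MAX:
        raise ValueError("startTime %s out of 32-bit millisecond range" % start_time)
    return secs


if __name__ == "__main__":
    now = 1_500_000_000_000  # constructed "now", epoch ms
    for st in ("86400", "2592000"):  # one day, thirty days
        for wide in (False, True):
            when = datetime.datetime.utcfromtimestamp(not_before_ms(now, st, wide) / 1000)
            print("startTime=%s wide=%s notBefore=%s" % (st, wide, when.isoformat()))
```

Anything above 2147483 seconds (about 24.8 days) wraps: a 30-day startTime comes out as a negative offset of roughly 19.7 days, so the certificate is backdated rather than delayed.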
#2540 Creating symmetric key (sharedSecret) using tkstool is failing when
operating system is in FIPS mode.
From 820b3f16d1cb3f0532a464aee399512725c2a858 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Mon, 10 Apr 2017 11:27:12 -0700
Subject: [PATCH] Tkstool, FIPS Mode fix.
Now the program c
TPS auth special characters fix.
Ticket #1636.
Smartcard token enroll/format fails when the ldap user has special
characters in userid or password
Tested with both esc and tpsclient. The problem was when using a real card
because the client uri encodes
the authentication
Fix attached.
From 3a1ef233ec8e63e5ec34cd0746cd5e94e327c65f Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Mon, 6 Jun 2016 16:36:16 -0700
Subject: [PATCH] Fix coverity warnings for 'tkstool'
Issues listed in the ticket addressed by this patch.
Ticket #1199 : Fix coverity warnings for 'tkstool'.
Revocation failure causes AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST
The fix here is to make sure no archive related audits get issued for doing
things other than key archivals.
Other operations such as revoking and unrevoking a cert in the code path already
have audit logs issued s
Make starting CRL Number configurable.
Ticket #2406 Make starting CRL Number configurable
This simple patch provides a pkispawn config param that passes
some starting crl number value to the config process.
Here is a sample:
[CA]
pki_ca_starting_crl_numbe
[PATCH] Non server keygen issue in SCP03.
Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663
We discovered a minor issue when trying to log values that don't exist when
performing the non server side keygen case. For instance, we don't need to
generate a kek session key in t
On 05/22/2017 07:27 PM, John Magne wrote:
#2540 Creating symmetric key (sharedSecret) using tkstool is failing when
operating system is in FIPS mode.
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-deve
is failing
when operating system is in FIPS mode.
- Original Message -
> From: "Matthew Harmsen"
> To: "John Magne" , "pki-devel"
> Sent: Tuesday, May 23, 2017 4:44:42 PM
> Subject: Re: [Pki-devel] [pki-devel][PATCH] 0094-Tkstool-FIPS-Mode-f
Ticket: Resolve #1663 Add SCP03 support .
This particular fix resolves a simple issue when formatting a token in FIPS
mode for SCP03.
From de74c600391473759bec495dc4ccafda787959bd Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Fri, 2 Jun 2017 15:40:52 -0700
Subject: [PATCH] Res
Subject: [PATCH] Port symkey JNI to Java classes. Ticket #801 : Merge
pki-symkey into jss
What is supported:
1. Everything that is needed to support Secure Channel Protocol 01.
2. Supports the nist sp800 kdf and the original kdf.
3. Supports key unwrapping used by TPS which was formerly in the s
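For readers who have not met the "nist sp800 kdf" in item 2, here is an added example (not symkey, JSS or pki code) of a NIST SP 800-108 counter-mode KDF used the way a TKS uses one: a per-card key is derived from a master key and card data, so the master key never leaves the TKS. Assumptions: HMAC-SHA256 as the PRF (SP 800-108 allows HMAC or CMAC; the GlobalPlatform SCP03 variant uses AES-CMAC with its own field ordering, which this block does not reproduce), a 16-bit counter and 16-bit length field, and the CUID as the Context. The master key and CUID values are constructed.

```python
# Added example, not pki/symkey code: NIST SP 800-108 KDF in counter mode,
# used to diversify a per-card key from a master key plus card data.
# Assumptions: HMAC-SHA256 as the PRF, 16-bit counter and length fields,
# CUID as Context. GlobalPlatform SCP03 uses AES-CMAC and its own field
# order; this block illustrates the SP 800-108 construction, not SCP03 itself.
import hashlib
import hmac

PRF_OUT_BITS = 256  # HMAC-SHA256 output size


def kdf_counter_mode(key: bytes, label: bytes, context: bytes, out_bits: int) -> bytes:
    """SP 800-108 section 5.1:
    K(i) = PRF(key, [i]_2 || Label || 0x00 || Context || [L]_2), i = 1..n."""
    if out_bits <= 0 or out_bits % 8:
        raise ValueError("output length must be a positive multiple of 8 bits")
    n_blocks = -(-out_bits // PRF_OUT_BITS)        # ceil division
    if n_blocks > 0xFFFF:
        raise ValueError("requested output too long for a 16-bit counter")
    fixed = label + b"\x00" + context + out_bits.to_bytes(2, "big")
    out = b"".join(
        hmac.new(key, i.to_bytes(2, "big") + fixed, hashlib.sha256).digest()
        for i in range(1, n_blocks + 1)
    )
    return out[: out_bits // 8]


def diversify_card_key(master_key: bytes, key_type: bytes, cuid: bytes) -> bytes:
    """128-bit per-card key. Different key_type labels (for example ENC, MAC, KEK)
    and different CUIDs give unrelated keys from the same master key."""
    if len(master_key) < 16:
        raise ValueError("master key too short")
    if not cuid:
        raise ValueError("empty CUID")
    return kdf_counter_mode(master_key, key_type, cuid, 128)


if __name__ == "__main__":
    master = bytes(range(16))                           # constructed, not a real key
    cuid = bytes.fromhex("40900000000012345678")        # constructed 10-byte CUID
    for key_type in (b"ENC", b"MAC", b"KEK"):
        print(key_type.decode(), diversify_card_key(master, key_type, cuid).hex())
```

Because the length L is part of the fixed input, asking for 128 and 256 bits from the same inputs yields unrelated keys rather than a prefix relationship; that is intentional in SP 800-108 and is what the assertion on prefixes below checks.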
ACK
On 04/27/2016 01:59 PM, John Magne wrote:
TPS auth special characters fix.
Ticket #1636.
Smartcard token enroll/format fails when the ldap user has special
characters in userid or password
Tested with both esc and tpsclient. The problem was when using a real card
ACKED by cfu,
pushed to master.
- Original Message -
From: "Christina Fu"
To: pki-devel@redhat.com
Sent: Tuesday, May 3, 2016 11:27:59 AM
Subject: Re: [Pki-devel] [pki-devel][PATCH]
0066-TPS-auth-special-characters-fix.patch
ACK
On 04/27/2016 01:59 PM, John Magne wrote:
On 06/06/2016 05:39 PM, John Magne wrote:
Fix attached.
ACK
Personally, I always prefer the use of enclosing braces "{ . . . }"
after a conditional ev
ACK'd by cfu:
Pushed to master, closing ticket #2340
- Original Message -
From: "John Magne"
To: "pki-devel"
Sent: Tuesday, June 14, 2016 4:07:49 PM
Subject: [pki-devel][PATCH]
0072-Revocation-failure-causes-AUDIT_PRIVATE_KEY_ARCHIVE_.patch
Revocation failure causes AUDIT_PRIVATE_
ACK'ed by mharmsen, pushed to master:
Closing ticket #1199
- Original Message -
From: "John Magne"
To: "pki-devel"
Sent: Monday, June 6, 2016 4:39:43 PM
Subject: [pki-devel][PATCH] 0070-Fix-coverity-warnings-for-tkstool.patch
Fix attached.
Verbally acked by edewata thanks! :
pushed to master
Closing ticket: #2406
- Original Message -
> From: "John Magne"
> To: "pki-devel"
> Sent: Wednesday, July 27, 2016 11:53:34 AM
> Subject: [Pki-devel] [pki-devel][PATCH]
> 0077-Make-sta
[PATCH] Authentication Instance Id PinDirEnrollment with authType
value as SslclientAuth is not working.
Ticket #1578
The fixing of this problem required the following:
1. Hook up a java callback that is designed to allow the selection of a
candidate
client auth cert to be sent to Ldap in the
On 05/05/2017 02:12 PM, John Magne wrote:
[PATCH] Non server keygen issue in SCP03.
Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663
We discovered a minor issue when trying to log values that don't exist when
performing the non server side keygen case. For instance, we do
On 06/02/2017 04:44 PM, John Magne wrote:
Ticket: Resolve #1663 Add SCP03 support .
This particular fix resolves a simple issue when formatting a token in FIPS mode for SCP03.
- Original Message -
From: "Matthew Harmsen"
To: "John Magne" , "pki-devel"
Sent: Friday, June 2, 2017 4:01:14 PM
Subject: Re: [Pki-devel] [pki-devel][PATCH]
0095-Resolve-1663-Add-SCP03-support.patch
On 06/02/2017 04:44 PM, John Magne wrote:
>
>
>
> Ticket: Resolve #16
I think I will be more conservative and give conditional ACK to this
patch pending on tests on servers running on both LunaSA and nethsm.
Although the code in the patch might very well work for both, those two
HSM's are known to require different sets of pk11AtrFlags and often one
set would wo
Subject: [PATCH] Allow cert and key indexes > 9.
Ticket: Ticket #1734 : TPS issue with overflowing PKCS#11 cert index numbers
This patch contains the following:
1. Fixes in TPS to allow the server to set and read muscle object ID's that are
greater than 9.
The id is stored as a single ASCII by
On Fri, Apr 15, 2016 at 10:03:03PM -0400, John Magne wrote:
> Subject: [PATCH] Port symkey JNI to Java classes. Ticket #801 : Merge
> pki-symkey into jss
>
> What is supported:
>
> 1. Everything that is needed to support Secure Channel Protocol 01.
> 2. Supports the nist sp800 kdf and the origin
- Original Message -
From: "Christina Fu"
To: pki-devel@redhat.com
Sent: Wednesday, January 27, 2016 10:24:26 AM
Subject: Re: [Pki-devel]
[pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch
I think I will be more conservative and give conditional ACK to this patch
p
Hi,
First of all, I have to say that Jack did a wonderful job on such a
daunting task. The sheer amount of code and complexity does make the
review more challenging, but I dug through them with my teeth and claws
regardless ;-).
We discussed and think we should postpone the checkin to next rel
revised patches:
Thanks to cfu for careful review.
Also enclosed responses to comments, for convenience.
- Original Message -
From: "Christina Fu"
To: pki-devel@redhat.com
Sent: Friday, May 13, 2016 11:34:17 AM
Subject: Re: [Pki-devel] [pki-devel][PATCH]
0064-Port-symkey
. SCP03 support can be added later.
New ticket created for future refinements:
https://fedorahosted.org/pki/ticket/2337
Closing #801
- Original Message -
From: "Christina Fu"
To: pki-devel@redhat.com
Sent: Monday, May 23, 2016 8:56:40 AM
Subject: Re: [Pki-devel] [pki-devel][PA
Show KeyOwner info when viewing recovery requests.
This simple fix will grab the subject info out of the cert
associated with either pending or complete recovery requests being
viewed in the KRA UI.
For example:
KeyOwner: UID=jmagne, O=Token Key User
Wil
UdnPwdDirAuth authentication plugin instance is not working.
Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working.
Since this class no longer works, we felt it best to just remove it from
the server.
This patch removes the references and files
[MAN] Apply 'generateCRMFRequest() removed from Firefox'
workarounds to appropriate 'pki' man page
Ticket #1285
This fix will involve the following changes to the source tree.
1. Fixes to the CS.cfg to add two new cert profiles.
2. Make the caDualCert.cfg profile invisible since it has little
Verbal cond ACK from CFU:
Minor issue taken care of:
commit e5ef4374eae5219a8b5e9a216c1c2ed77fb3e709
Author: Jack Magne
Date: Tue Aug 16 16:58:49 2016 -0700
Authentication Instance Id PinDirEnrollment with authType value as
SslclientAuth is not working.
Pushed to master, closing ticket
TPS token enrollment fails to setupSecureChannel when TPS and TKS security db
is on fips mode.
Ticket #2513.
Simple fix allows the TPS and TKS the ability to obtain the proper internal
token, even in FIPS mode.
From 00bba5092fa32b956d646b4711411b8c57bd8f75 Mon Sep 17 00:00:00 2
[PATCH] SCP03 support for g&d sc 7 card.
Ticket:
https://pagure.io/dogtagpki/issue/1663 Add SCP03 support
This allows the use of the g&d 7 card.
This will require the following:
1. An out of band method is needed to generate an AES based master key.
We do not as of yet have support with tkstoo
the code looks good.
I applied the patch and upgraded my libcoolkey and played with it. I was
able to enroll for 2 certs and "recover" 5 (makes a total of 7), and
then continued to run externalReg enrollment again to delete one cert
and recover another.
ACK,
Christina
On 02/02/2016 06:46 PM,
February 5, 2016 4:22:40 PM
Subject: Re: [Pki-devel] [pki-devel][PATCH]
0062-Allow-cert-and-key-indexes-9.patch
while the patch works, I think the original code logic is somehow flawed
in a way that it uses the "profile" attribute to determine whether the
request was non-TMS archival requests, and if null it treats it as TMS.
It would make better sense if we add a separate case instead of lumping
the ha
> From: "Christina Fu"
> To: pki-devel@redhat.com
> Sent: Friday, June 3, 2016 2:46:28 PM
> Subject: Re: [Pki-devel] [pki-devel][PATCH]
> 0069-Show-KeyOwner-info-when-viewing-recovery-requests.patch
>
> while the patch works, I think the original code logic is someho
Looks good. If compiles, installs, and runs, ACK.
Christina
On 06/08/2016 10:58 AM, John Magne wrote:
UdnPwdDirAuth authentication plugin instance is not working.
Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working.
Since this class no longer w
[PATCH] Separated TPS does not automatically receive shared secret
from remote TKS.
Support to allow the TPS to do the following:
1. Request that the TKS creates a shared secret with the proper ID, pointing to
the TPS.
2. Have the TKS securely return the shared secret back to the TPS during t
Generating Symmetric key fails with key-generate when --usages verify is passed
Ticket #1114
Minor adjustment to the man page for the key management commands to say
which usages are appropriate for sym keys and those appropriate for asym
keys.
From a211222ee4b30ad390228ad
Conditionally ACKED by cfu.
She wanted me to test the new ECC signing cert only profile I added:
Test was a success.
Pushed to master
Closing ticket #1285
Also release note bug on how to use the new profiles here:
https://bugzilla.redhat.com/show_bug.cgi?id=1355849
- Original Message -
PIN_RESET policy is not giving expected results when set on a token.
Simple fix to actually honor the PIN_RESET=or policy for a given
token.
Minor logging improvements added as well for this error condition.
Ticket #2510.
From 09dba122f01881b93d32a03a51d0be37c247cb30 Mon Sep 17
Just a minor suggestion. Endi lately added isInternalToken() in CryptoUtil.java to fix a
similar FIPS related issue.
You might want to take advantage of that instead as it does ignore case.
It's up to you.
ACK.
Christina
On 10/20/2016 03:24 PM, John Magne wrote:
TPS token enrollment fail
looks fine.
ack.
Christina
On 03/29/2017 11:22 AM, John Magne wrote:
[PATCH] SCP03 support for g&d sc 7 card.
Ticket:
https://pagure.io/dogtagpki/issue/1663 Add SCP03 support
This allows the use of the g&d 7 card.
This will require the following:
1. An out of band method is needed to gen
[PATCH] SCP03 support: fix Key Changeover with HSM (RHCS)
Ticket #2764.
This relatively simple fix involves making sure the correct crypto token is
being used to search for the master key in the case of symmetric key changeover
where the master key resides on an HSM.
From e992fcdfbb6805e5f9310f
Hi All,
Please review this patch.
Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
--
Thanks,
Abhijeet Kasurde
IRC: akasurde
http://akasurde.github.io
From ebda787c714e950e682ef42177a18927b8398c1f Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Thu, 30 Jun 2016 15:1
On 06/24/2016 06:23 PM, John Magne wrote:
Generating Symmetric key fails with key-generate when --usages verify is passed
Ticket #1114
Minor adjustment to the man page for the key management commands to say
which usages are appropriate for sym keys and those appropriate
- Original Message -
From: "Matthew Harmsen"
To: "John Magne" , "pki-devel"
Sent: Thursday, June 30, 2016 2:54:29 PM
ACKED verbally by cfu, with some very minor changes.
Pushed to master:
commit 0f056221d096a30307834265ecd1c527087bb0f7
Author: Jack Magne
Date: Mon Jun 13 11:27:59 2016 -0700
Separated TPS does not automatically receive shared secret from remote TKS.
Closing ticket # 2349
Cert/Key recovery is successful when the cert serial number and key id on the
ldap user mismatches
Fixes this bug #1381375.
The portion this patch fixes involves a URL encoding glitch we encountered
when recovering keys using
the "by cert" method.
Also this bug addresses:
code looks fine. If tested to work, ACK.
Christina
On 10/18/2016 07:02 PM, John Magne wrote:
PIN_RESET policy is not giving expected results when set on a token.
Simple fix to actually honor the PIN_RESET=or policy for a given token.
Minor logging improvements added as well for th
Simple patch will provide a fix to this issue.
From e7821b4061d22d23013f7d00c066fc6e59d83167 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Thu, 8 Dec 2016 16:35:20 -0800
Subject: [PATCH] Resolve: pkispawn does not change default ecc key size from
nistp256 when nistp384 is specified in spawn con
Author: Jack Magne
Date: Fri Dec 16 16:25:48 2016 -0800
Ticket #2569: Token memory not wiped after key deletion
This is the dogtag upstream side of the TPS portion of this ticket.
This fix also involves an applet fix, handled in another bug.
From 08fa0ff96d7dd6ed6c3b11527251e60
looks good. ACK.
Christina
On 06/29/2017 03:43 PM, John Magne wrote:
[PATCH] SCP03 support: fix Key Changeover with HSM (RHCS)
Ticket #2764.
This relatively simple fix involves making sure the correct crypto token is
being used to search for the master key in the case of symmetric key chan
Hi All,
Please review the patch.
--
Thanks,
Abhijeet Kasurde
IRC: akasurde
http://akasurde.github.io
From 04cdf13525636add733e8c10525c0b48a4ef3c66 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Wed, 29 Jun 2016 14:44:45 +0530
Subject: [PATCH] Added condition to verify instance id in db
On 6/30/2016 5:09 AM, Abhijeet Kasurde wrote:
Hi All,
Please review this patch.
Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
--
Thanks,
Abhijeet Kasurde
Thanks! Pushed to master with some changes:
1. The original code was supposed to normalize the token name, so if
If tested to work for all cases, ACK.
Christina
On 10/18/2016 03:22 PM, John Magne wrote:
Cert/Key recovery is successful when the cert serial number and key id on the
ldap user mismatches
Fixes this bug #1381375.
The portion this patch fixes involves a URL encoding glitch we
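Both the TPS auth fix earlier in this list (ticket #1636, special characters in the LDAP userid or password that the client URI-encodes) and the "by cert" recovery glitch above are the same class of bug, so one added example covers both. It is not pki, ESC or tpsclient code: the endpoint path, the form field names and the certificate bytes are constructed assumptions. It shows a client that percent-encodes each value, the naive server-side split that mangles '&', '=', '%' and '+', a proper form parser, and why a base64 certificate must be encoded before it is placed in a query string.

```python
# Added example, not pki/ESC/tpsclient code, covering the TPS auth special
# character fix and the "by cert" recovery URL encoding glitch. Endpoint
# path, field names and certificate bytes are constructed assumptions.
import base64
from urllib.parse import parse_qs, quote, urlencode, urlparse


def encode_auth(uid: str, pwd: str) -> str:
    """Correct client: RFC 3986 percent-encoding of every form value."""
    return urlencode({"UID": uid, "PASSWORD": pwd}, quote_via=quote)


def naive_parse(body: str) -> dict:
    """The bug: split on '&' and '=' and never decode. A password holding
    '&', '=', '%' or '+' arrives altered and the LDAP bind fails."""
    out = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        out[key] = value
    return out


def parse_form(body: str) -> dict:
    """Correct server side: decode each field once; reject malformed pairs
    and duplicate fields instead of silently picking one."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    if any(len(v) != 1 for v in fields.values()):
        raise ValueError("duplicate form field")
    return {k: v[0] for k, v in fields.items()}


def recovery_by_cert_url(base: str, cert_der: bytes) -> str:
    """'Recover by cert' URL with the base64 blob percent-encoded, so '+' is
    not read back as a space and the '=' padding survives."""
    b64 = base64.b64encode(cert_der).decode("ascii")
    return "%s/recoverByCert?cert=%s" % (base, quote(b64, safe=""))


def naive_recovery_url(base: str, cert_der: bytes) -> str:
    """The glitch: raw base64 dropped straight into the query string."""
    return "%s/recoverByCert?cert=%s" % (base, base64.b64encode(cert_der).decode("ascii"))


def cert_from_url(url: str) -> bytes:
    """Server side: decode the query, then strictly un-base64 the cert."""
    params = parse_form(urlparse(url).query)
    return base64.b64decode(params["cert"], validate=True)


if __name__ == "__main__":
    body = encode_auth("jmagne", "p%40ss&word")      # constructed credentials
    print("body      :", body)
    print("naive     :", naive_parse(body))
    print("parse_form:", parse_form(body))
    cert = bytes(range(256))                         # constructed stand-in for DER
    print("ok url    :", cert_from_url(recovery_by_cert_url("https://tps.example/tps", cert)) == cert)
```

With validate=True, b64decode raises on the space that '+' becomes after a naive URL is decoded, which is the failure the "by cert" recovery path showed; the round trip through recovery_by_cert_url returns the original bytes.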
that makes sure it works.
This small fix is in TPSEngine.java where the constant for
GenerateNewAndRecoverLast scheme is declared.
- Original Message -
From: "Christina Fu"
To: pki-devel@redhat.com
Sent: Tuesday, October 18, 2016 4:24:08 PM
Subject: Re: [Pki-devel] [pki
On 12/08/2016 05:42 PM, John Magne wrote:
Simple patch will provide a fix to this issue.
Tested original code to confirm incorrect ECC signing curve; t
rmsen"
> To: "John Magne" , "pki-devel"
> Sent: Thursday, December 8, 2016 5:36:24 PM
> Subject: Re: [Pki-devel] [pki-devel][PATCH]
> 0086-Resolve-pkispawn-does-not-change-default-ecc-key-siz.patch
>
>
Overall, it looks good. Just some minor suggestions, mostly for
clarification purposes.
* SecureChannel.java : clearAppletKeySlotData
- would appreciate comments describing the content and format
expected in the input "data"
- maybe a positive debug message after the successful cleanup
Add ability to disallow TPS to enroll a single user on multiple tokens.
This patch will install a check during the early portion of the enrollment
process that consults a configurable policy on whether or not a user should be allowed
to have more than one active token.
This check wi
Hi All,
Please review the patch.
--
Thanks,
Abhijeet Kasurde
IRC: akasurde
http://akasurde.github.io
From cbceb43b39249f4455c232a01aed7aa5c9cc701f Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Wed, 29 Jun 2016 18:06:12 +0530
Subject: [PATCH] Added fix for checking ldapmodify return co
On 6/29/2016 4:20 AM, Abhijeet Kasurde wrote:
Hi All,
Please review the patch.
--
Thanks,
Abhijeet Kasurde
Thanks! Pushed to master.
--
Endi S. Dewata
To: pki-devel@redhat.com
Sent: Thursday, January 14, 2016 5:25:54 PM
Subject: Re: [Pki-devel] [pki-devel][PATCH]
0060-Make-sure-the-ESC-auth-dialog-displays-the-User-Id-f.patch
The patch made sure that the UID is displayed first. I tested out the patch to
work.
ACK.
Christina
On 01/13/2016 02:32 PM, Joh
Just a few minor ones.
* configuration parameters referencing token existence in tokendb should
use names beginning with "tokendb". e.g.
tokendb.allowMultiActiveTokensPerUser.externalReg=false
tokendb.allowMultiActiveTokensPerUser.nonExternalReg=false
* boolean allowMultiCerts -- I think
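The enrollment-time check from the patch description, keyed by the two config names suggested in the review, as an added example (this is not TPS code). The token record fields "userID", "status" and "cuid", the status value "active" and the fail-closed default are assumptions about the token DB, not taken from the page; the records in the block are constructed.

```python
# Added example, not TPS code: deny an enrollment that would give a user a
# second active token, unless the policy for this registration mode allows it.
# Token record fields ("userID", "status", "cuid"), the status value "active"
# and the fail-closed default are assumptions about the token DB schema.

CONFIG_KEYS = {
    True: "tokendb.allowMultiActiveTokensPerUser.externalReg",
    False: "tokendb.allowMultiActiveTokensPerUser.nonExternalReg",
}


def policy_allows_multi(config: dict, external_reg: bool) -> bool:
    """Read the boolean for this registration mode; an absent or
    unparsable value is treated as false (fail closed)."""
    raw = config.get(CONFIG_KEYS[external_reg], "false")
    return str(raw).strip().lower() == "true"


def other_active_tokens(tokens: list, uid: str, cuid: str) -> list:
    """Active tokens owned by uid other than the token being enrolled, so a
    re-enrollment of the same CUID is never counted against the user."""
    return [
        t for t in tokens
        if t["userID"] == uid and t["status"] == "active" and t["cuid"] != cuid
    ]


def check_enrollment(config: dict, tokens: list, uid: str, cuid: str,
                     external_reg: bool) -> None:
    """Raise PermissionError when the policy forbids a second active token."""
    if policy_allows_multi(config, external_reg):
        return
    others = other_active_tokens(tokens, uid, cuid)
    if others:
        raise PermissionError(
            "user %s already has active token(s): %s"
            % (uid, ", ".join(t["cuid"] for t in others))
        )


# Constructed token DB records and config for the demo.
TOKENS = [
    {"cuid": "40900000000012345678", "userID": "jmagne", "status": "active"},
    {"cuid": "40900000000012345679", "userID": "jmagne", "status": "damaged"},
    {"cuid": "40900000000012345680", "userID": "cfu", "status": "active"},
]
CONFIG = {
    "tokendb.allowMultiActiveTokensPerUser.externalReg": "false",
    "tokendb.allowMultiActiveTokensPerUser.nonExternalReg": "true",
}

if __name__ == "__main__":
    for uid, cuid, ext in (("jmagne", "4090000000001234AAAA", True),
                           ("jmagne", "4090000000001234AAAA", False),
                           ("jmagne", "40900000000012345678", True)):
        try:
            check_enrollment(CONFIG, TOKENS, uid, cuid, ext)
            print(uid, cuid, "externalReg=%s" % ext, "-> allowed")
        except PermissionError as err:
            print(uid, cuid, "externalReg=%s" % ext, "-> denied:", err)
```

Two details worth keeping in a real implementation: a token in any non-active state (damaged, lost) must not count, and the CUID being enrolled is excluded so that re-formatting the user's own token is not refused as a "second" token.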
Addressed cfu's concerns and pushed to master for cond ACK.
commit e326cd2f06bd651cdd87646eea94622e18cec28d
Closing ticket #1664
- Original Message -
> From: "Christina Fu"
> To: pki-devel@redhat.com
> Sent: Monday, June 27, 2016 2:25:33 PM
> Subject:
On 6/29/2016 7:43 AM, Abhijeet Kasurde wrote:
Hi All,
Please review the patch.
--
Thanks,
Abhijeet Kasurde
Thanks! Pushed to master with some changes to handle all LDAP errors
instead of some specific ones.
--
Endi S. Dewata