pki-bot / pki-issues-final


Ability to toggle profile usability in Web vs CLI tools #1430

Closed pki-bot closed 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #1442. Originally filed by dminnich (@dminnich) on 2015-06-23 21:39:24:


This enhancement is needed because of https://fedorahosted.org/pki/ticket/1074. We will be running a KRA and we don't want people to get encryption certs if their private key can't be escrowed.

Since Mozilla removed the functionality browsers need to do this, and the current solution is to use the CLI tools, we would like to be able to hide the profile in the browser but let the CLI tools use it, since the former won't be escrowed and the latter will.

FWIW, I tried pki against a visible=false enable=true profile, because that approximates the functionality we'd like to see, and it bombed with "Profile not marked as visible".

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2015-06-29 20:55:44

Per CS/DS Meeting of 6/29/2015: 10.2.6 (should allow enabled profiles to work, even if not visible)

pki-bot commented 3 years ago

Comment from jmagne (@jmagne) at 2015-06-30 02:49:08

Having looked at this I have found the following:

In the "Dual Use Certificate" form, the JavaScript code uses the crypto.generateCRMFRequest call even for the dual use case that does NOT use archival. This of course only shows up when the user HAS the crypto object. When the user does not have the crypto object, it defaults to a bare bones RSA method using the basic "keygen" tag.

I have done some experimenting and it appears the keygen tag can handle ECC, and I was able to hard code an example with ECC and nistp256, and the dogtag server accepted it and used it just fine.

The next step is to figure out how to have the user select the key type, either ECC or RSA, with the keygen tag. I suspect that the choices of curves will be bare bones because keygen only supports "medium strength" and "high strength" in the Mozilla version. That is to be determined though. I now have to figure out how to pipe the result of the keytype dropdown INTO the keygen tag.

pki-bot commented 3 years ago

Comment from jmagne (@jmagne) at 2015-07-01 02:46:58

Ooops, previous comment was for another ticket, disregard.

pki-bot commented 3 years ago

Comment from jmagne (@jmagne) at 2015-07-02 01:10:39

Patch ACKd and pushed:

commit b253cad196f57e79a5aede53aceffede1c9edfbe
Author: Jack Magne <jmagne@localhost.localdomain>
Date:   Wed Jul 1 15:01:45 2015 -0700

Ability to toggle profile usability in Web vs CLI tools.

Ticket 1442.

This fix gives the command line enrollment commands the ability to enroll a cert against a profile
that has been marked as not visible but "enabled".

With this simple fix, the following scenarios were tested and work:

The "caUserCert" profile was marked as not visible, but enabled.

1. pki -c Secret123 client-cert-request --profile caUserCert uid=jmagne

   This is the simplest form of user cert enrollment.

2. pki ca-cert-request-profile-show caUserCert --output testuser.xml
   pki ca-cert-request-submit testuser.xml

   The first command gives us the profile's XML file, which after modification is used to enroll.

3. pki -d ~/.dogtag/pki -c "" -n "PKI Administrator for localdomain" ca-profile-show caUserCert

   This one shows that we can view the contents of a non-visible profile. Listing is not allowed.
   We felt this appropriate to allow a command line user to get the details of a non-visible profile that
   they know about and want to use.
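The procedure the commit message describes, as an added example that is not part of the ticket or of the Dogtag code base: put a CA profile into the "enabled but not visible" state, check that both flags are really set, and then run the three CLI scenarios from the commit message against a live CA. The pki commands are the ones quoted above; everything else is an assumption for this example: a file-based profile store under /var/lib/pki/pki-tomcat/ca/profiles/ca/<profile>.cfg, an instance named pki-tomcat, and a systemctl restart so the CA re-reads the edited file. Keep in mind what visible=false does and does not do: it only removes the profile from listings (ca-profile-find and the web enrollment page), it is not an access control, so any client that knows the profile ID and passes the profile's own authentication can still enroll against it from the CLI, which is exactly the behaviour this ticket asks for.

```shell
#!/bin/sh
# Added example (not from the ticket or the Dogtag code base): mark a CA
# profile "enabled but not visible", verify the two flags, and exercise the
# CLI scenarios from the commit message.
#
# Assumptions, all hypothetical for this example: the CA instance is
# "pki-tomcat", file-based profiles live under
# /var/lib/pki/pki-tomcat/ca/profiles/ca/<profile>.cfg, and the instance is
# restarted with systemctl so the CA re-reads the edited file.

PROFILE_DIR="${PROFILE_DIR:-/var/lib/pki/pki-tomcat/ca/profiles/ca}"

# Set visible=false and enable=true in the profile config given as $1,
# leaving every other key alone. A missing key is appended rather than
# silently skipped, so the resulting file always carries both flags.
set_profile_hidden_enabled() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    for kv in visible=false enable=true; do
        key="${kv%%=*}"
        if grep -q "^$key=" "$cfg"; then
            sed -e "s/^$key=.*/$kv/" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
        else
            printf '%s\n' "$kv" >> "$cfg"
        fi
    done
}

# Succeed only when the config is in the state the fix targets:
# hidden from listings (visible=false) but still usable (enable=true).
profile_is_hidden_enabled() {
    grep -qx 'visible=false' "$1" && grep -qx 'enable=true' "$1"
}

# Run the three scenarios from the commit message against a live CA.
# $1 = profile ID, $2 = uid to enroll, $3 = client NSS DB password.
# Before the 10.2.6 fix, steps 1 and 2 fail with "Profile not marked as
# visible"; after it they succeed while ca-profile-find still omits the
# profile. Requires the pki CLI and a reachable CA, so it is not run here.
run_cli_scenarios() {
    profile="$1"; uid="$2"; passwd="$3"
    command -v pki > /dev/null 2>&1 || { echo "pki CLI not installed" >&2; return 1; }

    set_profile_hidden_enabled "$PROFILE_DIR/$profile.cfg"
    profile_is_hidden_enabled "$PROFILE_DIR/$profile.cfg" || return 1
    systemctl restart pki-tomcatd@pki-tomcat.service   # assumed unit name

    # 1. simplest CLI enrollment against the hidden profile
    pki -c "$passwd" client-cert-request --profile "$profile" "uid=$uid"

    # 2. fetch the profile's request XML, then submit it
    #    (edit testuser.xml between the two commands in real use)
    pki ca-cert-request-profile-show "$profile" --output testuser.xml
    pki ca-cert-request-submit testuser.xml

    # 3. the hidden profile can still be shown by ID, but is not listed
    pki -d ~/.dogtag/pki -c "" -n "PKI Administrator for localdomain" ca-profile-show "$profile"
    pki ca-profile-find | grep -q "$profile" && echo "unexpected: hidden profile listed" >&2
    return 0
}
```

Usage: `. ./hidden-profile.sh && run_cli_scenarios caUserCert jmagne Secret123` on the CA host. The two helper functions are the part worth keeping around; they make the intended state explicit before a restart, which is what the "Profile not marked as visible" error in the first comment turned on.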

pki-bot commented 3 years ago

Comment from dminnich (@dminnich) at 2017-02-27 14:07:34

Metadata Update from @dminnich: