pki.git/base/native-tools, branch master Unnamed repository; edit this file 'description' to name the repository. Minor fix to already fixed issue: 2017-06-06T23:18:45+00:00 Jack Magne jmagne@dhcp-16-206.sjc.redhat.com 2017-06-06T23:16:32+00:00 30fb7bf49ce0f4c726f937b3984a4e27abb39959 The problem was that a tiny piece of the original patch didn't get checked in. This resolves this issue. 
The problem was that a tiny piece of the original patch didn't get checked in. This resolves this issue.
Now the program can create and import shared secret keys while under FIPS mode. 2017-05-24T17:44:03+00:00 Jack Magne jmagne@dhcp-16-206.sjc.redhat.com 2017-04-10T18:27:12+00:00 84f3958dc9c1c5bfab4a8789e621d621a28cbdd6 






Fixed pki-tools build order.
2016-12-18T11:11:36+00:00

Endi S. Dewata
edewata@redhat.com

2016-12-10T18:04:03+00:00

b98ffc3d8bf386687ec53d7a73932dd2e8ff6ff8

To help troubleshooting build issues the pki-tools build targets
have been modified such that they run sequentially. This way error
messages will be easier to find in the build log.

https://fedorahosted.org/pki/ticket/2463





To help troubleshooting build issues the pki-tools build targets
have been modified such that they run sequentially. This way error
messages will be easier to find in the build log.

https://fedorahosted.org/pki/ticket/2463







Added CMake target dependencies.
2016-07-26T19:18:14+00:00

Endi S. Dewata
edewata@redhat.com

2016-07-21T00:26:24+00:00

3f4c9e4e7946f3f330b71cfe36a00ae933de2575

To help troubleshooting build issues, some CMake dependencies have
been added to some targets even though the actual codes do not
require those dependencies. This will ensure the targets are built
sequentially so build failures can be found more easily at the end
of the build log.

https://fedorahosted.org/pki/ticket/2403





To help troubleshooting build issues, some CMake dependencies have
been added to some targets even though the actual codes do not
require those dependencies. This will ensure the targets are built
sequentially so build failures can be found more easily at the end
of the build log.

https://fedorahosted.org/pki/ticket/2403







Fix coverity warnings for 'tkstool'
2016-06-17T21:38:11+00:00

Jack Magne
jmagne@dhcp-16-206.sjc.redhat.com

2016-06-06T23:36:16+00:00

ff1b164d033870ad7c708d13f671587f93c50749

Issues listed in the ticket addressed by this patch.

Ticket #1199 : Fix coverity warnings for 'tkstool'.





Issues listed in the ticket addressed by this patch.

Ticket #1199 : Fix coverity warnings for 'tkstool'.







Enhance tkstool for capabilities and security
2016-05-12T21:54:20+00:00

Jack Magne
jmagne@dhcp-16-206.sjc.redhat.com

2016-05-12T21:46:39+00:00

ce83d2ae2b33cca1e8b035474142fcbe2369ccc4

The key is now generated with the flags needed to keep the data from being displayed
with simple tools such as symkeyutil.

As per cfu's instructions,
I was able to test this with the nethsm only.

I also was able to make the key des3 and everything works fine with the master key.
This will help all the warnings we get about insecure des2 keys.

If there is a problem with luna, we can file another ticket.
Also there could be a built in tool for luna to generate keys such as is present on hsm.





The key is now generated with the flags needed to keep the data from being displayed
with simple tools such as symkeyutil.

As per cfu's instructions,
I was able to test this with the nethsm only.

I also was able to make the key des3 and everything works fine with the master key.
This will help all the warnings we get about insecure des2 keys.

If there is a problem with luna, we can file another ticket.
Also there could be a built in tool for luna to generate keys such as is present on hsm.







sslget must set Host HTTP header
2015-12-15T22:50:26+00:00

Christian Heimes
cheimes@redhat.com

2015-11-25T19:42:17+00:00

73f5e33c945d865a88b47491b73553ba8ecf2f53

The sslget tool sends a TLS SNI header. Apache doesn't like server name
indication without a matching HTTP header. Requests without a Host
header are refused with

HTTP/1.1 400 Bad Request
Hostname example.org provided via SNI, but no hostname provided in HTTP request

sslget now sets a Host HTTP header for all requests.

https://fedorahosted.org/pki/ticket/1704

Signed-off-by: Christian Heimes <cheimes@redhat.com>





The sslget tool sends a TLS SNI header. Apache doesn't like server name
indication without a matching HTTP header. Requests without a Host
header are refused with

HTTP/1.1 400 Bad Request
Hostname example.org provided via SNI, but no hostname provided in HTTP request

sslget now sets a Host HTTP header for all requests.

https://fedorahosted.org/pki/ticket/1704

Signed-off-by: Christian Heimes <cheimes@redhat.com>







Minor fix to "setpin" fix.
2015-08-19T00:06:24+00:00

Jack Magne
jmagne@localhost.localdomain

2015-08-18T23:50:50+00:00

6260a6d20c113343dd04cdbed999865ebc1650c9

The routine that sets the password of the "pinmanager" user was
not working. A very simple one character fix takes care of it.

Ticket # 1546 - Setpin utility doesn't set the pin for users.

Checking in under the one line trivial change rule.





The routine that sets the password of the "pinmanager" user was
not working. A very simple one character fix takes care of it.

Ticket # 1546 - Setpin utility doesn't set the pin for users.

Checking in under the one line trivial change rule.







setpin utility doesn't set the pin for users.
2015-08-13T22:06:51+00:00

Jack Magne
jmagne@localhost.localdomain

2015-08-12T01:26:04+00:00

f60846e025ff5492e8c05ccf525fe8df1b59bba6

There were some things wrong with the setpin utility.

1. There were some syntax violations that had to be dealt with or a DS with syntax checking
would not be pleased.

2. The back end is expecting a byte of hash data at the beginning of the pin.
In our case we are sending NO hash so we want this code at the beginning '-'

3. We also need to prepend the dn in front of the pin so the back end can verify the set pin.

Tested to work during both steps of the setpin process: 1) Creating the schema, 2) creating the pin.
Tested to work with actual PinBased Enrollment.

4. Fix also now supports the SHA256 hashing method only, with the sha256 being the default hash.
The no hash option is supported but puts the pin in the clear.





There were some things wrong with the setpin utility.

1. There were some syntax violations that had to be dealt with or a DS with syntax checking
would not be pleased.

2. The back end is expecting a byte of hash data at the beginning of the pin.
In our case we are sending NO hash so we want this code at the beginning '-'

3. We also need to prepend the dn in front of the pin so the back end can verify the set pin.

Tested to work during both steps of the setpin process: 1) Creating the schema, 2) creating the pin.
Tested to work with actual PinBased Enrollment.

4. Fix also now supports the SHA256 hashing method only, with the sha256 being the default hash.
The no hash option is supported but puts the pin in the clear.







Fixing upstream trac ticket 1150.
2014-10-09T19:03:06+00:00

Abhishek Koneru
akoneru@redhat.com

2014-10-07T18:52:53+00:00

72bad14bb14e16455874fd8c38913a7ccca407e2

In both sslget.c and revoker.c there is an incorrect equality
check which compares the output of a comparision operator with
a constant(SECFailure) which has a value of -1. The fix will print
the correct SECFailure or SECSuccess value for the do_writes method.





In both sslget.c and revoker.c there is an incorrect equality
check which compares the output of a comparision operator with
a constant(SECFailure) which has a value of -1. The fix will print
the correct SECFailure or SECSuccess value for the do_writes method.