Description of problem:
The pkisilent script has an option to save the CA certs and keys as a PKCS#12 file. This file is created as /tmp/tmp-ca.p12 and is mode 644. Since it contains the CA keys it should at least be created as mode 600. It might be better to create it in /root as well.

Version-Release number of selected component (if applicable):
dogtag SVN revision 322

Steps to Reproduce:
1. pkisilent ConfigureCA ... -save_p12 true ...
2. ls -l /tmp/tmp-ca.p12
-rw-r--r-- 1 root root 10852 2009-04-01 12:02 /tmp/tmp-ca.p12
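The two defects in the report are a key-bearing file created with a permissive mode and placed in a directory other users can reach. The following is an added example, not dogtag's code or the attached patch: it shows how to create such a backup with mode 0600 applied at creation time (so there is no window where the file exists as 0644 before a chmod), how O_EXCL refuses to reuse a pre-existing file or symlink in a shared directory, and an audit function of the kind QE could run against the result. The function names, the scratch directories and the SAMPLE_P12 bytes are all constructed for the example; the bytes are not a real PKCS#12 file.

```python
import os
import stat
import tempfile

# Constructed stand-in for the PKCS#12 bytes; a real backup would come from
# the NSS database. The content is irrelevant to the permission handling.
SAMPLE_P12 = b"constructed-not-a-real-pkcs12-blob"


def write_private_file(path: str, data: bytes) -> str:
    """Create `path` as a new regular file with mode 0600 and write `data`.

    The mode is passed to os.open together with O_CREAT, so the file never
    exists with a wider mode; the umask can only clear bits from 0o600.
    O_EXCL makes the call fail if anything (file or symlink) already exists
    at `path`, which is the classic hazard in a shared directory like /tmp.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    except Exception:
        os.unlink(path)
        raise
    return path


def audit_p12(path: str) -> list:
    """Return a list of problems with a key backup file; empty means OK.

    Checks the file itself (regular, owned by us, no group/other bits) and
    the immediate parent directory (no access for 'other'), which is what
    distinguishes /root from /tmp in the bug report.
    """
    problems = []
    st = os.lstat(path)  # lstat: a symlink planted at the path is itself a finding
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file (symlink or special file)")
    if st.st_uid != os.geteuid():
        problems.append("owned by uid %d, not the running user" % st.st_uid)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append("mode %04o grants group/other access; expected 0600" % mode)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    pmode = stat.S_IMODE(parent.st_mode)
    if pmode & 0o007:
        problems.append("parent directory mode %04o is reachable by other users" % pmode)
    return problems


def demo() -> dict:
    """Run the example in a scratch tree and return the audit results.

    'private' mimics /root (0700); 'shared' mimics /tmp (1777). The file in
    the shared directory is chmod'ed to 0644 to reproduce the reported state.
    """
    root = tempfile.mkdtemp()
    private = os.path.join(root, "private")
    shared = os.path.join(root, "shared")
    os.mkdir(private)
    os.chmod(private, 0o700)   # chmod after mkdir: mkdir's mode is subject to umask
    os.mkdir(shared)
    os.chmod(shared, 0o1777)

    results = {}
    good = write_private_file(os.path.join(private, "tmp-ca.p12"), SAMPLE_P12)
    results["good"] = audit_p12(good)
    results["good_mode"] = stat.S_IMODE(os.lstat(good).st_mode)

    # A second write to the same path must be refused rather than truncating
    # whatever is there (or following a symlink someone left behind).
    try:
        write_private_file(good, SAMPLE_P12)
        results["overwrite_refused"] = False
    except FileExistsError:
        results["overwrite_refused"] = True

    bad = write_private_file(os.path.join(shared, "tmp-ca.p12"), SAMPLE_P12)
    os.chmod(bad, 0o644)
    results["bad"] = audit_p12(bad)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit deliberately uses lstat on the file and looks only at the immediate parent directory; a fuller check would also walk every ancestor for world-writable components, but the two findings it does report are exactly the two raised in the bug.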
Created attachment 341643 [details]
patch to fix

Added an optional flag to specify the file location and name; defaults to /root. Also provides correct permissions.

awnuk, please review.
attachment (id=341643) +awnuk
[builder@dhcp231-124 dogtag-src]$ svn ci -m "Bugzilla BZ 493418: silent install -save_p12 option creates file mode 644" pki/base/silent/ pki/dogtag/silent/
Sending        pki/base/silent/src/ca/ConfigureCA.java
Sending        pki/dogtag/silent/pki-silent.spec
Transmitting file data ..
Committed revision 418.
save_p12 set to true for CA: the p12 is created in root's home directory with permissions of 600; however, all other p12s are still created in /tmp with permissions of 644. I think this fix is incomplete. What is the flag to change the location? /root may not exist on Solaris.
Jenny,

A couple of questions:
1. What other p12 files? There is only one pk12 file created.
2. Use -backup_fname foo to change the location.
1. tmp-kra.p12, tmp-tks.p12, tmp-ocsp.p12 ....
2. Thank you - I will try that.
Attachments id=375817 id=375819 jmagne+

With the caveat of checking for an empty string in the function checkRequireArgs.
Checked in as part of fixes to 504030:

Checked into tip:
[builder@dhcp231-70 silent]$ svn ci -m "fixes for BZ 510774,531162,504030, 493418"
Sending        silent/scripts/pkisilent
Sending        silent/src/argparser/ArgParser.java
Sending        silent/src/ca/ConfigureCA.java
Sending        silent/src/common/ComCrypto.java
Sending        silent/src/drm/ConfigureDRM.java
Sending        silent/src/ocsp/ConfigureOCSP.java
Sending        silent/src/subca/ConfigureSubCA.java
Sending        silent/src/tks/ConfigureTKS.java
Sending        silent/src/tps/ConfigureTPS.java
Transmitting file data .........
Committed revision 877.

Checked into 8.1:
[builder@oliver silent]$ svn ci -m "fixes for BZ 510774,531162, 504030, 493418"
Sending        silent/scripts/pkisilent
Sending        silent/src/argparser/ArgParser.java
Sending        silent/src/ca/ConfigureCA.java
Sending        silent/src/drm/ConfigureDRM.java
Sending        silent/src/ocsp/ConfigureOCSP.java
Sending        silent/src/subca/ConfigureSubCA.java
Sending        silent/src/tks/ConfigureTKS.java
Sending        silent/src/tps/ConfigureTPS.java
Transmitting file data ........
Committed revision 878.
QE/docs: This was fixed before for the CA only. It has now been fixed for the other subsystems.

Note: it does not apply to the TPS.

Note: it has not been added to the subCA. Currently, the code in the subCA does not save the certs in a pk12 file. I didn't change it; if someone really wants it, they can ask for it.
The SaveP12Panel failure mentioned in comment #12 is due to the pkisilent OCSP and TKS configuration problem.

pkisilent for CA, DRM, OCSP and TKS with the -backup_fname option creates the p12 file with permissions of 600.

Marking this bug Verified.