Sergei Vyshenski | 10 Feb 10:20

git and svn

Hi Martin,

Sorry for hitting this point again, but lastmidnight generator is stuck:

http://www7.openxpki.org/lastmidnight/index.html

For use with lastmidnight generator
I have a working copy of a "git snapshot" which was created with a command:

git clone git://openxpki.git.sourceforge.net/gitroot/openxpki/openxpki

To update this snapshot nightly from a SF repository I used to issue
command:

git svn rebase

which now says:

Unable to determine upstream SVN information from working tree history

What is a methodical way to update my git snapshot?

All the best, Sergei


Oliver Welter | 8 Feb 11:56

Problems with Umlaut / UTF8

Hi All,

I was trying to issue certificates using German umlauts and ran into 
several problems...

The main issue is that the serialization system crashes with 
I18N_OPENXPKI_SERIALIZATION_SIMPLE_READ_HASH_KEY_LENGTH_FORMAT_CORRUPTED 
when you try to transmit umlauts. Remarkably, the message with the 
umlauts is received and properly decoded (as far as I see), but the 
next following one throws the error.

However, in the database the umlaut chars show up as two characters and 
when you view such information on the frontend again, it gets decoded to 
clumsy boxes. Besides, the database (mysql 5.1) is by default 
initialised in latin1, but changing it to utf8 does not help either.

I use a Debian squeeze with de/en utf8 locale, the webpages are also 
delivered using utf8 as charset, so I don't see anything "outside" to 
create these problems.

Does anybody here have positive experience with umlauts and can help out?

Oliver
--

-- 
Protect your environment -  close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF  8168 CAB7 B0DD 3985 1721

Attachment (smime.p7s): application/pkcs7-signature, 4447 bytes
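
Two effects described in the post above, reproduced as an added example (Python, not OpenXPKI's own code; all function and record names are constructed for the illustration). The first half shows what UTF-8 text looks like once it has gone through a latin1 connection or column (one umlaut becomes two characters) and how to detect and undo that. The second half shows one mechanism that yields exactly the reported serializer symptom, namely a length-prefixed record format whose writer counts characters while the reader counts bytes: the record containing the umlaut still decodes, and the record after it fails with a corrupted length. Whether that is the actual cause in OpenXPKI's serializer is an assumption here, not something the post establishes.

```python
# --- 1. latin1 mojibake: the "two characters per umlaut" effect -------------

def as_seen_through_latin1(text):
    """What a UTF-8 string looks like when the client encodes it as UTF-8 but
    the connection/column is declared latin1: every non-ASCII character turns
    into two or more characters, e.g. 'ü' -> 'Ã¼'."""
    return text.encode("utf-8").decode("latin-1")

def undo_latin1_mojibake(text):
    """Reverse the damage above; only valid if the stored bytes really were UTF-8."""
    return text.encode("latin-1").decode("utf-8")

def looks_double_encoded(text):
    """Heuristic for rows written through a latin1 connection: re-encoding the
    value as latin1 gives bytes that are valid UTF-8 and decode to a different
    (shorter) string. Correct UTF-8 text with umlauts fails the latin1 round trip."""
    try:
        return text.encode("latin-1").decode("utf-8") != text
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False

# --- 2. length-prefixed records: character count vs byte count -------------

def pack(keys, count_bytes=True):
    """Serialize keys as '<len>:<key>' fields (constructed toy format).
    A writer that counts characters (count_bytes=False) emits a length that is
    too small for any key containing a multi-byte UTF-8 character."""
    out = bytearray()
    for key in keys:
        data = key.encode("utf-8")
        length = len(data) if count_bytes else len(key)
        out += f"{length}:".encode("ascii") + data
    return bytes(out)

def unpack(blob):
    """Read '<len>:<key>' fields; lengths are interpreted as bytes."""
    keys, pos = [], 0
    while pos < len(blob):
        colon = blob.find(b":", pos)
        if colon < 0 or not blob[pos:colon].isdigit():
            raise ValueError("LENGTH_FORMAT_CORRUPTED at offset %d" % pos)
        length = int(blob[pos:colon])
        start = colon + 1
        keys.append(blob[start:start + length].decode("utf-8"))
        pos = start + length
    return keys

def round_trip_ok(keys, count_bytes):
    """True if pack()/unpack() reproduce `keys`; False on any corruption."""
    try:
        return unpack(pack(keys, count_bytes)) == keys
    except ValueError:          # UnicodeDecodeError is a ValueError too
        return False

if __name__ == "__main__":
    name = "Müller"                     # constructed sample value
    broken = as_seen_through_latin1(name)
    print(repr(broken), len(name), "->", len(broken))
    print("detected:", looks_double_encoded(broken), "repaired:", undo_latin1_mojibake(broken))
    print("byte-counted records:", round_trip_ok([name, "next"], True))
    print("char-counted records:", round_trip_ok([name, "next"], False))
```

The char-counted case decodes the first record as "Mülle" (one byte short) and then trips over "r4:" where it expects a length, which is the "first message fine, next one corrupt" pattern the post describes.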

Oliver Welter | 3 Feb 17:49

Issues with DBI/SQL abstraction layer

Hi,

I have a (severe?) issue with the SQL abstraction layer. I am using 
mysql as backend and unfortunately have no clue about other RDBMS - therefore 
I need some feedback on whether the issue is mysql only or not.

Problem:
I am searching for a certificate by its subject; the subject I am looking 
for contains a backslash character.

my $issuer_dn = "OU=Trustcenter,O=Snakeoil\, Inc.,C=US";
CTX('dbi_backend')->first(
   TABLE   => 'CERTIFICATE',
   COLUMNS => [ 'IDENTIFIER' ],
   DYNAMIC => {
     'SUBJECT' => $issuer_dn,
     'PKI_REALM' => $pki_realm
});

I get an empty result, which I tracked down to:

According to OpenXPKI::Server::DBI::SQL, line 979, the query uses a "like" 
statement on the condition. In mysql the backslash is an escape 
character when used in like statements:
http://dev.mysql.com/doc/refman/5.0/en/string-comparison-functions.html

Workaround: I ended up adding slashes to this special query, 
which does the job, but I expect that can cause some headache one day in 
any other query, too. Besides, I do not know what happens on other RDBMS.


Oliver Welter | 26 Jan 09:23

Continue Workflows with openxpkicmd

Hi Devs,

I extended the openxpkicmd tool to support operations on an existing 
workflow - might be useful in development and debugging.

Comments welcome =)

Oliver
--

-- 
Protect your environment -  close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF  8168 CAB7 B0DD 3985 1721
Attachment (openxpkicmd.zip): application/x-zip-compressed, 2273 bytes
Attachment (smime.p7s): application/pkcs7-signature, 4447 bytes
_______________________________________________
OpenXPKI-devel mailing list
OpenXPKI-devel@...
https://lists.sourceforge.net/lists/listinfo/openxpki-devel
Joachim Astel | 24 Jan 09:59

MySQL parameter tuning

Hi Folks,

I ran into performance issues with my OpenXPKI setup, so I've fine-tuned
some MySQL settings. This is working quite fine so far in my testing
environment, but I'm not sure whether there could develop an incident
with this setting. Could someone recheck these, please?

I've set innodb_buffer_pool_size from 64MB to 300MB to get more caching
size to have more buffer space when cleaning-up old CRLs so there will
be no errors anymore from MySQL within the cron job.

innodb_log_buffer_size from 1MB to 30MB to increase the buffer size of the
innodb_log to clean out corresponding MySQL log files due to optimization.

Greetings,
	-Achim

Oliver Welter | 23 Jan 12:45

Clarification needed: certificateHold Instruction Code and Workflows

Hi,

while working on the new API I stumbled upon the "certificateHold" 
status. The OpenXPKI::Config lists it but marks it as "untested"; its 
companion "removeFromCRL" is also listed but not useful, as it can be 
used only in Delta-CRLs, which are not supported by openssl and not 
implemented by OpenXPKI currently.

My main issue is the definition and necessity of the "Hold Instruction 
Code" - RFC 3280 defines three of them:
* holdInstructionNone
* holdInstructionCallIssuer
* holdInstructionReject
where holdInstructionNone should be avoided.

In RFC5280, which is the follow-up one, the changelog says:
"Section 5.3.2 in RFC 3280, which specified the holdInstructionCode CRL 
entry extension, was removed.", however, the appendix still lists the 
OIDs in its Appendix.

The openssl manual says:
"Although any OID can be used only holdInstructionNone (the use of which 
is discouraged by RFC2459) holdInstructionCallIssuer or
holdInstructionReject will normally be used."

The most "open" possibility would be to grab the list of usable OIDs 
from the configuration, so it's easily extendable by the user. I would
suggest putting holdInstructionCallIssuer and holdInstructionReject here 
as default.


Oliver Welter | 2 Jan 11:14

namespaces / naming conventions for workflows

Hi All,

I am currently reworking the workflows and as there is currently no 
fixed naming convention, I want to make a proposal on this.

Some newer workflows partially use "I18N_OPENXPKI_WF_TYPE*" (Id of the 
Workflow) and "I18N_OPENXPKI_WF_ACTIVITY*" (Name of the Action) already

I would suggest using "I18N_OPENXPKI_WF_VAL*" and 
"I18N_OPENXPKI_WF_COND*" as common prefixes for Validators and Conditions. 
For better reading I would also suggest "I18N_OPENXPKI_WF_ACL_*" as 
shortcut for ACL Conditions and renaming the Action prefix to 
"I18N_OPENXPKI_WF_ACTION*", so the prefix matches the name of the XML tag.

For the individual names one should use or at least derive the name from 
the actual package name which provides the default implementation. To 
give some freedom to 3rd parties, we might relax this to just use a 
unique prefix.

The "state" names exist only inside one workflow and therefore do not 
need any unification. For the descriptions of the states and workflows, 
the concept already used in 
workflow_def_certificate_revocation_request.xml looks fine for me:

workflow-type is I18N_OPENXPKI_WF_TYPE_<workflow name>
state description is I18N_OPENXPKI_WF_STATE_<workflow name>_<state name>

Workflow name is equal to the name of the xml file. If the state 
description should be reused within similar workflows, it would be wise 
to split the workflow name in a group part and an individual part and 

Anns Ghory | 2 Dec 04:58

OpenxPKI Training

Can you provide developer level training for openxpki? If yes then at what cost and where!

Regards,
Anns Ghory

Oliver Welter | 11 Nov 12:54

First Proposal for implementing Offline/Off-Site CA and enhanced Workflow management

Hi Folks,

please find below a first idea on how to extend the current crypto 
backend and the workflow engine to support asynchronous key operations 
when using an offline/offsite CA.

For each kind of such CA, we provide its own set of 
OpenXPKI::Crypto::API and related classes. For most applications 
it would be sufficient to subclass from the present Backend::OpenSSL 
classes and just override the commands which differ from the default model.

If an async operation is started, the main workflow returns into a 
"waiting for async operation" state. To complete the workflow after the 
async operation was done, we need to poll the async process for 
completion and restart/continue the workflow which is not natively 
possible with the current workflow model.
A possible solution based on the current workflow engine might be to 
fork off a polling process before the main workflow returns to the 
waiting state and reinject the workflow (or a superseding one) on 
success. For async operations with a long latency or on heavily loaded 
systems this will not scale well, as we need to keep one fork alive until 
the async request returns. Besides, a restart of the daemon will 
terminate all polling processes, resulting in stale workflows that need 
manual care.

Therefore I suggest a modification of the workflow engine to introduce 
pause/auto-pickup of workflows.
Basic idea: create a workflow status table which records the current 
status of all unfinished workflows. Possible states are:
* running - regularly executed by a running process
* poll - workflow is in a state that needs regular polling
* crashed - no handling process found but not in a regular state

Each workflow registers and removes itself from the table with a running 
state or marks itself for polling. An external entity (thread inside the 
daemon) will check and trigger the requested polls. The "crash" states 
can handle several error situations, each one demanding its own logic:
1) If the daemon is restarted, all unfinished processes can be 
considered dead
2) Regularly check if the process is still alive (requires recording of 
the PID and might be a bit tricky when using forks)
3) In distributed environments (t.b.d!) the unavailability of a node is 
equal to 1) - requires the recording of the working node

The approach might also deliver the groundwork for load balancing or 
special purpose nodes in a distributed environment. For example, a 
resource intensive task will register itself as "paused" and discontinue 
if the system load is too high or even if the current node is not suited 
for the requested operation. Obviously, it requires another decision 
system to delegate paused/unsuited jobs to another node.

Comments welcome ;)

Oliver

--

-- 
Protect your environment -  close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF  8168 CAB7 B0DD 3985 1721
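
The status-table idea from the proposal above, worked through as an added example (Python; not OpenXPKI code, and the class, column and state names are constructed, as is the way the daemon epoch and PID liveness are represented). It models the three crash-detection cases the post lists: a daemon restart (recorded as a changed "epoch" value), a running row whose PID is gone, and a row owned by a node known to be unavailable. Rows in the poll state deliberately survive a restart of their own daemon, which is the auto-pickup behaviour the proposal asks for; a shared `rows` dict stands in for the database table seen by several nodes.

```python
RUNNING, POLL, CRASHED = "running", "poll", "crashed"

class WorkflowStatusTable:
    """One row per unfinished workflow, keyed by workflow id (constructed model)."""

    def __init__(self, node, daemon_epoch, pid_alive, rows=None):
        self.node = node                  # name of the node this daemon runs on
        self.daemon_epoch = daemon_epoch  # changes on every daemon start
        self.pid_alive = pid_alive        # callable(pid) -> bool, injected so it is testable
        self.rows = rows if rows is not None else {}   # shared dict = shared table

    def register_running(self, wf_id, pid, now):
        self.rows[wf_id] = dict(state=RUNNING, pid=pid, node=self.node,
                                epoch=self.daemon_epoch, next_poll=None, since=now)

    def mark_poll(self, wf_id, interval, now):
        """Workflow enters its 'waiting for async operation' state."""
        self.rows[wf_id].update(state=POLL, pid=None, next_poll=now + interval, since=now)

    def pick_up(self, wf_id, pid, now):
        """A poller thread or an operator re-owns a poll/crashed row on this node."""
        self.rows[wf_id].update(state=RUNNING, pid=pid, node=self.node,
                                epoch=self.daemon_epoch, next_poll=None, since=now)

    def finish(self, wf_id):
        self.rows.pop(wf_id, None)

    def due_polls(self, now):
        """Workflows the poller thread should check now."""
        return sorted(w for w, r in self.rows.items()
                      if r["state"] == POLL and r["next_poll"] <= now)

    def reschedule(self, wf_id, interval, now):
        self.rows[wf_id]["next_poll"] = now + interval

    def reap(self, unavailable_nodes=()):
        """Mark rows crashed and return their ids:
        1) running row from an earlier epoch of this daemon -> daemon was restarted
        2) running row on this node whose PID no longer exists
        3) any row owned by a node reported unavailable (the distributed case)
        Poll rows on a live node are left alone: the poller picks them up again."""
        crashed = []
        for wf_id, row in self.rows.items():
            if row["state"] == CRASHED:
                continue
            own_running = row["node"] == self.node and row["state"] == RUNNING
            dead = (row["node"] in unavailable_nodes
                    or (own_running and row["epoch"] != self.daemon_epoch)
                    or (own_running and not self.pid_alive(row["pid"])))
            if dead:
                row["state"] = CRASHED
                crashed.append(wf_id)
        return sorted(crashed)

if __name__ == "__main__":
    alive = {100, 101}                                   # constructed PID set
    table = WorkflowStatusTable("node-a", 1, lambda pid: pid in alive)
    table.register_running("wf-1", 100, now=0)
    table.register_running("wf-2", 101, now=0)
    table.register_running("wf-3", 102, now=0)           # handler already gone
    table.mark_poll("wf-2", interval=30, now=5)          # waits for the offline CA
    print("due at t=35:", table.due_polls(35))           # ['wf-2']
    print("crashed:", table.reap())                      # ['wf-3'] (dead PID)
    table.daemon_epoch = 2                               # simulate daemon restart
    print("after restart:", table.reap())                # ['wf-1']; wf-2 survives as poll
    other = WorkflowStatusTable("node-b", 7, lambda pid: True, rows=table.rows)
    other.register_running("wf-4", 500, now=40)
    print("node-b lost:", table.reap(unavailable_nodes={"node-b"}))   # ['wf-4']
```

Case 2 is the one the post flags as tricky with forks: a PID can be recycled, so a production check should compare process start time (or a token written by the handler) as well as existence, which is why liveness is injected here rather than hard-wired to a `kill -0`.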

Oliver Welter | 10 Nov 13:06

Init Script not working on Squeeze

Hi,

looks like the SysV init script is not working on squeeze, due to this 
issue http://www.perlmonks.org/?node_id=105674.
Changing the commands as suggested works for me.

Oliver

--

-- 
Protect your environment -  close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF  8168 CAB7 B0DD 3985 1721

Scott Hardin | 29 Sep 16:18

Moving forward with Git

Hi,

After using Git for the past few years, I have stumbled a few times when dealing with my own workflow. A common
situation has been for me to be working concurrently on multiple features and have them slowly depend on
each other to the point that it was sort of "all or nothing" regarding getting a release ready. This often
resulted in messy branches with lots of conflicts. I realized that my own habits were sometimes counter-productive.

Martin and I have been using a new development workflow model for our work in our internal project and have
been very pleased with it so far. A nicely-illustrated description has been published at
http://nvie.com/posts/a-successful-git-branching-model/ and it seems to be well praised by the community.

We would like to adopt this model for OpenXPKI development in the Git repository on SF. In short, the
following git branches will be visible on SF:

master		Currently corresponds to SVN; should produce stable builds

develop		Integration branch for stuff being prepared for the next release

The remaining branches described in the model above should only be in your local repository. If, for
example, you are working on a feature and want to share your commits with other developers, you can easily
exchange via github. By doing this, the repository on SF should stay nice and tidy. This also means that a
developer doesn't need write access to SF in order to easily contribute to the project. He or she just
creates a branch with the commits directly off of the HEAD of the develop branch, pushes this new branch to
GitHub and requests another developer to pull the commits and push them to SF.

There is also a nice add-on for Git that supports this workflow model called git-flow. This is available at
https://github.com/nvie/gitflow and there is a spiffy screencast for it from Dave Bock at http://codesherpas.com/screencasts/on_the_path_gitflow.mov.

Martin has asked me to mention an issue regarding the current Git and SVN repositories: he made a mistake
when synchronizing them and we didn't notice the mistake until after the commits were published to SF. The
problem is mostly cosmetic regarding how the branch history appears in Git, but it prevents anyone but
Martin from keeping both Git and SVN automatically synchronized. For his sin, he has been flogged with a
wet WLAN cable.

Until the SVN repository has been retired, Martin has offered to keep the master branch in Git synchronized
with SVN. So there are currently three options for publishing commits:

- Git users: Push your commits to your own repository on github using git and send a pull-request to one of the
developers with write access to Git on SF and familiar with integrating commits (currently Martin or me)

- For master branch only, Git users with write access to Git on SF: Push your commits to both Git and SVN on SF
(you'll want a separate tracking branch for SVN, though). 

- SVN users: Push your commits to SVN on SF and have Martin sync to the master branch in git

As a side effect, the history for the Git master branch and SVN will diverge, but only the Git users that try to
track both Git and SVN repositories would notice. If you switch "cold turkey" to Git, you won't have any problems.

For those still not familiar/comfortable with Git, take a look at Github and the book "Version Control with
Git" from O'Reilly. It may seem daunting at first, but Git will grow on you quickly.

With best regards,

Scott
