
OpenXPKI Trustcenter Software

A software stack based on Perl and OpenSSL to run a PKI/trustcenter with an enterprise-grade feature set.

core features

  • WebUI compatible with all major browsers
  • Ready-to-run example config as public git repo (openxpki/openxpki-config)
  • File-based configuration (eases versioning, staged deployment and change control)
  • Support for SCEP (Simple Certificate Enrollment Protocol) and EST
  • Easy adjustment of workflows to personal needs
  • Run multiple separate CAs with a single installation
  • automated rollover of CA generations
  • Can use Hardware Security Modules (e. g. Thales HSMs) for crypto operations
  • Issue certificates with public trusted CAs (e. g. SwissSign, Comodo, VeriSign)
  • Based on OpenSSL and Perl, runs on most *nix platforms
  • 100% Open Source, commercial support available

Release

There is no planned release schedule, we make new releases after fixing relevant bugs or adding new features.

Stable Releases

With release 3.2/3.3 we started to maintain two active release lines. A stable release, which is fully tested and upgrades seamlessly within the same major version (see https://semver.org/), gets an even minor version number (3.2.0). Such a release is updated only for critical bugs, and those updates are announced on the openxpki-users mailing list.

Packages for Debian are provided via our package mirror; prebuilt docker images are available via Dockerhub (whiterabbitsecurity/openxpki3).

Packages for SLES, RHEL, Ubuntu are available via subscription plans.

Development Releases

Development releases are tagged with an odd minor version number (3.3.x) and should not be used in production. Packages might be published for such releases; the corresponding docker image is whiterabbitsecurity/openxpki3dev.

Getting Started

A public demo is available at http://demo.openxpki.org/.

To run OpenXPKI yourself, get a Debian box ready (the current release is v3 for Buster) and download the packages from the package mirror. The packages come with a full-featured sample config and a sample setup script - this gets your PKI up in less than 5 minutes! Just follow our Quickstart Instructions.

There is also a ready-to-use docker image whiterabbitsecurity/openxpki3, see https://github.com/openxpki/openxpki-docker.

Support / Issue Tracker

Check out the documentation on readthedocs. There is also a complete quickstart manual.

Please use the project's mailing lists to get support. Please do NOT use the GitHub issue tracker for general support; ask on the list before filing an issue. If you file an issue, add sufficient information to reproduce the problem.

Contributing

Contributions are always welcome. Please fork and make a pull request against the development branch. Please also add your name to the AUTHORS file (which implies that you agree with the contributors license agreement).

License

Apache License 2.0, also see LICENSE


openxpki's Issues

Build fails when using MakeMaker 6.7

The build of the openxpki core fails on debian/ubuntu packaging due to a problem with MakeMaker.
MakeMaker 6.5, which is installed by default under squeeze and Ubuntu 12.04, works fine, but for building the "Connector" package you need MM 6.7.
If you build OXI core after pulling MM 6.7 from cpan, you get a deb package without the core files in it.

Steps to reproduce:

  • pull MM from cpan, make sure MM 6.7 is in the path
  • open package/debian/Makefile.inc - remove "make package" from the default target
  • run make core
  • go to /tmp/OpenXPKI-xxx
  • run (as root) dpkg-buildpackage

The problematic line seems to be at the end of "debian/rules":
$(MAKE) install PREFIX=$(CURDIR)/debian/libopenxpki-perl/usr

That should install the files from blib into the packages root but the target stays empty.

Fix pkcs7 chain building

The code in the pkcs7_get_chain method of the default token is broken. It tries to build the chain using the issuer subject string. This fails for multivalued CNs as pkcs7 and openssl use different formats on stringified subjects.

CN=Oliver Welter/UID=oliwel,DC=OpenXPKI,DC=org vs.
UID=oliwel+CN=Oliver Welter,DC=OpenXPKI,DC=org

As this can also lead to ambiguity, the suggested fix is to use AIA info as in certnanny to construct the chain https://github.com/certnanny/CertNanny/blob/master/agent/lib/perl/CertNanny/Keystore.pm#L1342

A continuous formatting needs to be defined and implemented with respect to other issues and as a fallback.

UI Problems with Anonymous

Anonymous login on Web UI has several problems:

  • unable to logout
  • unable to search for or see any certificates
    Looks like no realm is set on anonymous login

Change calls to connector for refactored api

Connector suffers the problem that you cannot have keys with dots.
We will fix that by stopping the recursive parsing of arrayref-style paths, so we need to refactor the code where it uses this feature.

Validate Chain when importing

As the system internally uses the database without any crypto when building a chain, we need to make sure that the certificates in the database are checked when they are imported. This applies mainly on the openxpkiadm import feature but might also become a problem when delegating issuance to external CAs.

Use Fakelogger in control scripts

The control cli tools init the server and the default logger and try to write to the main logfile. This operation fails if the current user is not allowed to write to the logs.

Key Handling nCipher

The inheritance key handling assumes that the keys are files on the disk; for nCipher, e.g., the key is just a symbolic name, which fails the filesystem tests.

Fix: Introduce a new param "keytype" for different behaviour (file, directory + alias expansion, named)

EvaluateEligibility in SCEP

Connector syntax needs to be defined and implemented in OpenXPKI::Server::Workflow::Activity::SCEPv2::EvaluateEligibility.

The eligible check is used in approval calculation; the workflow needs to be changed, as actually it fails when the eligible check fails.

Rework transaction handling

The current code has no clear and consistent concept of how database transactions should be handled. We need to address and partly rework this.

API functions should not implicitly commit data (which is currently partly done) unless explicitly requested by the caller.
This means that the caller should be able to request "auto-commit" when calling an API function. If this is not the case, the API call should use the same database transaction as the caller.
Typically a transaction will close after completion of a workflow activity, either successful, implying a commit or unsuccessful, which means a transaction rollback. All data manipulated in API functions should also be rolled back.

Caveats:

  • log messages and audit trails shall NOT be rolled back, even in case of a failure on application level
  • when allowing longer running transactions care must be taken not to introduce deadlocks between server instances both trying to access the same table (this has been observed in the past with accesses to the SECRET table, for example, and was addressed with commit 9b853b6 - the downside being that now there may be junk left in the database resulting from unwanted commits in case of a later failure in the same logical transaction)
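The transaction rules set out in this issue (an API function joins the caller's transaction unless auto-commit is requested, the activity boundary commits or rolls back, audit entries are never rolled back) and the caveat about junk left behind by an early commit, shown as an added example in Python with sqlite3. This is not OpenXPKI code; the table names, the function names and the two in-memory databases standing in for the application and audit stores are assumptions made for the demonstration.

```python
"""Explicit transaction scope for API functions, with an audit trail that
survives rollback. Added example, not OpenXPKI code; schema and names are
constructed for the demonstration."""
import sqlite3
from typing import Callable


def open_app_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE certificate (identifier TEXT PRIMARY KEY, subject TEXT)")
    conn.commit()
    return conn


def open_audit_db() -> sqlite3.Connection:
    # Separate connection: its commits are independent of the application transaction.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit (message TEXT)")
    conn.commit()
    return conn


def audit(audit_conn: sqlite3.Connection, message: str) -> None:
    """Audit entries commit immediately on their own connection, so a later
    rollback of the application transaction does not remove them."""
    audit_conn.execute("INSERT INTO audit (message) VALUES (?)", (message,))
    audit_conn.commit()


def api_store_certificate(conn: sqlite3.Connection, audit_conn: sqlite3.Connection,
                          identifier: str, subject: str, autocommit: bool = False) -> None:
    """API function: writes inside the caller's transaction and commits only
    when the caller explicitly asks for auto-commit."""
    conn.execute("INSERT INTO certificate (identifier, subject) VALUES (?, ?)",
                 (identifier, subject))
    audit(audit_conn, f"stored {identifier}")
    if autocommit:
        conn.commit()


def run_activity(conn: sqlite3.Connection, body: Callable[[], None]) -> bool:
    """Workflow activity boundary: one transaction, commit on success,
    rollback on any failure. Returns whether the activity succeeded."""
    try:
        body()
    except Exception:
        conn.rollback()
        return False
    conn.commit()
    return True


def stored_identifiers(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute(
        "SELECT identifier FROM certificate ORDER BY identifier")]


def audit_messages(audit_conn: sqlite3.Connection) -> list:
    return [row[0] for row in audit_conn.execute("SELECT message FROM audit ORDER BY rowid")]


def demo() -> dict:
    conn, audit_conn = open_app_db(), open_audit_db()

    def failing_activity():
        api_store_certificate(conn, audit_conn, "cert-1", "CN=first")
        raise RuntimeError("a later step of the same activity failed")

    def good_activity():
        api_store_certificate(conn, audit_conn, "cert-2", "CN=second")

    def failing_with_autocommit():
        # The caveat from the issue: a commit inside the API call leaves
        # "junk" behind when the activity fails afterwards.
        api_store_certificate(conn, audit_conn, "cert-3", "CN=third", autocommit=True)
        raise RuntimeError("failed after the API call had already committed")

    results = [run_activity(conn, failing_activity),
               run_activity(conn, good_activity),
               run_activity(conn, failing_with_autocommit)]
    return {"activity_ok": results,
            "certificates": stored_identifiers(conn),
            "audit": audit_messages(audit_conn)}


if __name__ == "__main__":
    print(demo())
```

The first activity leaves no certificate behind but its audit line stays; the third activity shows why auto-commit must be opt-in: cert-3 survives although the activity as a whole failed.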

Packaging for Ubuntu 12.04

The debian build files can be used on Ubuntu 12.04 but there are some issues.

  1. make for connector builds a working packaging but ends with an error
  2. The ${perl:Depends} macro seems to be unsupported
  3. There is a problem with a renamed CPAN module Digest::SHA1 -> Digest::SHA. Current Hotfix: package and distribute the old module

Improve inheritance in token config

Complete the inheritance code for the token configuration, so we can drop the individual aliases from the config file (autodiscovery based on group and default name)

Create CA chain immediately before CA operation

The crypto backend command issue_cert assumes that the whole cert chain (including CA certificate) has been written to the tmp directory during server startup.
This means that a CA certificate might be unavailable later during operation (e. g. due to a tmp directory cleanup).

Immediately before running the issue_cert function the system should export the required CA cert entries to the tmp file and clean up afterwards.

Normalize stringified multi-value subject

Openssl based and PKCS7 (openca-sv) based commands use different formats to display multivalued subjects.

While openssl subject returns:
CN=Oliver Welter/UID=oliwel,DC=OpenXPKI,DC=org

The pkcs7 get_subject results in
UID=oliwel+CN=Oliver Welter,DC=OpenXPKI,DC=org

See also #30
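The two renderings quoted above and in the pkcs7 chain-building issue (#30) compare unequal as plain strings although they denote the same DN. The following added example, which is not OpenXPKI code, canonicalises a stringified subject (split RDNs on ",", split the attributes of a multi-valued RDN on either "/" or "+", sort them, rejoin with "+") and then uses that canonical form to match issuer to subject when building a chain. It assumes exactly the two formats shown on the page and honours backslash escapes so an escaped separator inside a value is not split on; the sample store is constructed.

```python
"""Canonicalise stringified X.500 subjects and build a chain by subject
matching. Added example, not OpenXPKI code; it assumes the OpenSSL ("/")
and PKCS#7 ("+") renderings of multi-valued RDNs quoted in the issues."""
from __future__ import annotations

RDN_SEP = ","      # separates RDNs in both renderings
ATTR_SEPS = "+/"   # separates attributes of one multi-valued RDN


def _split_unescaped(text: str, seps: str) -> list[str]:
    """Split text on any character in seps that is not preceded by a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair verbatim
            i += 2
            continue
        if ch in seps:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def canonical_subject(subject: str) -> str:
    """Return a rendering that is identical for both tools' output of the same DN."""
    rdns = []
    for rdn in _split_unescaped(subject, RDN_SEP):
        attrs = []
        for attr in _split_unescaped(rdn, ATTR_SEPS):
            attr_type, _, value = attr.partition("=")
            attrs.append((attr_type.strip().upper(), value.strip()))
        attrs.sort()  # attribute order inside a multi-valued RDN is not significant
        rdns.append("+".join(f"{t}={v}" for t, v in attrs))
    return ",".join(rdns)


def same_subject(a: str, b: str) -> bool:
    return canonical_subject(a) == canonical_subject(b)


class AmbiguousIssuer(Exception):
    """More than one stored certificate carries the wanted issuer subject."""


def find_issuer_candidates(cert: dict, store: list[dict]) -> list[dict]:
    wanted = canonical_subject(cert["issuer"])
    return [c for c in store if canonical_subject(c["subject"]) == wanted]


def build_chain(cert: dict, store: list[dict]) -> list[dict]:
    """Walk issuer links by canonical subject; stop at a self-signed
    certificate, at an issuer that is not in the store, or on a loop."""
    chain = [cert]
    seen = {cert["id"]}
    while not same_subject(chain[-1]["subject"], chain[-1]["issuer"]):
        candidates = find_issuer_candidates(chain[-1], store)
        if not candidates:
            break  # issuer unknown: the chain stays incomplete
        if len(candidates) > 1:
            # Subject matching cannot tell CA generations apart; the issue
            # suggests using the AIA extension instead of the subject string.
            raise AmbiguousIssuer(chain[-1]["issuer"])
        nxt = candidates[0]
        if nxt["id"] in seen:
            break
        seen.add(nxt["id"])
        chain.append(nxt)
    return chain


# Constructed sample store: the CA's subject in the OpenSSL rendering, the
# end-entity's issuer field as the PKCS#7 tool renders the same DN.
SAMPLE_STORE = [
    {"id": "root-1", "subject": "CN=Root CA,DC=OpenXPKI,DC=org",
     "issuer": "CN=Root CA,DC=OpenXPKI,DC=org"},
    {"id": "ca-1", "subject": "CN=Issuing CA/OU=PKI,DC=OpenXPKI,DC=org",
     "issuer": "CN=Root CA,DC=OpenXPKI,DC=org"},
    {"id": "ee-1", "subject": "CN=test.openxpki.org",
     "issuer": "OU=PKI+CN=Issuing CA,DC=OpenXPKI,DC=org"},
]


def sample_chain_ids() -> list[str]:
    return [c["id"] for c in build_chain(SAMPLE_STORE[2], SAMPLE_STORE)]


if __name__ == "__main__":
    print(sample_chain_ids())
```

A literal "/" or "+" inside an attribute value must be backslash-escaped in the input for this canonicalisation to hold, which is the "continuous formatting" the chain-building issue asks for; without it, subject-string matching remains a heuristic and a second CA generation with the same subject raises AmbiguousIssuer rather than silently picking one.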

Fix x509 Authentication handlers role assignment

We have two x509 based handlers, where both reuse the "certificate role" from the database for the authorization role. We already discussed that we do not want to continue with this feature, but we need to find another way to assign a role when using x509 authentication.

Config::Merge does not handle path names having spaces

Config::Merge, which is used by our config layer, fails to handle path names containing spaces; proposed patch below, already sent to the maintainer.

--- /usr/share/perl5/Config/Merge.pm    2011-05-04 21:47:19.000000000 +0200
+++ ./Merge.pm  2013-08-19 15:32:21.717641248 +0200
@@ -634,8 +634,11 @@
     my $config = {};

     my @local;
+    
+    my $pattern = File::Spec->catfile( $dir, '*' );    
+    $pattern =~ s/\s/\\ /g;    
     my $config_files = $self->{sort}
-        ->( $self, [ glob( File::Spec->catfile( $dir, '*' ) ) ] );
+        ->( $self, [ glob( $pattern ) ] );

     my $is_local = $self->{is_local};
     $self->debug( '', "Entering dir: $dir", '-' x ( length($dir) + 14 ) );
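Review bot: the substitution on the third added line, `$pattern =~ s/\s/\\ /g;`, only escapes whitespace, so a directory name containing other glob metacharacters (`[`, `{`, `*`, `?`) is still mis-expanded, and the patch treats a symptom of Perl's `glob()` splitting its argument on whitespace. `File::Glob::bsd_glob` does not split on whitespace and removes the need for escaping altogether: add `use File::Glob qw(bsd_glob);` and call `->( $self, [ bsd_glob( File::Spec->catfile( $dir, '*' ) ) ] );` instead of building `$pattern`. The three added lines also carry trailing whitespace.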

Change time format used by Watchdog

The watchdog uses the mysql datetime type for reap and wakeup timestamps, which is not portable to other db systems. The timestamp columns need to be replaced by epoch.

Requesting issuance of certificate (CSR) fails due to SMTP notification

UPDATE 2: This error occurs because we are still working on the new SMTP notification code. The current workaround is to just disable notifications by doing the following:

mv /etc/openxpki/config.d/realm/ca-one/notification.yaml /etc/openxpki/config.d/realm/ca-one/notification.yaml.sav
openxpkiadm loadcfg
/etc/init.d/openxpkid restart

When requesting a certificate, the workflow instance creation fails.

The version tested is a fresh quickstart install:

Packaging information: OpenXPKI version 0.11.1 Git commit hash:
d828649 Git description: v0.11.0.0-73-gd828649

The error text is:

I18N_OPENXPKI_SERVER_API_CREATE_WORKFLOW_INSTANCE_CREATE_FAILED_EVAL_ERROR; ERROR => Attribute (transport) does not pass the type constraint because: Validation failed for 'Object' with value undef at /usr/lib/perl5/OpenXPKI/Server/Notification/SMTP.pm line 385 OpenXPKI::Server::Notification::SMTP::_send_plain('OpenXPKI::Server::Notification::SMTP=HASH(0x59d0020)', 'HASH(0x63fc098)', 'HASH(0x5f82690)') called at /usr/lib/perl5/OpenXPKI/Server/Notification/SMTP.pm line 312 OpenXPKI::Server::Notification::SMTP::notify('OpenXPKI::Server::Notification::SMTP=HASH(0x59d0020)', 'HASH(0x6401710)') called at /usr/lib/perl5/OpenXPKI/Server/Notification/Handler.pm line 149 OpenXPKI::Server::Notification::Handler::notify('OpenXPKI::Server::Notification::Handler=HASH(0x549e210)', 'HASH(0x63fc590)') called at /usr/lib/perl5/OpenXPKI/Server/Workflow/Activity/Tools/Notify.pm line 75 OpenXPKI::Server::Workflow::Activity::Tools::Notify::execute('OpenXPKI::Server::Workflow::Activity::Tools::Notify=HASH(0x64...', 'OpenXPKI::Server::Workflow=HASH(0x61c4178)') called at /usr/share/perl5/Workflow.pm line 83 eval {...} called at /usr/share/perl5/Workflow.pm line 80 Workflow::execute_action('OpenXPKI::Server::Workflow=HASH(0x61c4178)', 'I18N_OPENXPKI_WF_ACTION_NOTIFY_USER_OF_CREATION', 1) called at /usr/lib/perl5/OpenXPKI/Server/Workflow.pm line 133 eval {...} called at /usr/lib/perl5/OpenXPKI/Server/Workflow.pm line 132 eval {...} called at /usr/lib/perl5/OpenXPKI/Server/Workflow.pm line 131 OpenXPKI::Server::Workflow::execute_action('OpenXPKI::Server::Workflow=HASH(0x61c4178)', 'I18N_OPENXPKI_WF_ACTION_NOTIFY_USER_OF_CREATION', 1) called at /usr/share/perl5/Workflow.pm line 344 Workflow::_auto_execute_state('OpenXPKI::Server::Workflow=HASH(0x61c4178)', 'Workflow::State=HASH(0x5c0d138)') called at /usr/share/perl5/Workflow.pm line 148 Workflow::execute_action('OpenXPKI::Server::Workflow=HASH(0x61c4178)', 'I18N_OPENXPKI_WF_ACTION_RENDER_SUBJECT', 1) called at 
/usr/lib/perl5/OpenXPKI/Server/Workflow.pm line 133 eval {...} called at /usr/lib/perl5/OpenXPKI/Server/Workflow.pm line 132 eval {...} called at /usr/lib/perl5/OpenXPKI/Server/Workflow.pm line 131 OpenXPKI::Server::Workflow::execute_action('OpenXPKI::Server::Workflow=HASH(0x61c4178)', 'I18N_OPENXPKI_WF_ACTION_RENDER_SUBJECT', 1) called at /usr/share/perl5/Workflow.pm line 344 Workflow::_auto_execute_state('OpenXPKI::Server::Workflow=HASH(0x61c4178)', 'Workflow::State=HASH(0x5c0d300)') called at /usr/share/perl5/Workflow.pm line 148 Workflow::execute_action('OpenXPKI::Server::Workflow=HASH(0x61c4178)', 'create_csr', undef) called at /usr/lib/perl5/OpenXPKI/Server/Workflow.pm line 133 eval {...} called at /usr/lib/perl5/OpenXPKI/Server/Workflow.pm line 132 eval {...} called at /usr/lib/perl5/OpenXPKI/Server/Workflow.pm line 131 OpenXPKI::Server::Workflow::execute_action('OpenXPKI::Server::Workflow=HASH(0x61c4178)', 'create_csr') called at /usr/lib/perl5/OpenXPKI/Server/API/Workflow.pm line 608 eval {...} called at /usr/lib/perl5/OpenXPKI/Server/API/Workflow.pm line 559 OpenXPKI::Server::API::Workflow::create_workflow_instance('OpenXPKI::Server::API::Workflow', 'HASH(0x61c65a8)') called at /usr/lib/perl5/OpenXPKI/Server/API.pm line 1304 OpenXPKI::Server::API::ANON('OpenXPKI::Server::API=SCALAR(0x6160ee0)', 'HASH(0x61c65a8)') called at /usr/lib/perl5/OpenXPKI/Service/Default/Command.pm line 132 OpenXPKI::Service::Default::Command::execute('OpenXPKI::Service::Default::Command=SCALAR(0x61c1f90)') called at /usr/lib/perl5/OpenXPKI/Service/Default.pm line 628 eval {...} called at /usr/lib/perl5/OpenXPKI/Service/Default.pm line 627 OpenXPKI::Service::Default::__handle_COMMAND('OpenXPKI::Service::Default=SCALAR(0x304ec78)', 'HASH(0x6159540)') called at /usr/lib/perl5/OpenXPKI/Service/Default.pm line 166 eval {...} called at /usr/lib/perl5/OpenXPKI/Service/Default.pm line 164 OpenXPKI::Service::Default::__handle_message('OpenXPKI::Service::Default=SCALAR(0x304ec78)', 
'HASH(0x616efa8)') called at /usr/lib/perl5/OpenXPKI/Service/Default.pm line 801 eval {...} called at /usr/lib/perl5/OpenXPKI/Service/Default.pm line 800 OpenXPKI::Service::Default::run('OpenXPKI::Service::Default=SCALAR(0x304ec78)') called at /usr/lib/perl5/OpenXPKI/Server.pm line 633 OpenXPKI::Server::do_process_request('OpenXPKI::Server=HASH(0x300e5f0)') called at /usr/lib/perl5/OpenXPKI/Server.pm line 406 eval {...} called at /usr/lib/perl5/OpenXPKI/Server.pm line 405 OpenXPKI::Server::process_request('OpenXPKI::Server=HASH(0x300e5f0)') called at /usr/share/perl5/Net/Server.pm line 141 Net::Server::run_client_connection('OpenXPKI::Server=HASH(0x300e5f0)') called at /usr/share/perl5/Net/Server/Fork.pm line 234 Net::Server::Fork::run_client_connection('OpenXPKI::Server=HASH(0x300e5f0)') called at /usr/share/perl5/Net/Server/Fork.pm line 170 Net::Server::Fork::loop('OpenXPKI::Server=HASH(0x300e5f0)') called at /usr/share/perl5/Net/Server.pm line 116 Net::Server::run('OpenXPKI::Server=HASH(0x300e5f0)', 'proto', 'unix', 'background', 1, 'port', '/var/openxpki/openxpki.socket|unix', 'no_client_stdout', 1, 'process_group', 106, 'pid_file', '/var/run/openxpkid.pid', 'socketfile', '/var/openxpki/openxpki.socket', 'alias', 'main', 'server_type', 'Fork', 'process_owner', 105, ...) called at /usr/share/perl5/Net/Server/MultiType.pm line 108 Net::Server::MultiType::run('OpenXPKI::Server=HASH(0x300e5f0)', 'proto', 'unix', 'background', 1, 'port', '/var/openxpki/openxpki.socket|unix', 'no_client_stdout', 1, 'process_group', 106, 'pid_file', '/var/run/openxpkid.pid', 'socketfile', '/var/openxpki/openxpki.socket', 'alias', 'main', 'server_type', 'Fork', 'process_owner', 105, ...) 
called at /usr/lib/perl5/OpenXPKI/Server.pm line 138 OpenXPKI::Server::new('OpenXPKI::Server', 'SILENT', 1) called at /usr/lib/perl5/OpenXPKI/Control.pm line 219 eval {...} called at /usr/lib/perl5/OpenXPKI/Control.pm line 215 OpenXPKI::Control::start('HASH(0xcb8d48)') called at /usr/bin/openxpkictl line 100 at /usr/lib/perl5/OpenXPKI/Server/API/Workflow.pm line 608 at /usr/lib/perl5/OpenXPKI/Server/API/Workflow.pm line 608 at /usr/lib/perl5/OpenXPKI/Server/API/Workflow.pm line 608 at /usr/lib/perl5/OpenXPKI/Server/API/Workflow.pm line 608 at /usr/lib/perl5/OpenXPKI/Server/API/Workflow.pm line 608 at /usr/lib/perl5/OpenXPKI/Server/API/Workflow.pm line 608 at /usr/lib/perl5/OpenXPKI/Server/API/Workflow.pm line 608

Rewrite Workflow Classes

Rewrite the wrapping class OpenXPKI::Server::Workflow and the old Factory pattern to use the new functionality from the patches submitted to the Workflow module.

Add a comment field in " confirm reject" page

Customers ask frequently why we rejected a certificate request. Therefore I suggest adding a comment field to enter the reason for rejection, which is then included in the email informing the user about the rejection. Not as a required field, just for optional comments.

Rework encrypted datapool functionality (replace with TransparentEncryption)

The Datapool API supports encrypted storage of data in the datapool. Although this works fine it would be nice to provide a transparent encryption mechanism to the core system that could replace both VolatileVault and the dedicated Datapool encryption.

Sample implementation of base class at https://github.com/mbartosch/TransparentEncryption

Possible start for adding this to the server context (untested):

diff --git a/trunk/perl-modules/core/trunk/OpenXPKI/Server/Context.pm b/trunk/perl-modules/core/trunk/OpenXPKI/Server/Context.pm
index d15ad8a..1999918 100644
--- a/trunk/perl-modules/core/trunk/OpenXPKI/Server/Context.pm
+++ b/trunk/perl-modules/core/trunk/OpenXPKI/Server/Context.pm
@@ -29,6 +29,7 @@ my $context = {
    pki_realm        => undef,
     pki_realm_by_cfg => undef,
    volatile_vault   => undef,
+   transparent_encryption  => undef,
    log              => undef,
    dbi_backend      => undef,
    dbi_workflow     => undef,
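Review bot: the added `transparent_encryption  => undef,` line puts two spaces before `=>` while the neighbouring keys are column-aligned; align it with `volatile_vault   => undef,` and `log              => undef,`. The mixed 3- and 4-space indentation in this hash (`pki_realm_by_cfg` versus the rest) is pre-existing but worth fixing while the block is being touched.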
@@ -231,6 +232,8 @@ by calling CTX('...') once create() has been called:

 =item * volatile_vault

+=item * transparent_encryption
+
 =item * log

 =item * dbi_backend
diff --git a/trunk/perl-modules/core/trunk/OpenXPKI/Server/Init.pm b/trunk/perl-modules/core/trunk/OpenXPKI/Server/Init.pm
index 3619e57..9425f59 100644
--- a/trunk/perl-modules/core/trunk/OpenXPKI/Server/Init.pm
+++ b/trunk/perl-modules/core/trunk/OpenXPKI/Server/Init.pm
@@ -67,6 +67,7 @@ my @init_tasks = qw(
   crypto_layer
   pki_realm
   volatile_vault
+  transparent_encryption
   acl
   api
   pki_realm_by_cfg
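Review bot: `transparent_encryption` is inserted before `api` in `@init_tasks`, yet the delegates registered by `__do_init_transparent_encryption` call `CTX('api')` and `CTX('session')`. That only works because the callbacks run lazily at request time rather than during init; either move the task after `api` or add a comment stating that nothing in the init routine may invoke a delegate, so that a later eager call does not hit an uninitialised context.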
@@ -402,6 +403,214 @@ sub __do_init_volatile_vault {
    });
 }

+sub __do_init_transparent_encryption {
+    ##! 1: "init transparent encryption"
+
+    # FIXME: get rekeying policy from configuration?
+    my $key_management_policy = 'CERT';
+    my $tenc = OpenXPKI::Crypto::KeyManagement::TransparentEncryption->new(
+   {
+       KEYMANAGEMENT => $key_management_policy,
+       NAMEPACE_KEY_STORAGE => 'sys.datapool.keys',
+       NAMEPACE_KEY_MAPPING => 'sys.datapool.pwsafe',
+   });
+
+    # delegate implementations for accessing the datapool and for asymmetric
+    # encryption
+    $tenc->delegate(
+   {
+       GET_CURRENT_ASYMMETRIC_KEY_ID => {
+       ##! 1: 'start'
+       my $realm = CTX('session')->get_pki_realm();
+       my $cfg_id = CTX('api')->get_current_config_id();
+       
+       my @possible_safes = ();
+       my $pki_realm_cfg = CTX('pki_realm_by_cfg')->{$cfg_id}->{$realm}->{'password_safe'}->{'id'};
+       if (! defined $pki_realm_cfg || ref $pki_realm_cfg ne 'HASH') {
+           OpenXPKI::Exception->throw(
+           message => 'I18N_OPENXPKI_SERVER_API_OBJECT_GET_CURRENT_SAFE_ID_MISSING_PKI_REALM_CONFIG',
+           params  => {
+               CONFIG_ID => $cfg_id,
+               REALM     => $realm,
+           },
+           log => {
+               logger => CTX('log'),
+               priority => 'error',
+               facility => [ 'system', ],
+           },
+           );
+       }
+       
+       foreach my $key (keys %{ $pki_realm_cfg }) {
+           ##! 64: 'key: ' . $key
+           push @possible_safes, {
+           'id'        => $key,
+           'notbefore' => $pki_realm_cfg->{$key}->{notbefore},
+           'notafter'  => $pki_realm_cfg->{$key}->{notafter},
+           };
+       }
+       ##! 16: 'possible safes: ' . Dumper \@possible_safes
+       # sort safes by notbefore date (latest earliest)
+       my @sorted_safes = sort { DateTime->compare($b->{notbefore}, $a->{notbefore}) } @possible_safes;
+       ##! 16: 'sorted safes: ' . Dumper \@sorted_safes
+       
+       # find the topmost one that is available /now/
+       my $now = DateTime->now();
+       
+       ##! 16: 'now: ' . Dumper $now
+       my $current_safe = first
+       {  DateTime->compare($now, $_->{notbefore}) >= 0
+              && DateTime->compare($_->{notafter}, $now) > 0 } @sorted_safes;
+       if (! defined $current_safe) {
+           OpenXPKI::Exception->throw(
+           message => 'I18N_OPENXPKI_SERVER_INIT_CALLBACK_GET_CURRENT_SAFE_ID_NO_SAFE_AVAILABLE',
+           log => {
+               logger => CTX('log'),
+               priority => 'error',
+               facility => [ 'system', ],
+           },
+           );
+       }
+       ##! 16: 'current safe: ' . Dumper $current_safe
+       
+       return $current_safe->{id};
+       },
+
+       ENCRYPT_ASYMMETRICALLY => {
+       my $arg_ref = shift;
+       
+       my $keyid = $arg_ref->{KEYID};
+       my $data  = $arg_ref->{DATA};
+
+       my $cfg_id = CTX('api')->get_current_config_id();
+       my $realm = CTX('session')->get_pki_realm();
+
+       my $cert = CTX('pki_realm_by_cfg')->{$cfg_id}->{$realm}->{password_safe}->{id}->{$keyid}->{certificate};
+       
+       ##! 16: 'cert: ' . $cert
+       if (! defined $cert) {
+           OpenXPKI::Exception->throw(
+           message => 'I18N_OPENXPKI_SERVER_INIT_CALLBACK_ENCRYPT_ASYMMETRICALLY_CERT_NOT_AVAILABLE',
+           params  => {
+               PKI_REALM  => $realm,
+               KEY_ID     => $key,
+               CONFIG_ID  => $cfg_id,
+           },
+           log => {
+               logger => CTX('log'),
+               priority => 'error',
+               facility => [ 'system', ],
+           },
+           );
+       }
+       
+       ##! 16: 'asymmetric encryption via passwordsafe ' . $current_password_safe
+       my $token  = CTX('pki_realm_by_cfg')->{$cfg_id}->{$realm}->{crypto}->{default};
+       $value = $token->command(
+           {
+           COMMAND => 'pkcs7_encrypt',
+           CERT    => $cert,
+           CONTENT => $data,
+           });
+       return $value;
+       },
+
+       DECRYPT_ASYMMETRICALLY => {
+       my $arg_ref = shift;
+       
+       my $keyid = $arg_ref->{KEYID};
+       my $data  = $arg_ref->{DATA};
+
+       my $cfg_id = CTX('api')->get_current_config_id();
+       my $realm = CTX('session')->get_pki_realm();
+
+       my $safe_token = CTX('pki_realm_by_cfg')->{$cfg_id}->{$realm}->{password_safe}->{id}->{$keyid}->{crypto};
+       if (! defined $safe_token) {
+           OpenXPKI::Exception->throw(
+           message => 'I18N_OPENXPKI_SERVER_INIT_CALLBACK_DECRYPT_ASYMMETRICALLY_TOKEN_NOT_AVAILABLE',
+           params  => {
+               PKI_REALM  => $realm,
+               KEY_ID     => $keyid,
+               CONFIG_ID  => $cfg_id,
+           },
+           log => {
+               logger => CTX('log'),
+               priority => 'error',
+               facility => [ 'system', ],
+           },
+           );
+       }
+       ##! 16: 'asymmetric decryption via passwordsafe ' . $safe_id
+       eval {
+           $value = $safe_token->command(
+           {
+               COMMAND => 'pkcs7_decrypt',
+               PKCS7   => $value,
+           });
+       };
+       if (my $exc = OpenXPKI::Exception->caught()) {
+           if ($exc->message()
+           eq 'I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED') {
+           
+           OpenXPKI::Exception->throw(
+               message => 'I18N_OPENXPKI_SERVER_INIT_CALLBACK_DECRYPT_ASYMMETRICALLY_ENCRYPTION_KEY_UNAVAILABLE',
+               params  => {
+               PKI_REALM  => $realm,
+               KEY_ID     => $keyid,
+               CONFIG_ID  => $cfg_id,
+               },
+               log => {
+               logger => CTX('log'),
+               priority => 'error',
+               facility => [ 'system', ],
+               },
+               );
+           }
+           
+           $exc->rethrow();
+       }
+       return $value;
+       },
+       STORE_TUPLE => {
+       my $arg_ref = shift;
+
+       my $namespace = $arg_ref->{NAMESPACE};
+       my $key       = $arg_ref->{KEY};
+       my $data      = $arg_ref->{VALUE};
+
+       my $realm = CTX('session')->get_pki_realm();
+       return CTX('api')->set_data_pool_entry(
+           {
+           PKI_REALM => $realm,
+           NAMESPACE => $namespace,
+           KEY       => $key,
+           VALUE     => $data,
+           });
+       },
+       RETRIEVE_TUPLE => {
+       my $arg_ref = shift;
+
+       my $namespace = $arg_ref->{NAMESPACE};
+       my $key       = $arg_ref->{KEY};
+
+       my $realm = CTX('session')->get_pki_realm();
+       my $result = CTX('api')->get_data_pool_entry(
+           {
+           PKI_REALM => $realm,
+           NAMESPACE => $namespace,
+           KEY       => $key,
+           });
+       return unless defined $result;
+       return $result->{VALUE};
+       },
+   });
+    
+    OpenXPKI::Server::Context::setcontext(
+   {
+       transparent_encryption => $tenc,
+   });
+}
+
 sub __do_init_dbi_backend {
     ### init backend dbi...
     my $dbi = get_dbi(
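Review bot: in the `DECRYPT_ASYMMETRICALLY` delegate the command is built with `PKCS7   => $value,` but `$value` is never assigned there; the ciphertext arrives in `$data`, so decryption can never succeed. Further undeclared variables that will not pass `use strict`: `$key` in the `ENCRYPT_ASYMMETRICALLY` exception params (should be `$keyid`), `$current_password_safe` and `$safe_id` in the debug lines, and `$value` in both the encrypt and decrypt paths (needs `my`). The delegate entries are written as `NAME => { ... }`, which is not a code reference; each body needs `sub { ... }` for the callback table to work. `first` requires `use List::Util qw(first);`, and the constructor keys `NAMEPACE_KEY_STORAGE` / `NAMEPACE_KEY_MAPPING` look like typos for `NAMESPACE_...`; check them against the TransparentEncryption constructor before this goes beyond the "untested" state the issue gives it.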

Quickstart fails for Ubuntu 12.10

When following quickstart instructions on Ubuntu 12.10, the post-installation script for libopenxpki-perl fails:

Setting up libopenxpki-perl (20130227) ...
dpkg: error processing libopenxpki-perl (--configure):
subprocess installed post-installation script returned error exit status 127
Processing triggers for ureadahead ...
Errors were encountered while processing:
libopenxpki-perl
E: Sub-process /usr/bin/dpkg returned an error code (1)
A package failed to install. Trying to recover:
Setting up libopenxpki-perl (20130227) ...

Steps taken to duplicate error:

vagrant box add ubuntu-12-10-amd64 http://goo.gl/wxdwM
vagrant init ubuntu-12-10-amd64
vagrant up
vagrant ssh

following commands are executed in VM guest instance...

sudo su -
echo "deb http://packages.openxpki.org/ubuntu/ precise/binary/" >
/etc/apt/sources.list.d/openxpki.list
aptitude update
aptitude install mysql-server
aptitude install libopenxpki-perl

Revocation requests can be started for arbitrary certificates

It is currently possible to raise (and even approve) a revocation request for certificates not issued by the CAs responsible for the current realm.

However, the CRL generation code does "the right thing" - only certificates below the current CA are put on the CRL.
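The missing check described above, as an added example in Python that is not OpenXPKI code: before a revocation request is created or approved, walk the certificate's issuer links and accept the request only if they lead to one of the CAs belonging to the realm the request is made in. It assumes a certificate table that records each certificate's identifier and its issuer's identifier, and a per-realm set of CA identifiers; the store, the realm table and all identifiers are constructed.

```python
"""Guard revocation requests: only certificates issued under one of the
current realm's CAs may be revoked there. Added example, not OpenXPKI code;
store layout, realm table and identifiers are constructed."""

# Constructed store: certificate identifier -> identifier of its issuer.
CERT_STORE = {
    "root-a": "root-a",          # self-signed root of realm A
    "ca-a": "root-a",            # issuing CA of realm A
    "ee-a1": "ca-a",             # end-entity issued by realm A
    "root-b": "root-b",          # a second, unrelated hierarchy
    "ca-b": "root-b",
    "ee-b1": "ca-b",
    "orphan": "unknown-issuer",  # imported certificate whose issuer is not stored
    "loop-1": "loop-2",          # corrupt data: issuer links form a cycle
    "loop-2": "loop-1",
}

# Constructed realm table: which CA identifiers a realm is responsible for.
REALM_CAS = {
    "realm-a": {"root-a", "ca-a"},
    "realm-b": {"root-b", "ca-b"},
}


def chains_to_realm_ca(store: dict, identifier: str, realm_ca_ids: set,
                       max_depth: int = 10) -> bool:
    """Walk issuer links upward from identifier. True as soon as an issuer is
    one of the realm's CAs; False for an unknown issuer, a self-signed
    certificate reached without a match, a cycle, or an overly long chain."""
    seen = set()
    current = identifier
    for _ in range(max_depth):
        issuer = store.get(current)
        if issuer is None or issuer == current or issuer in seen:
            return False
        if issuer in realm_ca_ids:
            return True
        seen.add(current)
        current = issuer
    return False


def check_revocation_request(identifier: str, realm: str) -> tuple:
    """Decision used both when a request is raised and when it is approved.
    Returns (allowed, reason)."""
    if identifier not in CERT_STORE:
        return False, "certificate unknown"
    if realm not in REALM_CAS:
        return False, "realm unknown"
    if not chains_to_realm_ca(CERT_STORE, identifier, REALM_CAS[realm]):
        return False, f"not issued by a CA of {realm}"
    return True, "ok"


if __name__ == "__main__":
    for cert_id, realm in [("ee-a1", "realm-a"), ("ee-b1", "realm-a"),
                           ("orphan", "realm-a"), ("loop-1", "realm-a")]:
        print(cert_id, realm, check_revocation_request(cert_id, realm))
```

Applying the same function at approval time as well as at request time matters because the issue notes that such requests could already be approved; the CRL generation then stays the last line of defence rather than the only one.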

Session initiation problem on aborted login

If the server has an internal problem when handling the mason login, you get stuck in a "session init" as the client tries to init a session that already exists:

I18N_OPENXPKI_CLIENT_INIT_SESSION_FAILED; MESSAGE_FROM_SERVER => $VAR1 = { 'LIST' => [ { 'LABEL' => 'I18N_OPENXPKI_SERVER_CONTEXT_SETCONTEXT_ALREADY_DEFINED', 'PARAMS' => { 'NAME' => 'session' } } ], 'SERVICE_MSG' => 'ERROR' };

server crashes when downloading private key

Create server side key and try to download:

Can't call method "send_receive_command_msg" on an undefined value at /var/www/openxpki/binary/get_privkey.html line 41.\t\tStack: [/var/www/openxpki/binary/get_privkey.html:41], [/var/www/openxpki/binary/autohandler:1], [/var/www/openxpki/syshandler:4]\n, referer: http://192.168.168.103/openxpki/service/api/get_privkey_password.html?identifier=mSjPIti7SiduPIgTpEzpw9UPbvY;format=PKCS12;__menu_level=0;__menu_action=;__role=User

mysql_bind_type_guessing broken

The mysql driver sets "mysql_bind_type_guessing => 1"

There was a bug http://bugs.mysql.com/bug.php?id=46786 which should be fixed, but inside OXI the bug is still effective. A standalone script does NOT trigger the bug.

The problem arose when I tried to update a datapool entry with a dp_key of "e4711":
update datapool set datapool_value = ?, encryption_key = ?, last_update = ? where datapool_key = ? and namespace = ? and pki_realm = ?'

Workflow ACL and Config Version

When re-fetching an existing workflow from a former config state, the acl rules are evaluated before the config is switched to the original state.
Should this be changed (use the acl which was active when creating the workflow)?

create openssl.cnf for initial certificates

The quickstart howto creates three individual self-signed certs with CA flags set for Signer, Vault and SCEP.
Quickstart should include a config file to create at least non-ca certs for the services.

SCPers: Handle change of employee data

SCPers workflow uses the datapool to monitor if a user changes his name or email.

The sc_analyze function internally sets the flag $employee_data_has_changed if a change occurred but does not react on the flag while checking the certificates.
Expected behaviour: assume certificates that do not match the new info as invalid and create new ones.

Code reorganization

Get rid of the trunk directories sprinkled in the code tree and reorganize the directory structure.

Suggestion:

git mv trunk/.VERSION* .
git mv trunk/LICENSE .
git mv trunk/clients .
mkdir -p core/server
git mv trunk/i18n/ core/
git mv trunk/package/ .
git mv trunk/deployment/ core/
git mv trunk/perl-modules/core/trunk/* core/server/
git mv trunk/create_javakeystore/ tools/
git mv trunk/qatest/ .
git mv trunk/docs/architecture/whitepapers/OpenXPKI-Architecture-Overview.pdf doc/attic/

and finally:
rm -rf trunk/

(finally review package build scripts and adapt paths if necessary)

EvaluateChallenge in SCEP

Needs definition and implementation, should follow #64
Fix in OpenXPKI::Server::Workflow::Activity::SCEPv2::EvaluateChallenge

Improve Authentication::Password handler

imho the user list should not be inside the realm config but pulled in by a simple connector.
A tool (openxpkiadm?) to create the salted sha1 hashes might be useful.

Documentation

Write documentation, mostly on the new configuration layer, describing the available configuration settings.

openxpkicmd: comma in value of --param option not supported

When passing a workflow parameter using the --param option of openxpkicmd, the value must not contain a comma because this is the delimiter for multiple key/value pairs. An example:

openxpkicmd --param issuer="emailAddress=openxpki.openxpki.org,CN=test.openxpki.org" ...

If support for this is desired, we need to come up with either an encoding for the input params (e.g. json) or have a flag that disables splitting the input values.
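The two options named above (an encoding such as JSON, or a flag that disables splitting) side by side with the current comma-splitting behaviour, as an added example in Python that is not openxpkicmd's code. It assumes the splitting rule exactly as the issue describes it; the option name --param-format and the three parser names are assumptions made for the demonstration.

```python
"""Three ways to read openxpkicmd-style --param values. Added example, not
openxpkicmd's code; the --param-format option and parser names are assumed."""
import argparse
import json


def parse_split(raw: str) -> dict:
    """Behaviour described in the issue: ',' separates key=value pairs, so a
    comma inside a value silently starts a new key."""
    params = {}
    for pair in raw.split(","):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {pair!r}")
        params[key] = value
    return params


def parse_nosplit(raw: str) -> dict:
    """Proposed flag: the whole text after the first '=' is the value."""
    key, sep, value = raw.partition("=")
    if not sep:
        raise ValueError(f"expected key=value, got {raw!r}")
    return {key: value}


def parse_json(raw: str) -> dict:
    """Proposed encoding: one JSON object of string values per --param."""
    obj = json.loads(raw)
    if not isinstance(obj, dict) or not all(isinstance(v, str) for v in obj.values()):
        raise ValueError("--param JSON must be an object whose values are strings")
    return obj


PARSERS = {"split": parse_split, "nosplit": parse_nosplit, "json": parse_json}


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="openxpkicmd-param-demo")
    parser.add_argument("--param", action="append", default=[],
                        help="workflow parameter(s); may be given more than once")
    parser.add_argument("--param-format", choices=sorted(PARSERS), default="split",
                        help="how each --param value is interpreted")
    return parser


def collect_params(argv: list) -> dict:
    """Parse argv and merge every --param into one parameter dict."""
    ns = build_parser().parse_args(argv)
    parse = PARSERS[ns.param_format]
    params = {}
    for raw in ns.param:
        params.update(parse(raw))
    return params


if __name__ == "__main__":
    issuer = "emailAddress=openxpki.openxpki.org,CN=test.openxpki.org"
    print(collect_params(["--param", "issuer=" + issuer]))
    print(collect_params(["--param-format", "nosplit", "--param", "issuer=" + issuer]))
    print(collect_params(["--param-format", "json", "--param", json.dumps({"issuer": issuer})]))
```

With the default format the issuer from the issue's example does not fail loudly: it is split into an `issuer` parameter holding only the emailAddress part plus an unintended `CN` parameter, which is why a mode that never splits on user data is preferable to documenting the limitation.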
