apple/security.git (Security-57031.30.12.tar.gz): SecurityTests/clxutils/dotMacTool/README
dotMacTool notes May 4 2004

-- for now you need this in /etc/hosts (one entry or the other, not both: the
   resolver uses the first line that matches the name, so a leftover entry
   above the new one silently wins):

# for INT2
17.207.20.182 int-cert certmgmt.mac.com certinfo.mac.com

# or, for INT1
17.207.43.109 qa-cert certmgmt.mac.com certinfo.mac.com

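Switching between INT1 and INT2 means editing the same two hostnames in /etc/hosts, and a stale line left above the new one is the one the resolver picks. The script below is an added example, not part of dotMacTool or the Security project: it rewrites the override as a single line for the chosen environment and shows which address the resolver would use. The function names (dotmac_hosts_set, dotmac_hosts_lookup) are made up here; the addresses and aliases are the ones listed above; the hosts file path is a parameter so the demo at the bottom runs on a constructed scratch copy rather than on /etc/hosts.

```sh
#!/bin/sh
# Added example, not dotMacTool code. Manages the certmgmt.mac.com / certinfo.mac.com
# override in a hosts file. FILE is a parameter so this can be exercised on a scratch
# copy; for real use point it at /etc/hosts (as root).

DOTMAC_HOSTNAMES="certmgmt.mac.com certinfo.mac.com"

# Print the address a hosts-file lookup of HOST in FILE yields: the first line whose
# name list contains HOST wins, which is why a duplicate entry lower down is ignored.
dotmac_hosts_lookup() {
    file=$1; host=$2
    awk -v h="$host" '
        /^[ \t]*#/ || NF < 2 { next }          # skip comments and blank lines
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
    ' "$file"
}

# Replace every existing override for the dotMac hostnames in FILE with one line
# "IP ALIAS certmgmt.mac.com certinfo.mac.com" for ENV (INT1 or INT2).
# Addresses/aliases are the May 2004 ones from the notes above (assumed current).
dotmac_hosts_set() {
    file=$1; envname=$2
    case $envname in
        INT2) ip=17.207.20.182; hostalias=int-cert ;;
        INT1) ip=17.207.43.109; hostalias=qa-cert ;;
        *) echo "unknown environment: $envname" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    # drop the "# for INTn" markers and any line that maps one of the dotMac names,
    # then append the selected environment; "cat > FILE" keeps FILE's owner and mode
    awk '
        /^# (or, )?for INT[0-9]/ { next }
        {
            keep = 1
            for (i = 2; i <= NF; i++)
                if ($i == "certmgmt.mac.com" || $i == "certinfo.mac.com") keep = 0
        }
        keep
    ' "$file" > "$tmp" \
      && printf '# for %s\n%s %s %s\n' "$envname" "$ip" "$hostalias" "$DOTMAC_HOSTNAMES" >> "$tmp" \
      && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demonstration on a constructed scratch copy that carries both entries from the
# notes (the mistake the script is meant to clean up). Never run this on /etc/hosts.
demo=$(mktemp)
printf '%s\n' \
    '127.0.0.1 localhost' \
    '# for INT2' \
    '17.207.20.182 int-cert certmgmt.mac.com certinfo.mac.com' \
    '# or, for INT1' \
    '17.207.43.109 qa-cert certmgmt.mac.com certinfo.mac.com' > "$demo"
echo "before: certmgmt.mac.com -> $(dotmac_hosts_lookup "$demo" certmgmt.mac.com)"   # 17.207.20.182, first line wins
dotmac_hosts_set "$demo" INT1
echo "after:  certmgmt.mac.com -> $(dotmac_hosts_lookup "$demo" certmgmt.mac.com)"   # 17.207.43.109
rm -f "$demo"
```

To apply it for real, run dotmac_hosts_set /etc/hosts INT1 as root. The Aug 10 notes further down use a different INT1 address (17.207.20.58 int1-idiskng), so edit the case table to match whichever server build you are pointing at.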
-- A good way to run tcpdump to show HTTP traffic on port 2150 (the TP talks
   plain HTTP to certmgmt/certinfo on 2150, so -A shows the request and
   response bodies in the clear):

tcpdump -i en0 -s 0 -A -q tcp port 2150

-- renew cert for existing account doug1 with password 123456:

tower.local:dotMacTool> dotMacTool g -g -u doug1 -Z 123456 -k foobar -r -o /tmp/c2.pem
<<<snip away debug logging>>>
...cert acquisition complete
...2496 bytes of Cert written to /tmp/c2.pem

==============================================

-- demo queued response and retrieval
-- set FORCE_SUCCESS_QUEUED to 1 in dotMacTpRpcGlue.cpp; this turns a full
   success RPC into a successQueued RPC, so the tool gets back a reference ID
   instead of the cert

tower.local:dotMacTool> dotMacTool g -g -u doug1 -Z 123456 -k foobar -r -o /tmp/refid.pem
<<<snip away debug logging>>>
...Forcing REQ_QUEUED status
...cert acquisition complete
...105 bytes of Cert written to /tmp/refid.pem

...then look it up with the reference ID....

tower.local:dotMacTool> dotMacTool l -f /tmp/refid.pem -o /tmp/cert.pem
<<<snip away debug logging>>>
...cert retrieval complete
...10010 bytes of cert data written to /tmp/cert.pem

==============================================

TO DO
-----

-- DOT_MAC_LOOKUP_ID_PATH* consts in dotMacTp.h will change to allow lookup of one
   specific cert
-- DOT_MAC_SIGN_HOST_NAME and DOT_MAC_LOOKUP_HOST will change to avoid port 2150

..........

Aug 10 testing

-- use INT1 environment

# in /etc/hosts:
17.207.20.58 int1-idiskng certmgmt.mac.com certinfo.mac.com

-- lookup via http://certinfo.mac.com:2150/lookup
-- request via certmgmt.mac.com

-- provision http://17.207.20.58:2150/_provision/Public/account
-- account dmitch4 pwd password
-- signed up for IDEN

# note: the user name no longer takes the @mac.com suffix
% dotMacTool g -g -u dmitch4 -Z password -k foobar -o /tmp/refid -H certmgmt.mac.com:2150
...Forcing REQ_QUEUED status
...Cert request QUEUED
...77 bytes of RefId written to /tmp/refid

# note: we can't specify an alternate host for lookup; have to use the !NDEBUG config of the .mac TP
% dotMacTool l -f /tmp/refid -k foobar

-- account dmitch5 pwd password
-- signed up for EMAIL SIGN

% dotMacRequest s -u dmitch5 -Z password -k foobar -H certmgmt.mac.com:2150 -a
-- request had method sign.email
-- response had FailedNotSupportedForAccount

# try again with ID cert, it works
% dotMacRequest i -u dmitch5 -Z password -k foobar -H certmgmt.mac.com:2150 -a

# get result, nothing in prefs - yep, OK, we ran async

-- dmitch6 password, async, OK
-- dmitch7, password
...
dmitch10 pwd password

% dotMacRequest i -u dmitch10 -Z password -k foobar -H certmgmt.mac.com:2150
...works!

dmitch11 password

1/10/05

name dmitch_int2 pwd "password"

% dotMacTool g -g -u dmitch_int2 -Z password -k newDotMac.keychain -o /tmp/refid
...worked

name dmitch_new pwd password, got a cert
name dmitch_new2 pwd password
105 name dmitch_new pwd password, got a cert
106 name dmitch_new2 pwd password
107