Renaming the opetion ops-flag and ops-flag-mask

The option are renamed to be more coherent with their meaning as:
- op-flags
- op-flags-mask

.github/workflows/ca-hsm-operation-test.yml

@@ -84,7 +84,7 @@ jobs:
               -D pki_audit_signing_token=HSM \
               -D pki_subsystem_token=HSM \
               -D pki_sslserver_token=internal \
-              -D pki_ca_signing_opsFlagMask=sign \
+              -D pki_ca_signing_opFlagsMask=sign \
               -v
         continue-on-error: true
         id: hsm_no_sign
@@ -108,8 +108,8 @@ jobs:
               -D pki_audit_signing_token=HSM \
               -D pki_subsystem_token=HSM \
               -D pki_sslserver_token=internal \
-              -D pki_ca_signing_opsFlag=sign \
-              -D pki_ca_signing_opsFlagMask=sign \
+              -D pki_ca_signing_opFlags=sign \
+              -D pki_ca_signing_opFlagsMask=sign \
               -v
 
       - name: Gather artifacts

base/common/python/pki/nssdb.py

@@ -646,8 +646,8 @@ def create_key(
             key_wrap=False,
             curve=None,
             ssl_ecdh=False,
-            ops_flag=None,
-            ops_flag_mask=None):
+            op_flags=None,
+            op_flags_mask=None):
 
         cmd = [
             'pki',
@@ -688,11 +688,11 @@ def create_key(
         if ssl_ecdh:
             cmd.append('--ssl-ecdh')
 
-        if ops_flag:
-            cmd.extend(['--ops-flag', ops_flag])
+        if op_flags:
+            cmd.extend(['--op-flags', op_flags])
 
-        if ops_flag_mask:
-            cmd.extend(['--ops-flag-mask', ops_flag_mask])
+        if op_flags_mask:
+            cmd.extend(['--op-flags-mask', op_flags_mask])
 
         if logger.isEnabledFor(logging.DEBUG):
             cmd.append('--debug')

base/server/etc/default.cfg

@@ -56,8 +56,8 @@ pki_audit_signing_key_size=2048
 pki_audit_signing_key_type=rsa
 pki_audit_signing_signing_algorithm=SHA256withRSA
 pki_audit_signing_token=
-pki_audit_signing_opsFlag=
-pki_audit_signing_opsFlagMask=
+pki_audit_signing_opFlags=
+pki_audit_signing_opFlagsMask=
 
 pki_backup_keys=False
 pki_backup_file=
@@ -125,8 +125,8 @@ pki_sslserver_key_type=%(pki_ssl_server_key_type)s
 pki_sslserver_nickname=%(pki_ssl_server_nickname)s
 pki_sslserver_subject_dn=%(pki_ssl_server_subject_dn)s
 pki_sslserver_token=%(pki_ssl_server_token)s
-pki_sslserver_opsFlag=
-pki_sslserver_opsFlagMask=
+pki_sslserver_opFlags=
+pki_sslserver_opFlagsMask=
 
 pki_self_signed_nickname=temp %(pki_sslserver_nickname)s
 pki_self_signed_token=
@@ -138,8 +138,8 @@ pki_subsystem_key_type=rsa
 pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
 pki_subsystem_subject_dn=cn=Subsystem Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_subsystem_token=
-pki_subsystem_opsFlag=
-pki_subsystem_opsFlagMask=
+pki_subsystem_opFlags=
+pki_subsystem_opFlagsMask=
 
 #Set this if we want to use PSS signing when RSA is specified
 pki_use_pss_rsa_signing_algorithm=False
@@ -276,8 +276,8 @@ pki_ca_signing_serial_number=1
 pki_ca_signing_signing_algorithm=SHA256withRSA
 pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ca_signing_token=
-pki_ca_signing_opsFlag=
-pki_ca_signing_opsFlagMask=
+pki_ca_signing_opFlags=
+pki_ca_signing_opFlagsMask=
 
 # DEPRECATED: Use 'pki_ca_signing_csr_path' instead.
 pki_external_csr_path=
@@ -313,8 +313,8 @@ pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
 pki_ocsp_signing_signing_algorithm=SHA256withRSA
 pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ocsp_signing_token=
-pki_ocsp_signing_opsFlag=
-pki_ocsp_signing_opsFlagMask=
+pki_ocsp_signing_opFlags=
+pki_ocsp_signing_opFlagsMask=
 
 pki_profiles_in_ldap=False
 pki_random_serial_numbers_enable=False
@@ -421,8 +421,8 @@ pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
 pki_storage_signing_algorithm=SHA256withRSA
 pki_storage_subject_dn=cn=DRM Storage Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_storage_token=
-pki_storage_opsFlag=
-pki_storage_opsFlagMask=
+pki_storage_opFlags=
+pki_storage_opFlagsMask=
 
 pki_transport_key_algorithm=SHA256withRSA
 pki_transport_key_size=2048
@@ -431,8 +431,8 @@ pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
 pki_transport_signing_algorithm=SHA256withRSA
 pki_transport_subject_dn=cn=DRM Transport Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_transport_token=
-pki_transport_opsFlag=
-pki_transport_opsFlagMask=
+pki_transport_opFlags=
+pki_transport_opFlagsMask=
 
 pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
 pki_admin_name=%(pki_admin_uid)s
@@ -518,8 +518,8 @@ pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
 pki_ocsp_signing_signing_algorithm=SHA256withRSA
 pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
 pki_ocsp_signing_token=
-pki_ocsp_signing_opsFlag=
-pki_ocsp_signing_opsFlagMask=
+pki_ocsp_signing_opFlags=
+pki_ocsp_signing_opFlagsMask=
 
 pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
 pki_admin_name=%(pki_admin_uid)s

base/server/python/pki/server/deployment/__init__.py

@@ -2839,8 +2839,8 @@ def create_system_cert_info(self, subsystem, tag):
         system_cert.nickname = self.mdict['pki_%s_nickname' % cert_id]
         system_cert.subjectDN = self.mdict['pki_%s_subject_dn' % cert_id]
         system_cert.token = self.mdict['pki_%s_token' % cert_id]
-        system_cert.ops_flag = self.mdict['pki_%s_opsFlag' % cert_id]
-        system_cert.ops_flag_mask = self.mdict['pki_%s_opsFlagMask' % cert_id]
+        system_cert.op_flags = self.mdict['pki_%s_opFlags' % cert_id]
+        system_cert.op_flags_mask = self.mdict['pki_%s_opFlagsMask' % cert_id]
 
         if not system_cert.token:
             if config.str2bool(self.mdict['pki_hsm_enable']):
@@ -2973,8 +2973,8 @@ def create_cert_key(self, tag, request):
 
         token = request.systemCert.token
         key_type = request.systemCert.keyType
-        ops_flag = request.systemCert.ops_flag
-        ops_flag_mask = request.systemCert.ops_flag_mask
+        op_flags = request.systemCert.op_flags
+        op_flags_mask = request.systemCert.op_flags_mask
         key_size = None
         key_wrap = False
         curve = None
@@ -3000,8 +3000,8 @@ def create_cert_key(self, tag, request):
                 key_wrap=key_wrap,
                 curve=curve,
                 ssl_ecdh=ssl_ecdh,
-                ops_flag=ops_flag,
-                ops_flag_mask=ops_flag_mask)
+                op_flags=op_flags,
+                op_flags_mask=op_flags_mask)
         finally:
             nssdb.close()
 

base/tools/src/main/java/com/netscape/cmstools/nss/NSSKeyCreateCLI.java

@@ -86,11 +86,11 @@ public void createOptions() {
         option.setArgName("boolean");
         options.addOption(option);
 
-        option = new Option(null, "ops-flag", true, "Custom flags for key usage (empty for HSM default)");
+        option = new Option(null, "op-flags", true, "Custom flags for key usage");
         option.setArgName("usage list");
         options.addOption(option);
 
-        option = new Option(null, "ops-flag-mask", true, "Custom flags mask for key usage (empty for HSM default)");
+        option = new Option(null, "op-flags-mask", true, "Custom flags mask for key usage");
         option.setArgName("usage list");
         options.addOption(option);
 
@@ -137,8 +137,8 @@ public void execute(CommandLine cmd) throws Exception {
             extractable = Boolean.valueOf(extractableStr);
         }
 
-        String opsFlag = cmd.getOptionValue("ops-flag");
-        String opsFlagMask = cmd.getOptionValue("ops-flag-mask");
+        String opFlags = cmd.getOptionValue("op-flags");
+        String opFlagsMask = cmd.getOptionValue("op-flags-mask");
 
         MainCLI mainCLI = (MainCLI) getRoot();
         mainCLI.init();
@@ -157,13 +157,13 @@ public void execute(CommandLine cmd) throws Exception {
 
         if ("RSA".equalsIgnoreCase(keyType)) {
             if (keySize == null) keySize = "2048";
-            if (opsFlag != null && !opsFlag.isEmpty()) {
-                usages = CryptoUtil.generateUsage(opsFlag);
+            if (opFlags != null && !opFlags.isEmpty()) {
+                usages = CryptoUtil.generateUsage(opFlags);
             } else {
                 usages = keyWrap ? CryptoUtil.RSA_KEYPAIR_USAGES : null;
             }
-            if (opsFlagMask != null && !opsFlagMask.isEmpty()) {
-                usagesMask = CryptoUtil.generateUsage(opsFlagMask);
+            if (opFlagsMask != null && !opFlagsMask.isEmpty()) {
+                usagesMask = CryptoUtil.generateUsage(opFlagsMask);
             } else {
                 usagesMask = keyWrap ? CryptoUtil.RSA_KEYPAIR_USAGES_MASK : null;
             }
@@ -185,11 +185,11 @@ public void execute(CommandLine cmd) throws Exception {
             keyInfo.setAlgorithm(privateKey.getAlgorithm());
 
         } else if ("EC".equalsIgnoreCase(keyType)) {
-            if (opsFlag != null && !opsFlag.isEmpty()) {
-                usages = CryptoUtil.generateUsage(opsFlagMask);
+            if (opFlags != null && !opFlags.isEmpty()) {
+                usages = CryptoUtil.generateUsage(opFlagsMask);
             }
-            if (opsFlagMask != null && !opsFlagMask.isEmpty()) {
-                usagesMask = CryptoUtil.generateUsage(opsFlagMask);
+            if (opFlagsMask != null && !opFlagsMask.isEmpty()) {
+                usagesMask = CryptoUtil.generateUsage(opFlagsMask);
             } else {
                 usagesMask = sslECDH ? CryptoUtil.ECDH_USAGES_MASK : CryptoUtil.ECDHE_USAGES_MASK;
             }

docs/changes/v11.5.0/Server-Changes.adoc

@@ -56,11 +56,11 @@ To install a new KRA with the legacy sequential serial numbers specify the follo
 * `pki_request_id_generator=legacy`
 
 
-== Add pki_<cert_id>_opsFlag and pki_<cert_id>_opsFlagMask parameters ==
+== Add pki_<cert_id>_opFlags and pki_<cert_id>_opFlagsMask parameters ==
 
 Two new parameters are added to pkispawn configuration for setting the key flags in HSM.
 The new parameters are available for all certificates created during the subsystem installation
-and their value is a comma separated list of the following flags: encrypt, decrypt, sign,
-sign_recover, verify, verify_recover, wrap, unwrap and derive. The first parameter add flags to
-the list identified by underneath module while the second remove them.
+and their value is a comma separated list of the following flags: `encrypt`, `decrypt`, `sign`,
+`sign_recover`, `verify`, `verify_recover`, `wrap`, `unwrap` and `derive`. The first parameter add
+flags to the list identified by underneath module while the second remove them.
 Default values are empty lists to get the HSM default key flags.

docs/changes/v11.5.0/Tools-Changes.adoc

@@ -59,7 +59,7 @@ The `pki-server status` command has been updated to no longer show
 whether a subsystem is a new subsystem or a clone since there is no
 distinction between them.
 
-== New ops-flag and ops-flag-mask options for pki nss-key-create CLI ==
+== New op-flags and op-flags-mask options for pki nss-key-create CLI ==
 
-The `pki nss-key-create` command has been modified to support the option `--ops-flag` and `--ops-flag-mask`
+The `pki nss-key-create` command has been modified to support the option `--op-flags` and `--op-flags-mask`
 to specify a list of flags or masks to set for the new key.