#42 Hide PIN in getcert output
Closed: Fixed None Opened 4 years ago by jcholast.

The PIN is sensitive information and should not be shown in plain like this:

Request ID '20150511122924':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='791848156812'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
    subject: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
    expires: 2035-05-11 12:28:33 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes

Are you suggesting only suppressing it from the output in "getcert list", or disabling the API for fetching it and/or removing the property as well?

In default configuration you must be root to access certmonger's DBus inteface (https://git.fedorahosted.org/cgit/certmonger.git/tree/dbus/certmonger.conf.in). Is there a reason to hide the pin from root?

Rob pointed out that a lot of people at freeipa-users forget to remove their PINs when posting getcert output, and I think it's generally a good practice not to show sensitive information by default.

I wasn't able to locate the offending line because nalin has fixed the code yesterday. The code has't changed in the last two years. Therefore backport is trivial.


Metadata Update from @dkupka:
- Issue set to the milestone: 0.77.4

3 years ago

Login to comment on this ticket.