When an externalReg operation is interrupted (network drop, etc.), registration results in an 'err=7' and all certificates are deleted from the token, leaving the token useless.
Steps to Reproduce:
1. Enroll certificates on smart card
2. Configure user entry for externalReg to recover certs/keys to token
3. Start externalReg operation
4. Force failure during operation
Actual results:
Certificates are deleted from token
Expected results:
Existing certificates remain on token
Additional info:
This behavior was a part of the agreed-upon design (http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS) but may pose issues in hindsight.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1262411 (Red Hat Certificate System)
We should ensure that we attempt to do everything possible that requires remote communication before we remove the existing certificates off the token. This way, if remote communication fails we can bail out without affecting the token.
Moving to 10.3.2.
I believe I've already taken steps to re-arrange the code in dogtag to reach out for the certs and keys first, and then try to write them all to the token at the end.
Will take this as an action item to take another pass, do some testing to make sure we are doing all we can.
We believe that the window when this problem can happen has been made as small as possible, but at some point when enrolling certificates we have to either generate or import keys down into the applet. If something fails after the keys are written, the token can be out of sync since it will have new keys and the old certs on there. Libcoolkey from that point will not know what to do, rightly so, and report nothing on the token.
We have minimized this in the various cert recovery situations, where we make sure all the proper certs and keys are recoverable before hitting the token with keys.
Therefore we can close this. The issue can be revisited later if needed.
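The two orderings discussed in this thread (erase-then-fetch, which the ticket reports, versus fetch-everything-then-write, which the comments describe as the fix) and the residual window that remains once keys are on the applet, as an added illustration. This is not Dogtag PKI or TPS code: `Token`, `RemoteError`, `AppletError`, `naive_recover`, `staged_recover` and the `fetch_*` callables are hypothetical names, the token is an in-memory stand-in for the applet, and the sample cert/key blobs are constructed.

```python
# Added illustration, not Dogtag PKI code: two orderings of a recovery that
# pulls certs/keys from a remote CA/KRA and writes them to a token. All
# names here are hypothetical; the Token class stands in for the applet.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


class RemoteError(Exception):
    """A CA/KRA request failed (network drop, timeout, bad response)."""


class AppletError(Exception):
    """An applet write failed after the token had already been modified."""


@dataclass
class Token:
    certs: Dict[str, bytes] = field(default_factory=dict)
    keys: Dict[str, bytes] = field(default_factory=dict)
    fail_cert_writes: bool = False  # constructed fault injection for the demo

    def erase(self) -> None:
        self.certs.clear()
        self.keys.clear()

    def write_key(self, label: str, key: bytes) -> None:
        self.keys[label] = key

    def write_cert(self, label: str, cert: bytes) -> None:
        if self.fail_cert_writes:
            raise AppletError(f"cert write for {label!r} failed")
        self.certs[label] = cert

    def is_consistent(self) -> bool:
        # Middleware can only use a cert whose private key is present (and
        # vice versa); mismatched sets read as "nothing on the token".
        return set(self.certs) == set(self.keys)


Fetch = Callable[[str], bytes]


def naive_recover(token: Token, labels: List[str],
                  fetch_cert: Fetch, fetch_key: Fetch) -> None:
    """The ordering the ticket reports: erase first, then talk to the
    CA/KRA. A remote failure leaves the token with nothing usable."""
    token.erase()
    for label in labels:
        token.write_key(label, fetch_key(label))
        token.write_cert(label, fetch_cert(label))


def staged_recover(token: Token, labels: List[str],
                   fetch_cert: Fetch, fetch_key: Fetch) -> None:
    """Finish every remote call before touching the token. A remote
    failure propagates from phase 1 with the token untouched."""
    staged: List[Tuple[str, bytes, bytes]] = []
    for label in labels:  # phase 1: remote traffic only, no token writes
        staged.append((label, fetch_key(label), fetch_cert(label)))

    # Phase 2: the residual window. From the first write on, an applet
    # failure can leave new keys beside missing certs; ordering the remote
    # calls earlier shrinks the window but cannot remove it.
    token.erase()
    for label, key, _cert in staged:
        token.write_key(label, key)
    for label, _key, cert in staged:
        token.write_cert(label, cert)


def make_token() -> Token:
    """Constructed sample: one previously enrolled signing cert/key pair."""
    return Token(certs={"signing": b"CERT-old"}, keys={"signing": b"KEY-old"})


def ok_cert(label: str) -> bytes:
    return f"CERT-{label}".encode()


def ok_key(label: str) -> bytes:
    return f"KEY-{label}".encode()


def dead_network(label: str) -> bytes:
    raise RemoteError("connection reset while talking to the CA")


def demo_remote_failure() -> Dict[str, bool]:
    """Run both orderings against a dropped connection during the cert
    fetch; report whether the old cert survived on the token."""
    results: Dict[str, bool] = {}
    for name, recover in (("naive", naive_recover), ("staged", staged_recover)):
        token = make_token()
        try:
            recover(token, ["signing", "encryption"], dead_network, ok_key)
        except RemoteError:
            pass
        results[name] = token.certs.get("signing") == b"CERT-old"
    return results


def demo_applet_failure() -> bool:
    """Residual window: remote calls succeed, cert write to the applet
    fails after the keys are already written. Returns token consistency."""
    token = make_token()
    token.fail_cert_writes = True
    try:
        staged_recover(token, ["signing"], ok_cert, ok_key)
    except AppletError:
        pass
    return token.is_consistent()


if __name__ == "__main__":
    print(demo_remote_failure())   # naive loses the old cert, staged keeps it
    print(demo_applet_failure())   # False: new key, no cert, token out of sync
```

The point the thread makes falls out of the two demos: with `staged_recover` a failure in the remote phase leaves the old material in place, while a failure during the applet writes still produces the key/cert mismatch that makes libcoolkey report an empty token, so that second phase is the part worth keeping as short and as well tested as possible.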
Metadata Update from @dsirrine: - Issue assigned to jmagne - Issue set to the milestone: 10.3.3
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2225
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.