#1666 [BUG] Failed externalReg operation removes existing certificates off of card and unable to recover certs back to card.
Closed: Fixed None Opened 9 years ago by dsirrine.

When an externalReg operation is interrupted (network drop, etc.) registration
results in an 'err=7' and all certificates are deleted from the token, leaving
the token useless.

Steps to Reproduce:

1. Enroll certificates on smart card
2. Configure user entry for externalReg to recover certs/keys to token
3. Start externalReg operation
4. Force failure during operation

Actual results:

Certificates are deleted from token

Expected results:

Existing certificates remain on token

Additional info:

This behavior was a part of the agreed upon design (http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS) but may pose issues in hindsight.

We should ensure that we attempt to do everything possible that requires remote communication before we remove the existing certificates off of the token. This way, if remote communication fails we can bail out without affecting the token.

Moving to 10.3.2.

I believe I've already taken steps to re-arrange the code in dogtag to reach out for the certs and keys first, and then try to write them all to the token at the end.

Will take this as an action item to take another pass, do some testing to make sure we are doing all we can.

We believe that the window when this problem can happen has been made as small as possible, but at some point when enrolling certificates we have to either generate or import keys down into the applet. If the keys are written and something fails after this, the token can be out of sync since it will have new keys and the old certs on there. Libcoolkey from that point will not know what to do, rightly so, and report nothing on the token.

We have minimized this in the various cert recovery situations, where we make sure all the proper certs and keys are recoverable before hitting the token with keys.

Therefore we can close this. The issue can be revisited later if needed.
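The ordering discussed in the comments above (do every operation that needs the remote side before removing anything from the token, and note the residual window once keys have been imported but certs not yet written), as an added illustration that is not Dogtag TPS code. The RemoteStore and Token classes, the credential records and the function names are constructed stand-ins chosen for this example.

```python
"""Ordering of remote fetches vs. token writes during an externalReg-style recovery.

Added illustration for this ticket, not Dogtag code: RemoteStore, Token and
Credential are constructed stand-ins, and the function names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Optional


class RemoteError(Exception):
    """Stands in for a failed CA/KRA round trip (network drop, err=7, ...)."""


@dataclass
class Credential:
    key_id: str
    private_key: bytes
    cert: bytes


class RemoteStore:
    """Stand-in for the CA/KRA; fail_after=N makes every call after the Nth raise."""

    def __init__(self, creds, fail_after=None):
        self._creds = {c.key_id: c for c in creds}
        self._fail_after = fail_after
        self._calls = 0

    def recover(self, key_id):
        self._calls += 1
        if self._fail_after is not None and self._calls > self._fail_after:
            raise RemoteError(f"network drop while recovering {key_id}")
        return self._creds[key_id]


@dataclass
class Token:
    """Minimal card model: keys and certs stored by id, written one object at a time."""
    keys: dict = field(default_factory=dict)
    certs: dict = field(default_factory=dict)
    fail_cert_write_for: Optional[str] = None  # simulate an applet failure mid-write

    def clear(self):
        self.keys.clear()
        self.certs.clear()

    def import_key(self, cred):
        self.keys[cred.key_id] = cred.private_key

    def write_cert(self, cred):
        if cred.key_id == self.fail_cert_write_for:
            raise IOError(f"applet failure writing cert {cred.key_id}")
        self.certs[cred.key_id] = cred.cert

    def is_consistent(self):
        """Every key has its cert and vice versa; otherwise a client sees a broken token."""
        return set(self.keys) == set(self.certs)


def recover_clear_first(token, remote, key_ids):
    """Original ordering: clear the token, then fetch each key/cert over the network.
    A remote failure part-way through leaves the old certs already gone."""
    token.clear()
    for kid in key_ids:
        cred = remote.recover(kid)
        token.import_key(cred)
        token.write_cert(cred)


def recover_fetch_first(token, remote, key_ids):
    """Reordered: all remote work first; the token is touched only once everything is in hand.
    A remote failure bails out before the existing certs are removed. The remaining window
    is between import_key and write_cert: an applet failure there leaves keys without certs."""
    staged = [remote.recover(kid) for kid in key_ids]  # may raise; token still intact
    token.clear()
    for cred in staged:
        token.import_key(cred)
    for cred in staged:
        token.write_cert(cred)


OLD = [Credential("old1", b"k1", b"c1"), Credential("old2", b"k2", b"c2")]  # constructed
NEW = [Credential("new1", b"k3", b"c3"), Credential("new2", b"k4", b"c4")]  # constructed


def fresh_token(**kw):
    t = Token(**kw)
    for c in OLD:
        t.import_key(c)
        t.write_cert(c)
    return t


def run_scenarios():
    out = {}
    t = fresh_token()  # 1. clear-first, remote drops after the first fetch: old certs lost
    try:
        recover_clear_first(t, RemoteStore(NEW, fail_after=1), ["new1", "new2"])
    except RemoteError:
        pass
    out["clear_first_after_drop"] = sorted(t.certs)
    t = fresh_token()  # 2. fetch-first, same drop: token untouched
    try:
        recover_fetch_first(t, RemoteStore(NEW, fail_after=1), ["new1", "new2"])
    except RemoteError:
        pass
    out["fetch_first_after_drop"] = sorted(t.certs)
    t = fresh_token()  # 3. fetch-first, no drop: recovered certs land on the token
    recover_fetch_first(t, RemoteStore(NEW), ["new1", "new2"])
    out["fetch_first_ok"] = sorted(t.certs)
    t = fresh_token(fail_cert_write_for="new2")  # 4. residual window after keys are imported
    try:
        recover_fetch_first(t, RemoteStore(NEW), ["new1", "new2"])
    except IOError:
        pass
    out["window_consistent"] = t.is_consistent()
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 4 is the case the comment describes: the remote side has already answered, the applet holds both new keys, but only one cert was written, so the key set and cert set no longer match and a client such as libcoolkey cannot pair them.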

Metadata Update from @dsirrine:
- Issue assigned to jmagne
- Issue set to the milestone: 10.3.3

8 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2225

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
