Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued
Steps to Reproduce:
1. TPS CS.cfg has the following:
op.enroll.userKey.keyGen.encryption.recovery.destroyed.holdRevocationUntilLastCredential=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeExpiredCerts=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
2. Mark an enrolled token physically damaged; the signing cert is revoked and the encryption cert is active
3. Enroll a token for the same user
Actual results:
New encryption and signing certificates are issued for the new token
Expected results:
Encryption cert should be recovered from the old token
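As an added check (not Dogtag code), the script below parses the recovery keys from the CS.cfg fragment in the steps above and derives what TPS should do with each cert type when a token is marked destroyed, which is the expected result this report describes. The signing.* lines in the sample config and the matching of scheme names by substring are assumptions.

```python
import re

# Constructed CS.cfg fragment: the encryption.* lines are quoted in this issue;
# the signing.* lines are an assumption so that both cert types resolve.
CS_CFG = """\
op.enroll.userKey.keyGen.encryption.recovery.destroyed.holdRevocationUntilLastCredential=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeExpiredCerts=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true
op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=1
op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
"""

# Key layout: op.enroll.<tokenType>.keyGen.<certType>.recovery.<state>.<setting>
KEY_RE = re.compile(r"^op\.enroll\.(?P<token>[^.]+)\.keyGen\.(?P<cert>[^.]+)"
                    r"\.recovery\.(?P<state>[^.]+)\.(?P<setting>.+)$")

def parse_recovery_policy(text):
    """Map (tokenType, certType, state) -> {setting: value} for recovery keys."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = KEY_RE.match(key)
        if m:
            scope = (m["token"], m["cert"], m["state"])
            policy.setdefault(scope, {})[m["setting"]] = value
    return policy

def expected_action(settings):
    """Derive what TPS should do with the old cert and the replacement token.
    Assumption: a scheme containing 'RecoverLast' recovers the previous cert/key
    onto the new token; one containing 'GenerateNew' issues a new one (both for
    the GenerateNewAndRecoverLast scheme named in the fix commit)."""
    scheme = settings.get("scheme", "")
    return {"recover_last": "RecoverLast" in scheme,
            "generate_new": "GenerateNew" in scheme,
            "revoke_old": settings.get("revokeCert", "false").lower() == "true",
            "revoke_reason": settings.get("revokeCert.reason", "0")}

def destroyed_actions(cfg_text, token_type="userKey"):
    """Expected per-cert-type outcome when a token is marked destroyed."""
    policy = parse_recovery_policy(cfg_text)
    return {cert: expected_action(s) for (tok, cert, state), s in policy.items()
            if tok == token_type and state == "destroyed"}
```

Running `destroyed_actions(CS_CFG)` against the quoted settings yields recovery (not a new key) for the encryption cert with the old cert left active, which is the outcome the "Actual results" above contradicts.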
Additional info:
Attachment has the debug log during enrollment of the new token (attachment 1205264: TPS debug log during enrollment of new token).
Per PKI Bug Council of 10/18/2016: 10.3
Closing due to the patch for this fix:
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Tue Oct 18 15:08:44 2016 -0700

Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches

Fixes this bug #1381375. The portion this patch fixes involves a URL encoding glitch we encountered when recovering keys using the "by cert" method.

Also this bug addresses:

Bug 1379379 - Unable to read an encrypted email using renewed tokens
The URL encoding problem was affecting the proper verification of this bug.

and

Bug 1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued
The URI encoding was also making this bug appear to fail more than it should have. There is also a minor fix to the feature that makes sure it works. This small fix is in TPSEngine.java where the constant for GenerateNewAndRecoverLast scheme is declared.
Metadata Update from @rpattath: - Issue set to the milestone: 10.3.8
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2606
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.