#2496 Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches
Closed: Fixed None Opened 7 years ago by rpattath.

Cert/Key recovery is successful when the cert serial number and key id on the
ldap user mismatches

Steps to Reproduce:

1. Enroll a userKey token using tpsclient
2. Create a ldap user of externalRegAddToToken tokentype with the serial number
of the signing cert and the Key ID of the encryption cert
3. Enable externalReg on TPS CS.cfg and enroll a token using the above user
using tpsclient

Actual results:

Enrollment was successful and the cert is recovered on the token

Expected results:

Enrollment should fail and cert/key should not be recovered

Per PKI Bug Council Meeting of 10/04/2016: needs more investigation

pushed to master.

commit e00a28fcdc3e8fea920c85563a3ab26b123dda2d
Author: Christina Fu cfu@dhcp-16-189.sjc.redhat.com
Date: Wed Oct 5 16:09:24 2016 -0700

Ticket #2496 Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches
Problem: There are two ways to recover the keys with
a. by cert
b. by keyId
When recovering by cert, KRA checks if cert and key matches before returning; However, in case of recovering by keyId, KRA has no way of checking.  TPS also has no way of checking because the recovered private keys are wrapped.
This patch adds a control parameter externalReg.recovery.byKeyID to determine if TPS should recover keys by keyIDs. By default, it is false, so certs are used to search for key record and recover.

Code summary for externalReg key recovery:
- config default: externalReg.recover.byKeyID=false
- Recover either by keyID or by cert
- When recovering by keyid: externalReg.recover.byKeyID=true
  - keyid in record indicates actual recovery;
  - missing of which means retention;
- When recovering by cert: externalReg.recover.byKeyID=false
  - keyid field needs to be present but the value is not relevant and will be ignored (a "0" would be fine)
  - missing of keyid still means retention;

(In hindsight, recovery by keyid is probably more accident-prone and should be discouraged)
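The recovery rules in the commit message above, as an added worked model that is not Dogtag's TPS or KRA code: the archive layout, the function names (`recover_by_cert`, `recover_by_key_id`, `external_reg_recover`), the LDAP field names `serial` and `keyid`, and all sample records are constructed assumptions. It shows why the by-cert path can reject a key that does not belong to the cert while the by-keyID path returns whatever is stored under that ID unchecked, and why a missing keyid means retention in both modes.

```python
from dataclasses import dataclass

# Constructed model of the externalReg recovery decision described in the ticket.
# Not Dogtag TPS/KRA code: record shapes, function names and sample data are assumptions.


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    cert_serial: str   # serial of the cert whose private key this record archives
    public_key: str    # stand-in for the archived key's public half
    wrapped_key: str   # stand-in for the wrapped private key TPS receives back


# Constructed KRA archive: a signing key, an encryption key, and one record whose
# archived key does not match the cert it claims to belong to.
KRA_ARCHIVE = {
    "11": KeyRecord("11", "0x1A", "pub-signing", "wrapped-signing"),
    "12": KeyRecord("12", "0x1B", "pub-encryption", "wrapped-encryption"),
    "13": KeyRecord("13", "0x1C", "pub-something-else", "wrapped-other"),
}

# Constructed issued certs: serial -> public key in the cert.
CERTS = {"0x1A": "pub-signing", "0x1B": "pub-encryption", "0x1C": "pub-third"}


def recover_by_cert(serial):
    """Model of the by-cert path: find the record archived for this cert's serial,
    then verify the archived key matches the cert's public key before returning."""
    cert_pub = CERTS.get(serial)
    for rec in KRA_ARCHIVE.values():
        if rec.cert_serial == serial:
            if rec.public_key != cert_pub:
                raise ValueError("archived key does not match cert %s" % serial)
            return rec.wrapped_key
    return None  # nothing archived for this cert


def recover_by_key_id(key_id):
    """Model of the by-keyID path: the archive is addressed by keyID alone, so there
    is no cert to compare against; whatever sits under that ID is returned."""
    rec = KRA_ARCHIVE.get(key_id)
    return rec.wrapped_key if rec else None


def external_reg_recover(user_entry, by_key_id=False):
    """Apply the ticket's rules to one cert entry of an externalReg LDAP user.

    user_entry: dict with 'serial' and optional 'keyid' (assumed field names).
    by_key_id:  the value of externalReg.recover.byKeyID.
    Returns ('retain', None) when keyid is absent, else ('recover', wrapped_key).
    """
    if "keyid" not in user_entry:
        return ("retain", None)          # missing keyid means retention in both modes
    if by_key_id:
        return ("recover", recover_by_key_id(user_entry["keyid"]))
    # by cert: keyid must be present but its value is ignored (a "0" is fine)
    return ("recover", recover_by_cert(user_entry["serial"]))


# Constructed LDAP entry reproducing the ticket: signing cert serial, encryption key ID.
MISMATCHED_ENTRY = {"serial": "0x1A", "keyid": "12"}

if __name__ == "__main__":
    # byKeyID=true hands back the encryption key although the entry names the signing cert
    print(external_reg_recover(MISMATCHED_ENTRY, by_key_id=True))
    # default byKeyID=false ignores keyid and recovers the key that matches the cert
    print(external_reg_recover(MISMATCHED_ENTRY, by_key_id=False))
    # no keyid field at all: the cert is retained, nothing is recovered
    print(external_reg_recover({"serial": "0x1A"}))
```

With the default `externalReg.recover.byKeyID=false` the mismatched entry from the reproduction steps recovers the signing key, because the serial drives the lookup and the keyid is ignored; with `byKeyID=true` the same entry silently yields the encryption key, which is the behaviour the ticket reports and the reason the commit message discourages recovery by keyid.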

jmagne discovered a potential side-effect with the current solution.

Fix for the uri encoding problem we discovered:

commit 9090451aa9f1a2dfcef8b852bb1e1d13d270098d
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Tue Oct 18 15:08:44 2016 -0700

 Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches


The portion this patch fixes involves URL encoding glitch we encountered when recovering keys using
the "by cert" method.

Metadata Update from @rpattath:
- Issue assigned to cfu
- Issue set to the milestone: 10.3.7

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2616

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
