Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches
Steps to Reproduce:
1. Enroll a userKey token using tpsclient
2. Create an ldap user of externalRegAddToToken tokentype with the serial number of the signing cert and the Key ID of the encryption cert
3. Enable externalReg on TPS CS.cfg and enroll a token using the above user using tpsclient
Actual results:
Enrollment was successful and the cert is recovered on the token
Expected results:
Enrollment should fail and cert/key should not be recovered
Per PKI Bug Council Meeting of 10/04/2016: needs more investigation
pushed to master.
commit e00a28fcdc3e8fea920c85563a3ab26b123dda2d
Author: Christina Fu cfu@dhcp-16-189.sjc.redhat.com
Date: Wed Oct 5 16:09:24 2016 -0700

Ticket #2496 Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches

Problem: There are two ways to recover the keys:
a. by cert
b. by keyId
When recovering by cert, the KRA checks whether cert and key match before returning; however, in the case of recovering by keyId, the KRA has no way of checking. TPS also has no way of checking because the recovered private keys are wrapped.

This patch adds a control parameter externalReg.recovery.byKeyID to determine if TPS should recover keys by keyIDs. By default, it is false, so certs are used to search for the key record and recover.

Code summary for externalReg key recovery:
config default: externalReg.recover.byKeyID=false
Recover either by keyID or by cert.
When recovering by keyid: externalReg.recover.byKeyID=true
- keyid in record indicates actual recovery;
- a missing keyid means retention;
When recovering by cert: externalReg.recover.byKeyID=false
- keyid field needs to be present but the value is not relevant and will be ignored (a "0" would be fine)
- a missing keyid still means retention;
(In hindsight, recovery by keyid is probably more accident-prone and should be discouraged)
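The following Python model is an added illustration of the two recovery paths described in the commit message above; it is not Dogtag code. The `KraStore` class, the dict layout of the LDAP user record, the serial numbers and key id 42 are all constructed for the example, and it assumes (as an assumption, not something this ticket states) that only the encryption key is archived in the KRA while the signing key is not. It shows why recovery by keyID cannot detect the mismatched record from the bug report (signing cert serial paired with the encryption key's id), while recovery by cert finds no archived key matching the signing cert and fails, which is the expected result.

```python
"""Model of externalReg key recovery: by keyID vs. by cert.

Added example, not Dogtag's implementation. Record layout, KraStore and
all identifiers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    serial: int
    pubkey: bytes  # stands in for the SubjectPublicKeyInfo of the cert


@dataclass(frozen=True)
class KeyRecord:
    key_id: int
    pubkey: bytes
    wrapped_priv: bytes  # opaque to TPS: it cannot inspect the private key


class KraStore:
    """Constructed stand-in for the KRA key archive (key id -> record)."""

    def __init__(self, records):
        self._by_id = {r.key_id: r for r in records}

    def recover_by_key_id(self, key_id: int) -> Optional[KeyRecord]:
        # No cert is involved, so there is nothing to cross-check:
        # whatever record the id points at is returned.
        return self._by_id.get(key_id)

    def recover_by_cert(self, cert: Cert) -> Optional[KeyRecord]:
        # KRA-side check: only a record whose public key matches the
        # cert is returned; a cert with no archived key yields None.
        for rec in self._by_id.values():
            if rec.pubkey == cert.pubkey:
                return rec
        return None


def external_reg_recover(store: KraStore, record: Dict, certs_by_serial: Dict[int, Cert],
                         by_key_id: bool = False) -> Tuple[str, Optional[KeyRecord]]:
    """Apply the externalReg rules from the commit message.

    A record without a keyid means retention (in both modes).  With a keyid
    present, by_key_id=True (externalReg.recover.byKeyID=true) recovers the
    archived key by id; by_key_id=False (the default) ignores the keyid value
    and searches the archive by the cert instead.
    """
    if record.get("keyid") is None:
        return "retain", None
    cert = certs_by_serial.get(record["serial"])
    if cert is None:
        return "error", None  # cert named in the record cannot be resolved
    if by_key_id:
        rec = store.recover_by_key_id(int(record["keyid"]))
    else:
        rec = store.recover_by_cert(cert)
    return "recover", rec


def demo() -> Dict[str, Tuple[str, Optional[KeyRecord]]]:
    """Replay the ticket's scenario under both settings (constructed data)."""
    signing_pub = b"constructed-signing-pubkey"
    enc_pub = b"constructed-encryption-pubkey"
    signing_cert = Cert(serial=0x11, pubkey=signing_pub)
    enc_cert = Cert(serial=0x12, pubkey=enc_pub)
    certs = {c.serial: c for c in (signing_cert, enc_cert)}
    # Assumption: only the encryption key was archived; key id 42 is made up.
    store = KraStore([KeyRecord(key_id=42, pubkey=enc_pub, wrapped_priv=b"<wrapped>")])

    # The mismatched LDAP record from the report: signing cert serial + encryption key id.
    bad_record = {"serial": 0x11, "keyid": 42}
    good_record = {"serial": 0x12, "keyid": 42}
    retained = {"serial": 0x12}  # no keyid at all -> retention

    return {
        "bad_by_keyid": external_reg_recover(store, bad_record, certs, by_key_id=True),
        "bad_by_cert": external_reg_recover(store, bad_record, certs, by_key_id=False),
        "good_by_cert": external_reg_recover(store, good_record, certs, by_key_id=False),
        "retained": external_reg_recover(store, retained, certs, by_key_id=False),
    }


if __name__ == "__main__":
    for name, (action, rec) in demo().items():
        print(f"{name}: {action}, key_id={rec.key_id if rec else None}")
```

With `by_key_id=True` the mismatched record silently recovers key 42 onto the token (the reported behaviour); with the default `by_key_id=False` the same record yields `("recover", None)`, i.e. no key is recovered for the signing cert and enrollment can be failed, while a record with no keyid is treated as retention in both modes.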
jmagne discovered a potential side-effect with the current solution.
Fix for the URI encoding problem we discovered:
commit 9090451aa9f1a2dfcef8b852bb1e1d13d270098d
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Tue Oct 18 15:08:44 2016 -0700

Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches

The portion this patch fixes involves a URL encoding glitch we encountered when recovering keys using the "by cert" method.
Metadata Update from @rpattath:
- Issue assigned to cfu
- Issue set to the milestone: 10.3.7
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2616