Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status
Steps to Reproduce:
1. Make the following changes to TPS config
   op.enroll.userKey.keyGen.encryption.recovery.destroyed.holdRevocationUntilLastCredential=false
   op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
   op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
   op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeExpiredCerts=false
   op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=GenerateNewKeyAndRecoverLast
2. Enroll a token and mark it permanently lost
3. Enroll a new token for the same user
Actual results:
2. Encryption cert on the token is revoked
3. The recovered encryption cert on the token has a status revoked on CA but TPS Web UI shows active
Expected results:
2. Encryption cert on the token should not be revoked
3. CA and TPS Web UI should have the same status for the cert
Additional info:
The logs are attached to the associated bug.
Per PKI Bug Council meeting of 11/03/2016: 10.3
commit c633da8d43894258d9a4b1050a0d16316c17dbd5
Author: Christina Fu cfu@dhcp-16-189.sjc.redhat.com
Date: Fri Nov 18 12:13:28 2016 -0800

Ticket #2534 Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status

This patch fixes the reported issue so now the auto-recovered certificate will reflect the actual status of the certificate. Also, since the externalReg tracks its own recovered certificate status, it is consolidated with the certificate status tracking mechanism added in this patch so that they can be uniformly managed.
Replying to [comment:4 cfu]:
Cherry-picked to DOGTAG_10_3_BRANCH:
Addressing issue found by QE:
commit c1656bd16dfca8bb5eef4436ee64b95daaac70c8
Author: Christina Fu cfu@dhcp-16-189.sjc.redhat.com
Date: Wed Jan 4 11:20:06 2017 -0800

Ticket #2534 (additional) - reset cert status after successful unrevoke
Metadata Update from @rpattath:
- Issue assigned to cfu
- Issue set to the milestone: 10.3.10
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2654
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.