#2534 Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status
Closed: Fixed None Opened 4 years ago by rpattath.

Automatic recovery of encryption cert - CA and TPS tokendb shows different
certificate status

Steps to Reproduce:

1. Make the following changes to TPS config
op.enroll.userKey.keyGen.encryption.recovery.destroyed.holdRevocationUntilLastCredential=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeExpiredCerts=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=GenerateNewKeyAndRecoverLast
2. Enroll a token and mark it permanently lost
3. Enroll a new token for the same user

Actual results:

2. Encryption cert on the token is revoked
3. The recovered encryption cert on the token has a status revoked on CA but
TPS Web UI shows active

Expected results:

2. Encryption cert on the token should not be revoked
3. CA and TPS Web UI should have the same status for the cert

Additional info:

The logs are attached to the associated bug.

Per PKI Bug Council meeting of 11/03/2016: 10.3

commit c633da8d43894258d9a4b1050a0d16316c17dbd5
Author: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
Date: Fri Nov 18 12:13:28 2016 -0800

Ticket #2534 Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status
This patch fixes the reported issue so now the auto-recovered certificate will reflect the actual status of the certificate.  Also, since the externalReg tracks its own recovered certificate status, it is consolidated with the certificate status tracking mechanism added in this patch so that they can be uniformly managed.

Replying to [comment:4 cfu]:

commit c633da8d43894258d9a4b1050a0d16316c17dbd5
Author: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
Date: Fri Nov 18 12:13:28 2016 -0800

Ticket #2534 Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status
This patch fixes the reported issue so now the auto-recovered certificate will reflect the actual status of the certificate.  Also, since the externalReg tracks its own recovered certificate status, it is consolidated with the certificate status tracking mechanism added in this patch so that they can be uniformly managed.

Cherry-picked to DOGTAG_10_3_BRANCH:

  • 423e3c7835917d34dff9674a9a374d1cde5dbaae

Addressing issue found by QE:

commit c1656bd16dfca8bb5eef4436ee64b95daaac70c8
Author: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
Date: Wed Jan 4 11:20:06 2017 -0800

Ticket #2534 (additional) - reset cert status after successful unrevoke

Replying to [comment:8 cfu]:

Addressing issue found by QE:

commit c1656bd16dfca8bb5eef4436ee64b95daaac70c8
Author: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
Date: Wed Jan 4 11:20:06 2017 -0800

Ticket #2534 (additional) - reset cert status after successful unrevoke

Cherry-picked to DOGTAG_10_3_BRANCH:

  • 10b07027a8ff4bf60e4d3b7a0d6a47e8eccab19c

Metadata Update from @rpattath:
- Issue assigned to cfu
- Issue set to the milestone: 10.3.10

4 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2654

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
