#2772 TPS incorrectly assigns "tokenOrigin" and "tokenType" certificate attribute for recovered certificates.
Closed: fixed 7 years ago. Opened 8 years ago by mharmsen.

TPS incorrectly sets "tokenOrigin" and "tokenType" attributes during "recovery to token" events, resulting in orphaned encryption certificates after token termination.

Additional details are in the associated bug.


Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1462271
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue priority set to: critical
- Issue set to the milestone: 10.4

8 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5 (was: 10.4)

7 years ago

Metadata Update from @mharmsen:
- Custom field origin adjusted to RHCust (was: Community)
- Issue set to the milestone: 10.4 (was: 10.5)

7 years ago

Metadata Update from @mharmsen:
- Issue assigned to cfu

7 years ago

commit 2bbd017e7f51f429db5188f5e984f41bb9f08e95 (HEAD -> master, origin/master, origin/HEAD, 2772RecoveredTPStokenInfo)
Author: Christina Fu cfu@redhat.com
Date: Mon Aug 28 15:41:19 2017 -0700

Ticket #2772 TPS: correct tokenOrigin and tokenType attrs for recovered externalReg certs

This patch fixes the following issues:
1. The "orphaned certs" resulted in termination of tokens sharing the same certificate --  Investigation shows that the isLastActiveSharedCert() did not work as expected where cert status was checked instead of token status, resulting in the method always returning True so even termination at last cert did not revoke the cert;
2. The "tokenOrigin" was incorrect after externalReg "recovery" --  Investigation shows that recovered certificate was written twice into the tokendb, effectively resulting in the second write overwriting the first one with initialization (incorrect) values.
3. Incorrect sequence in updating the tokendb with cert records;  The sequence was a. remove all certs, b. transform EnrolledCertsInfo into token cert records (in memory), c. add all token cert records into the empty token record;  That resulted in certs intended for retention deleted and rewritten with initialization (incorrect) values; The fix now does the following: a. remove the certs NOT to be retained, b. transform EnrolledCertsInfo into token cert records, c. add the certs that are NOT already in the token record into the token record.

A new TPS profile, externalRegISEtoken, is also added for ease of providing a test procedure.

Change-Id: Ic36931fad553d7eb38d07ee4fce7cf374a4b7652
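Constructed model of the tokendb update sequence and the shared-cert check that the commit message above describes, added here as an illustration; it is not Dogtag TPS code, and the record fields (tokenOrigin and tokenType as plain strings), the status strings, the `retain` set, `terminate_token` and the other names are assumptions. The old and fixed update sequences run on identical copies of one token so the overwrite of the recovered cert's origin is visible, and the termination check is shown once keyed on token status and once on cert status.

```python
"""Model of the tokendb cert-record update and the shared-cert check described
in the commit message above.  Constructed example, not Dogtag TPS code: record
fields, status strings and function names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class CertRecord:
    serial: str
    token_origin: str          # token the cert was originally issued to (assumed field)
    token_type: str            # TPS profile the cert was issued under (assumed field)
    status: str = "active"     # cert status, kept separate from token status


@dataclass
class TokenRecord:
    token_id: str
    status: str = "active"     # token lifecycle state: "active" or "terminated"
    certs: dict = field(default_factory=dict)   # serial -> CertRecord


def transform_enrolled_info(infos, token_id, token_type):
    """Step b: turn EnrolledCertsInfo-like entries into in-memory cert records.
    Records built here carry *initialization* values (origin = this token,
    type = current profile), which are wrong for a cert recovered from elsewhere."""
    return [CertRecord(serial, token_origin=token_id, token_type=token_type)
            for serial in infos]


def update_certs_old(token, enrolled_infos, token_type):
    """Old sequence: a. remove all certs, b. transform, c. add all.
    Certs meant for retention are deleted and rewritten with init values."""
    token.certs.clear()
    for rec in transform_enrolled_info(enrolled_infos, token.token_id, token_type):
        token.certs[rec.serial] = rec
    return token


def update_certs_fixed(token, enrolled_infos, token_type, retain):
    """Fixed sequence: a. remove only certs NOT retained, b. transform,
    c. add only certs not already present in the token record."""
    for serial in list(token.certs):
        if serial not in retain:
            del token.certs[serial]
    for rec in transform_enrolled_info(enrolled_infos, token.token_id, token_type):
        if rec.serial not in token.certs:
            token.certs[rec.serial] = rec
    return token


def is_last_active_shared_cert(db, serial, terminating_id):
    """Token-status check: is `terminating_id` the last *active token* holding
    `serial`?  Certs sitting on already-terminated tokens do not count."""
    return not any(t.status == "active" and serial in t.certs
                   for tid, t in db.items() if tid != terminating_id)


def is_last_active_shared_cert_by_cert_status(db, serial, terminating_id):
    """Same question answered from the cert record's status instead.  The shared
    cert's record on a terminated token still reads 'active' (nobody revoked it),
    so this variant never sees the cert as the last active copy."""
    return not any(serial in t.certs and t.certs[serial].status == "active"
                   for tid, t in db.items() if tid != terminating_id)


def terminate_token(db, token_id, last_active_check):
    """Terminate a token; revoke each cert only when no other active token still
    shares it.  Returns the serials revoked."""
    token = db[token_id]
    revoked = []
    for serial, rec in token.certs.items():
        if last_active_check(db, serial, token_id):
            rec.status = "revoked"
            revoked.append(serial)
    token.status = "terminated"
    return revoked


def scenario():
    """Constructed data: cert S1 was recovered from token T1 onto T2, and T1 was
    terminated earlier.  T2 then re-enrols (gaining S2) and is finally terminated."""
    t1 = TokenRecord("T1", status="terminated",
                     certs={"S1": CertRecord("S1", "T1", "userKey")})
    t2_old = TokenRecord("T2", certs={"S1": CertRecord("S1", "T1", "userKey"),
                                      "S0": CertRecord("S0", "T2", "tmpKey")})
    t2_new = TokenRecord("T2", certs={"S1": CertRecord("S1", "T1", "userKey"),
                                      "S0": CertRecord("S0", "T2", "tmpKey")})
    enrolled = ["S1", "S2"]            # EnrolledCertsInfo after the externalReg recovery
    update_certs_old(t2_old, enrolled, "userKey")
    update_certs_fixed(t2_new, enrolled, "userKey", retain={"S1"})

    db = {"T1": t1, "T2": t2_new}
    by_cert_status = [c for c in t2_new.certs
                      if is_last_active_shared_cert_by_cert_status(db, c, "T2")]
    revoked = terminate_token(db, "T2", is_last_active_shared_cert)
    return {
        "old_origin_S1": t2_old.certs["S1"].token_origin,    # "T2": overwritten
        "fixed_origin_S1": t2_new.certs["S1"].token_origin,  # "T1": retained
        "fixed_serials": sorted(t2_new.certs),               # ["S1", "S2"]
        "would_revoke_by_cert_status": by_cert_status,       # ["S2"]: S1 left orphaned
        "revoked_by_token_status": revoked,                  # ["S1", "S2"]
    }


if __name__ == "__main__":
    print(scenario())
```

The point of keeping the two checks side by side is that both walk the same records; only the field they consult differs, and with cert status the recovered cert outlives every token that ever held it.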

Metadata Update from @cfu:
- Assignee reset
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.10 (was: 10.4)

7 years ago

Metadata Update from @edewata:
- Issue assigned to cfu

7 years ago

It looks like TPS token enroll operation no longer generates cert records since commit 2bbd017e7f51f429db5188f5e984f41bb9f08e95. Is this a regression?

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4 (was: 10.4.10)
- Issue status updated to: Open (was: Closed)

7 years ago

commit 085ee8b39f529fb4625cd51af83bd2a70bf70230 (HEAD -> master, origin/master, origin/HEAD, 2772RecoveredTPStokenInfo)
Author: Christina Fu cfu@redhat.com
Date: Tue Sep 12 11:07:14 2017 -0700

Ticket 2772 (added patch) ExternalReg tokenOrigin for recovered cert

This patch fixes a regression for non-ExternalReg where it references
an externalReg-specific variable and causes an issue;
Some debugging is also added;
One typo change from method name setLifeycleState to setLifecycleState
which only occurs in a few spots.

Change-Id: If23f854e3b4da3a7145c115d55898a0360d4e0f8

Metadata Update from @cfu:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.4.10 (was: 10.4)
- Issue status updated to: Closed (was: Open)

7 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.4.8-6.fc27

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2892

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
