#575 [RFE] TPS Recovery Enhancement - Framework & Prototype
Closed: Fixed. Opened 11 years ago by nkinder.

Require the ability to recover non-revoked/expired certificates to an active
token.


This ticket can be treated as one aspect of the general effort to allow the user to override our fairly rigid recovery policy. The external-db-record-driven procedure to be implemented will only adhere to what the db record tells us to do. CFU and I will make sure this specific requirement will be taken care of as well. Will work more closely on this when cfu has the high-level support for the procedure discussed in the other ticket.

This ticket is specific to the "Framework" and "Prototype" part of the TPS Revocation Enhancement work.

https://bugzilla.redhat.com/show_bug.cgi?id=927312#c10
The above checkin provides the following Framework and prototype:

Framework - per Base External Registration Design:
http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS#Base_External_Registration_Design

  • TPS: The ExternalRegAttrs class and its sub-classes, which provide content structures and manipulation functions for attributes retrieved from the registration user record during authentication. Such a structure is attached to the RA_Session to be carried around for use.
  • TPS: shared authentication-related functions for the following operations: Format, Enroll, and Pin-reset.
  • DRM: interface and the underlying functionality to allow key recovery by key id
  • TPS: function to call to DRM's new interface to do key recovery by key id
  • TPS: function to call to CA to do revocation by serial number
  • TPS: function to call to CA to retrieve a certificate by serial number, and the parsing of that certificate

Prototype -

  • TPS: For ease of development without having to fabricate registration user record content on ldap, prototype code within LDAP authentication to retrieve and parse info from CS.cfg which mimics the info that would be gotten from the registration db.

What the prototype will NOT do: the actual key injection into or deletion from the token.
Because of this, the prototype currently only works for tpsclient. The new key recovery and revocation processing functions always return true after successful recovery of keys/certs and revocation.

In Phase 2 of this task, the following main feature/issues will be addressed:

And some "loose ends" will be addressed, such as (not limited to):

  • add auditing
  • log tokendb activities
  • "userid" required by RecoverKey()
  • revocation reasons control
  • more error handling for the framework code
  • etc.

https://bugzilla.redhat.com/show_bug.cgi?id=927312#c17
The above checkin provides the following feature and its prototype:

Feature - Delegation Feature per design on http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS#Delegation_Design

CA new profiles:

  • caTokenUserAuthKeyRenewal
  • caTokenUserDelegateAuthKeyEnrollment
  • caTokenUserDelegateSigningKeyEnrollment

TPS new profiles:

  • delegateISEtoken - for ID(auth), Signing, and Encryption
  • delegateIEtoken - for ID(auth), and Encryption
  • externalRegAddToToken - for adding (recovering) certs/keys to token

Provides:

  • delegation feature
  • renewal for externalRegistration mode
  • token CUID comparison if supplied on user reg record
  • delete cert entry from tokendb upon deletion from token if so specified
  • avoid formatting tokens at places (e.g. failure)
  • other misc. cleanup

What is not (yet) covered:

  • temporary token TPS profiles for externalReg profiles
  • Auditing still missing in new code at some places
  • tokendb activities may be missing at some places in new code
  • some error handling may still be missing in new code
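The recovery policy the comments above describe (recover only non-revoked, non-expired certificates to an active token, driven solely by the registration user record, with an optional token CUID check) can be sketched as a small decision function. This is an added illustration, not Dogtag's own TPS code: the record fields, status strings and key-id format are assumptions, and the sample record is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class RegCert:
    """One certificate entry from the registration user record (assumed shape)."""
    serial: int
    status: str            # "VALID" or "REVOKED", as the CA reports it (assumed)
    not_after: datetime    # certificate expiry
    key_id: str            # DRM key id used for recovery by key id (assumed format)


@dataclass
class RegRecord:
    """Registration user record as the external DS would supply it (assumed shape)."""
    user_id: str
    certs: List[RegCert] = field(default_factory=list)
    cuid: Optional[str] = None   # token CUID, only compared when present


def select_recoverable(record: RegRecord, token_cuid: str,
                       now: Optional[datetime] = None) -> Tuple[List[str], Dict[int, str]]:
    """Return (key ids to recover, {serial: reason} for entries skipped).

    Raises ValueError when the record names a CUID that differs from the
    token presented, so nothing is recovered to the wrong token.
    """
    now = now or datetime.now(timezone.utc)
    if record.cuid is not None and record.cuid.lower() != token_cuid.lower():
        raise ValueError("token CUID %s does not match record CUID %s"
                         % (token_cuid, record.cuid))
    recover: List[str] = []
    skipped: Dict[int, str] = {}
    for cert in record.certs:
        if cert.status != "VALID":
            skipped[cert.serial] = "revoked"      # never recover a revoked cert
        elif cert.not_after <= now:
            skipped[cert.serial] = "expired"      # nor an expired one
        else:
            recover.append(cert.key_id)
    return recover, skipped


# Constructed sample record: one valid, one revoked, one expired certificate.
FIXED_NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)
SAMPLE_RECORD = RegRecord("jdoe", cuid="A1B2C3", certs=[
    RegCert(0x10, "VALID", datetime(2030, 1, 1, tzinfo=timezone.utc), "key-0010"),
    RegCert(0x11, "REVOKED", datetime(2030, 1, 1, tzinfo=timezone.utc), "key-0011"),
    RegCert(0x12, "VALID", datetime(2015, 1, 1, tzinfo=timezone.utc), "key-0012"),
])
```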

We have provided this fix to QA and the customer as a beta. Closing.

Metadata Update from @nkinder:
- Issue assigned to cfu
- Issue set to the milestone: 10.1 - 08/13 (August)

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1145

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
