When a userKey token is marked as "Temporary Lost", its certs are revoked with reason "On Hold". When this lost token's encryption cert is recovered using delegateISEtoken, I see that the revoked encryption cert suddenly becomes "active" instead of still showing "On Hold".
Version-Release number of selected component (if applicable):
[root@pkiserver ~]# rpm -qi pki-ca
Name        : pki-ca                       Relocations: (not relocatable)
Version     : 8.1.6                             Vendor: Red Hat, Inc.
Release     : 1.el5pki                      Build Date: Fri 15 Nov 2013 03:12:34 PM EST
Install Date: Sat 14 Dec 2013 01:24:42 PM EST      Build Host: x86-028.build.eng.bos.redhat.com

[root@pkiserver ~]# rpm -qi pki-common
Name        : pki-common                   Relocations: (not relocatable)
Version     : 8.1.12                            Vendor: Red Hat, Inc.
Release     : 1.el5pki                      Build Date: Fri 15 Nov 2013 03:12:55 PM EST
Install Date: Sat 14 Dec 2013 01:24:41 PM EST      Build Host: x86-023.build.eng.bos.redhat.com

[root@pkiserver ~]# rpm -qi pki-kra
Name        : pki-kra                      Relocations: (not relocatable)
Version     : 8.1.4                             Vendor: Red Hat, Inc.
Release     : 1.el5pki                      Build Date: Fri 09 Aug 2013 03:48:47 PM EDT
Install Date: Sat 14 Dec 2013 01:25:27 PM EST      Build Host: x86-022.build.eng.bos.redhat.com

[root@pkiserver ~]# rpm -qi pki-tks
Name        : pki-tks                      Relocations: (not relocatable)
Version     : 8.1.1                             Vendor: Red Hat, Inc.
Release     : 1.el5pki                      Build Date: Mon 10 Sep 2012 10:53:26 PM EDT
Install Date: Sat 14 Dec 2013 12:30:52 PM EST      Build Host: x86-007.build.bos.redhat.com
Group       : System Environment/Daemons   Source RPM: pki-tks-8.1.1-1.el5pki.src.rpm

[root@pkiserver ~]# rpm -qi pki-tps
Name        : pki-tps                      Relocations: (not relocatable)
Version     : 8.1.13                            Vendor: Red Hat, Inc.
Release     : 1.el5pki                      Build Date: Fri 15 Nov 2013 03:11:20 PM EST
Install Date: Sat 14 Dec 2013 01:25:26 PM EST      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Daemons   Source RPM: pki-tps-8.1.13-1.el5pki.src.rpm
Size        : 1702784                          License: LGPLv2 with exceptions
How reproducible:
Detailed Steps:
I am trying to recover an executive's encryption cert using a delegate token with the delegateISEtoken tokenType.
dn: uid=exec1,dc=gsslab,dc=pnq,dc=redhat,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: top
objectClass: extensibleobject
cn: exec1
sn: exec1
uid: exec1
givenName: exec1
mail: exec1@example.org
tokenType: userKey
firstname: exec1
userPassword: redhat

op=var_set name=ra_host value=pkiserver.gsslab.pnq.redhat.com
op=var_set name=ra_port value=7888
op=var_set name=ra_uri value=/nk_service
op=token_set cuid=60000000000000000001 msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
op=token_set auth_key=404142434445464748494a4b4c4d4e4f
op=token_set mac_key=404142434445464748494a4b4c4d4e4f
op=token_set kek_key=404142434445464748494a4b4c4d4e4f
op=ra_enroll uid=exec1 pwd=redhat new_pin=Secret123 num_threads=1
op=exit
Exec1 Signing Cert: 0xa5, Encryption Cert: 0xa6
Mark the exec1 token as "Temporary Lost". I see that exec1's signing and encryption certs both go to "On Hold" status and the token goes to "On Hold" status. From the CA Agent I see that exec1's signing and encryption certs are revoked with reason "On Hold".
From the TPS Agent, when I click on "Show Certificates" for exec1, I see the following:
ID                 Serial Number  Subject                     Token ID              Key Type    Last Status      User ID  Last Modified At
a5.20131216173054  0xa5           UID=exec1,O=Token Key User  60000000000000000001  signing     revoked_on_hold  exec1    2013/12/16 18:05:33
a6.20131216173054  0xa6           UID=exec1,O=Token Key User  60000000000000000001  encryption  revoked_on_hold  exec1    2013/12/16 18:05:33
dn: uid=delegate1,dc=gsslab,dc=pnq,dc=redhat,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: top
objectClass: extensibleobject
cn: delegate1
sn: delegate1
uid: delegate1
givenName: delegate1
mail: johndoe@EXAMPLE.ORG
firstname: John
lastname: Doe
memberid: 7654321
catcode: AC
edipi: 123456789
edipi: 999999999
pcc: AA
exec-memberid: 1234567
exec-catcode: AC
exec-mail: exec1@EXAMPLE.ORG
tokenType: delegateISEtoken
certstoadd: 166,ca1,64,drm1

Enroll a smartcard using delegate1. The token gets enrolled successfully and exec1's encryption cert is recovered successfully.
Go to the TPS Agent and again click on "Show Certificates" for exec1's token.
ID                 Serial Number  Subject                     Token ID              Key Type    Last Status      User ID  Last Modified At
a5.20131216173054  0xa5           UID=exec1,O=Token Key User  60000000000000000001  signing     revoked_on_hold  exec1    2013/12/16 18:05:33
a6.20131216173054  0xa6           UID=exec1,O=Token Key User  60000000000000000001  encryption  active           exec1    2013/12/16 18:07:59

I see that exec1's encryption cert shows as "active" instead of "revoked_on_hold".
The CA Agent still shows both of exec1's certs (signing and encryption) as revoked.
What this change does is that it only un-revokes the signing cert, but the encryption cert is still in a revoked state.
Audit logs:
[2013-12-16 18:11:59] b79f4b8 [AuditEvent=CONFIG_TOKEN][SubjectID=admin][Role=Agent][Outcome=Success][Object=token_id;;60000000000000000001][ParamNameValPairs=tokenStatus;;active+tokenReason;;null] lost token marked found
[2013-12-16 18:12:01] b79f4b8 [AuditEvent=AUTH_SUCCESS][SubjectID=admin][AuthID=admin][Outcome=Success] authentication success
[2013-12-16 18:12:01] b79f4b8 [AuditEvent=ROLE_ASSUME][SubjectID=admin][Role=Tokendb Admin][Outcome=Success] assume privileged role
[2013-12-16 18:12:01] b79f4b8 [AuditEvent=ROLE_ASSUME][SubjectID=admin][Role=Tokendb Agent][Outcome=Success] assume privileged role
[2013-12-16 18:12:01] b79f4b8 [AuditEvent=ROLE_ASSUME][SubjectID=admin][Role=Tokendb Operator][Outcome=Success] assume privileged role
[2013-12-16 18:12:01] b79f4b8 [AuditEvent=AUTHZ_SUCCESS][SubjectID=admin][op=index][Outcome=Success] Tokendb user authorization
Actual results:
When the temporarily lost token is changed to "Found", the encryption cert is not un-revoked.

Expected results:
When the temporarily lost token is changed to "Found", the encryption cert should be un-revoked.
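The discrepancy the report describes (the TPS token DB showing a cert as "active" while the CA still has it on hold) is exactly what a relying party must not trust: the TPS "Show Certificates" page is a local record, and the CA's revocation status, as served over OCSP or the CRL, is the authority. The script below is an added example, not code from the ticket or from Dogtag/RHCS. It reduces the output of `openssl ocsp` to the TPS status vocabulary, pulls the "Last Status" column out of a "Show Certificates" listing, and flags any serial where the two disagree. The OCSP URL, the CA certificate path, and the sample texts embedded in the script are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the ticket or from Dogtag/RHCS): cross-check the
# "Last Status" that the TPS Agent "Show Certificates" page reports against the
# CA's own answer over OCSP. Hostname, port, and CA cert path are assumptions.

CA_OCSP_URL="${CA_OCSP_URL:-http://pkiserver.gsslab.pnq.redhat.com:9180/ca/ocsp}"  # assumed
CA_CERT="${CA_CERT:-/tmp/ca-signing.pem}"                                            # assumed PEM path

# Reduce an `openssl ocsp -serial <hex> ...` summary (stdin, without -resp_text)
# to the TPS vocabulary: active | revoked_on_hold | revoked | unknown.
# openssl prints "<serial>: good|revoked|unknown" and, for revoked certs,
# a "Reason: certificateHold" line when the CA has the cert on hold.
ocsp_to_tps_status() {
    awk '
        $1 ~ /:$/ && ($2 == "good" || $2 == "revoked" || $2 == "unknown") { status = $2 }
        $1 == "Reason:" { reason = $2 }
        END {
            if (status == "good")                                        print "active"
            else if (status == "revoked" && reason == "certificateHold") print "revoked_on_hold"
            else if (status == "revoked")                                print "revoked"
            else                                                         print "unknown"
        }'
}

# "Last Status" for one serial in a TPS "Show Certificates" listing (stdin).
# Columns: ID, Serial, Subject (may contain spaces), Token ID, Key Type,
# Last Status, User ID, Date, Time; so the status is the 4th field from the end.
tps_status_for_serial() {
    awk -v want="$1" '$2 == want { print $(NF-3); found = 1 } END { if (!found) print "absent" }'
}

# Print OK or MISMATCH for one serial given both views. Always exits 0 so the
# caller can keep scanning; the word at the start of the line is the verdict.
compare_status() {
    serial="$1"; tps="$2"; ca="$3"
    if [ "$tps" = "$ca" ]; then
        echo "OK       $serial tps=$tps ca=$ca"
    else
        echo "MISMATCH $serial tps=$tps ca=$ca"
    fi
}

# Live mode: scan every row of a listing on stdin, asking the CA's OCSP
# responder about each serial (needs network access and openssl).
check_listing_live() {
    while read -r line; do
        serial=$(printf '%s\n' "$line" | awk '$2 ~ /^0x/ { print $2 }')
        [ -n "$serial" ] || continue
        tps=$(printf '%s\n' "$line" | tps_status_for_serial "$serial")
        ca=$(openssl ocsp -issuer "$CA_CERT" -CAfile "$CA_CERT" -url "$CA_OCSP_URL" \
                -serial "$serial" 2>/dev/null | ocsp_to_tps_status)
        compare_status "$serial" "$tps" "$ca"
    done
}

# Constructed inputs: the TPS table from the ticket after the delegate recovery,
# and an OCSP summary shaped like openssl's for a cert the CA still has on hold.
TPS_LISTING='a5.20131216173054 0xa5 UID=exec1,O=Token Key User 60000000000000000001 signing revoked_on_hold exec1 2013/12/16 18:05:33
a6.20131216173054 0xa6 UID=exec1,O=Token Key User 60000000000000000001 encryption active exec1 2013/12/16 18:07:59'

OCSP_A6_ON_HOLD='0xa6: revoked
    This Update: Dec 16 13:07:59 2013 GMT
    Reason: certificateHold
    Revocation Time: Dec 16 12:35:33 2013 GMT'

# Offline demonstration on the constructed data: reports MISMATCH for 0xa6.
demo() {
    ca=$(printf '%s\n' "$OCSP_A6_ON_HOLD" | ocsp_to_tps_status)
    tps=$(printf '%s\n' "$TPS_LISTING" | tps_status_for_serial 0xa6)
    compare_status 0xa6 "$tps" "$ca"
}
demo
```

To audit a real token, paste the "Show Certificates" rows into a file and run `check_listing_live < rows.txt`; any MISMATCH line is a cert whose TPS status should not be believed until the CA-side status (a release-from-hold at the CA for a token marked found, or a proper revocation otherwise) has been reconciled.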
Since TPS is rewritten, and this ticket is relating to externalReg, I'm moving this to same bucket as https://fedorahosted.org/pki/ticket/1028 TPS rewrite: provide externalReg functionality
Proposed Milestone: 10.2.2 (per CS Meeting of 09/17/2014)
External Reg
Per 10.2.2 Triage meeting of 02/24/2015: 10.2.3
(related to PKI TRAC Ticket #824 - Encryption Profile used by delegateISEtoken should be changed from caTokenUserAuthenticationKeyEnrollment to caTokenUserDelegateAuthKeyEnrollment)
Moving to 10.2.4 per CS team meeting.
Per Dogtag 10.2.x TRIAGE meeting of 04/28/2015: (external reg)
I have verified with the latest 10.2.5 tree. I think the rewritten Java TPS ExternalReg feature already got this working correctly.
I'm closing this ticket as WorksForMe.
Metadata Update from @nkinder:
- Issue assigned to cfu
- Issue set to the milestone: 10.2.5
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1390
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.