Bug 499292
| Summary: | TPS - Enrollments where keys are recovered need to do both GenerateNewKey and RecoverLast operation for encryption key | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Retired] Dogtag Certificate System | Reporter: | Chandrasekar Kannan <ckannan> | ||||||
| Component: | TPS | Assignee: | Jack Magne <jmagne> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Chandrasekar Kannan <ckannan> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | high | ||||||||
| Version: | unspecified | CC: | aakkiang, alee, benl, cfu, jmagne | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2012-06-04 20:06:14 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 445047 | ||||||||
| Attachments: |
|
||||||||
|
Description
Chandrasekar Kannan
2009-05-06 00:09:36 UTC
Created attachment 433518 [details]
Patch to address this issue.
This patch gives us the ability described int he bug. cfu please review.
Created attachment 433985 [details]
Revised patch for this issue.
New patch based on very latest code. cfu please review.
(In reply to comment #4) > Created an attachment (id=433985) [details] cfu+ svn commit -m "Bug 499292 - TPS - Enrollments where keys are recovered need to do both GenerateNewKey and RecoverLast operation for encryption key." Sending tps/doc/CS.cfg Sending tps/src/processor/RA_Enroll_Processor.cpp Transmitting file data .. Committed revision 1133. How to test: 1. Enroll a simple token with the basic list of encryption cert and signing cert. 2. Configure the TPS to allow the testing of the new scheme supported by this bug like follows: op.enroll.userKey.keyGen.encryption.publicKeyNumber=5 op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0 op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=GenerateNewKeyandRecoverLast This scenario configures the new scheme of "GenerateNewKeyandRecoverLast" for a token that has been placed in the "destroyed" state. 3. Restart tps. 4. Go into the TPS UI for this token and mark it as "This token has been physically damaged." 5. Obtain a new blank or formatted token and attempt an Enrollment operation with ESC. 6. The resulting token should have a new encryption cert, a recovered old encryption cert from the original token, and a new signing cert. Tested using Gemalto 64K smart card with CS 8.1 installed on Rhel 5 32 and 64 bit (with the fix to bug 622535) machines. When an enrolled token is destroyed, having encryption key recovery 'destroyed' scheme as 'GenerateNewKeyandRecover' and enrolling a new token loads a new encryption cert, a recovered old encryption cert from the original token, and a new signing cert on the token. Steps followed: 1. Enroll a token with the basic list of encryption cert and signing cert. 2. Configure scheme "GenerateNewKeyandRecoverLast" for a token that has been placed in the "destroyed" state: op.enroll.userKey.keyGen.encryption.publicKeyNumber=5 op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0 op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=GenerateNewKeyandRecoverLast 3. Restart tps. 4. In tps UI mark the enrolled token as "This token has been physically damaged." 5. Enroll a new blank token for the same user. 6. The resulting token has a new encryption cert, a recovered old encryption cert from the original token, and a new signing cert. Marking the bug verified. |