Bug 669804

Summary: on active token re-enroll, TPS does not revoke and remove existing certs
Product: [Retired] Dogtag Certificate System
Component: TPS
Version: 9.0
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Hardware: Unspecified
OS: Unspecified
Reporter: Ade Lee <alee>
Assignee: Jack Magne <jmagne>
QA Contact: Chandrasekar Kannan <ckannan>
CC: aakkiang, alee, benl, cfu, jmagne
Doc Type: Bug Fix
Last Closed: 2012-06-04 20:22:48 UTC
Bug Blocks: 445047
Attachments:
Patch to address this issue (Flags: cfu: review+)

Description Ade Lee 2011-01-14 20:36:56 UTC
Description of problem:

It is now possible to re-enroll an active token. When this occurs, the certs on the active token should be revoked and the cert entries removed from the tokendb. This is exactly what would occur if the user were forced to first format and then re-enroll.
 
How reproducible:

You can simulate this by enrolling twice using tpsclient, or by clicking the "Enroll" button twice on the ESC. The result is a token that shows 4 certs in the tokendb, where none of the certs have been revoked.

Comment 1 Jack Magne 2011-01-28 18:07:31 UTC
Created attachment 475842
Patch to address this issue

Comment 2 Jack Magne 2011-02-01 01:17:30 UTC
Checkins:

Branch:
svn commit -m "Bugzilla Bug 669804 - on active token re-enroll, TPS does not revoke and remove existing certs."

Sending        tps/src/processor/RA_Enroll_Processor.cpp
Sending        tps/src/processor/RA_Processor.cpp
Transmitting file data ..
Committed revision 1804.




Trunk:

svn commit -m "Bugzilla Bug 669804 - on active token re-enroll, TPS does not revoke and remove existing certs."

Sending        tps/src/processor/RA_Enroll_Processor.cpp
Sending        tps/src/processor/RA_Processor.cpp
Transmitting file data ..
Committed revision 1803.

Comment 3 Jack Magne 2011-02-01 01:19:23 UTC
Test:

1. Enroll a basic two cert smart card.
2. Make sure that the policy for re-enrollment is enabled.

3. Re-enroll the same token with the client.
4. Take a look at the token db interface and make sure that only the new two certs are listed in the UI and that the previous two certificates have been revoked.

5. Test the basic Format operation to make sure the certs are being revoked properly.

Comment 4 Asha Akkiangady 2011-02-21 19:32:40 UTC
Tested smart card re-enrollment:
 - Enrolled and loaded two certs
 - Enabled re-enroll policy and re-enrolled the token
 - The old certificates on the token have been removed
 - New certs loaded on the token
 - TPS UI shows only new certs
 - CA agent shows old certificates as revoked
 - Format operation on this token revokes the certificates

Marking the bug verified.