Bug 499292 - TPS - Enrollments where keys are recovered need to do both GenerateNewKey and RecoverLast operation for encryption key
Status: CLOSED CURRENTRELEASE
Product: Dogtag Certificate System
Classification: Community
Component: TPS
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Jack Magne
Chandrasekar Kannan
Blocks: 445047
Reported: 2009-05-05 20:09 EDT by Chandrasekar Kannan
Modified: 2015-01-04 18:38 EST (History)

Doc Type: Bug Fix
Last Closed: 2012-06-04 16:06:14 EDT


Attachments
Patch to address this issue. (15.54 KB, patch)
2010-07-21 17:33 EDT, Jack Magne
Revised patch for this issue. (15.54 KB, patch)
2010-07-23 11:29 EDT, Jack Magne

Description Chandrasekar Kannan 2009-05-05 20:09:36 EDT
currently during enrollment that involves key recovery operations, the only
choices we get are to either Generate a new key (encryption) or Recover the
last encryption key(RecoverLast).

Kevin has requested that TPS should have capability to do both at the
same time so that the smart card will have the old encryption key (last used)
and also a new encryption key
Comment 3 Jack Magne 2010-07-21 17:33:06 EDT
Created attachment 433518
Patch to address this issue.

This patch gives us the ability described in the bug. cfu please review.
Comment 4 Jack Magne 2010-07-23 11:29:16 EDT
Created attachment 433985
Revised patch for this issue.

New patch based on very latest code. cfu please review.
Comment 5 Christina Fu 2010-07-23 12:37:08 EDT
(In reply to comment #4)
> Created an attachment (id=433985)

cfu+
Comment 6 Jack Magne 2010-07-23 13:04:22 EDT
 svn commit -m "Bug 499292 - TPS - Enrollments where keys are recovered need to do both GenerateNewKey and RecoverLast operation for encryption key."
Sending        tps/doc/CS.cfg
Sending        tps/src/processor/RA_Enroll_Processor.cpp
Transmitting file data ..
Committed revision 1133.
Comment 7 Jack Magne 2010-08-05 13:24:03 EDT
How to test:

1. Enroll a simple token with the basic list of encryption cert and signing cert.

2. Configure the TPS to allow the testing of the new scheme supported by this bug like follows:

op.enroll.userKey.keyGen.encryption.publicKeyNumber=5
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=GenerateNewKeyandRecoverLast


This scenario configures the new scheme of "GenerateNewKeyandRecoverLast" for a token that has been placed in the "destroyed" state.

3. Restart tps.

4. Go into the TPS UI for this token and mark it as "This token has been physically damaged."

5. Obtain a new blank or formatted token and attempt an Enrollment operation with ESC.

6. The resulting token should have a new encryption cert, a recovered old encryption cert from the original token, and a new signing cert.
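As an added illustration (not part of this bug's patch or of the Dogtag/TPS code base), the following Python script parses the CS.cfg lines quoted in step 2 and checks the encryption-key recovery block for the "destroyed" token state: that the scheme is one of the three names this bug discusses, that revokeCert is a boolean and not set to true while the old key is being recovered, and that the revocation reason is numeric. It also maps each scheme to the certificate set step 6 expects on the re-enrolled token. The configuration keys, the "userKey" profile and the scheme names come from the bug; the "RecoverLast implies revokeCert=false" rule and the case-sensitive name match are assumptions of this example, not documented TPS behaviour, and the sample configuration strings are constructed.

```python
# Added example (not part of the bug or of the Dogtag/TPS code base): checker
# for the TPS CS.cfg encryption-key recovery settings quoted in the test steps.

# The three encryption-key recovery schemes named in this bug.
KNOWN_SCHEMES = {"GenerateNewKey", "RecoverLast", "GenerateNewKeyandRecoverLast"}

# What each scheme should leave on the freshly enrolled token; the three-cert
# outcome for the combined scheme is test step 6 above (the signing cert is
# always newly generated).
EXPECTED_CERTS = {
    "GenerateNewKey": ("new encryption", "new signing"),
    "RecoverLast": ("recovered encryption", "new signing"),
    "GenerateNewKeyandRecoverLast": ("new encryption", "recovered encryption", "new signing"),
}

# Constructed sample: the four settings from test step 2.
SAMPLE_CFG = """\
op.enroll.userKey.keyGen.encryption.publicKeyNumber=5
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=GenerateNewKeyandRecoverLast
"""

# Constructed sample with a mis-cased scheme name; this example treats scheme
# names as case-sensitive (an assumption), so it matches none of the known ones.
BAD_CFG = SAMPLE_CFG.replace("GenerateNewKeyandRecoverLast", "GenerateNewKeyAndRecoverLast")


def parse_cs_cfg(text):
    """Parse CS.cfg-style 'key=value' lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed CS.cfg line: {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def check_recovery_config(cfg, profile="userKey", state="destroyed"):
    """Return a list of findings for one recovery block; empty means it looks consistent."""
    prefix = f"op.enroll.{profile}.keyGen.encryption.recovery.{state}."
    findings = []

    scheme = cfg.get(prefix + "scheme")
    if scheme is None:
        return [f"missing {prefix}scheme"]
    if scheme not in KNOWN_SCHEMES:
        return [f"unknown scheme {scheme!r}; expected one of {sorted(KNOWN_SCHEMES)}"]

    revoke = cfg.get(prefix + "revokeCert")
    if revoke is None:
        findings.append(f"missing {prefix}revokeCert")
    elif revoke.lower() not in ("true", "false"):
        findings.append(f"{prefix}revokeCert must be true or false, got {revoke!r}")
    elif revoke.lower() == "true" and "RecoverLast" in scheme:
        # Assumed sanity rule: recovering the old key onto the new token while
        # revoking its certificate leaves a recovered cert that relying parties
        # will reject.
        findings.append(f"{scheme} recovers the old encryption cert but revokeCert=true")

    reason = cfg.get(prefix + "revokeCert.reason")
    if reason is not None and not reason.isdigit():
        findings.append(f"{prefix}revokeCert.reason must be a numeric reason code, got {reason!r}")

    return findings


def expected_token_contents(cfg, profile="userKey", state="destroyed"):
    """Certificates the re-enrolled token should carry under the configured scheme."""
    scheme = cfg[f"op.enroll.{profile}.keyGen.encryption.recovery.{state}.scheme"]
    return EXPECTED_CERTS[scheme]


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CFG), ("mis-cased", BAD_CFG)):
        cfg = parse_cs_cfg(text)
        print(label, check_recovery_config(cfg) or "OK")
    print(expected_token_contents(parse_cs_cfg(SAMPLE_CFG)))
```

The `state` parameter defaults to "destroyed" because that is the only token state the test steps configure; other recovery states use the same key layout under a different state name, so the same check can be pointed at them by passing that name.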
Comment 11 Asha Akkiangady 2010-08-10 16:42:14 EDT
Tested using Gemalto 64K smart card with CS 8.1 installed on RHEL 5 32- and 64-bit (with the fix to bug 622535) machines. When an enrolled token is destroyed, having encryption key recovery 'destroyed' scheme as 'GenerateNewKeyandRecover' and enrolling a new token loads a new encryption cert, a recovered old encryption cert from the original token, and a new signing cert on the token.

Steps followed:

1. Enroll a token with the basic list of encryption cert and signing cert.

2. Configure scheme "GenerateNewKeyandRecoverLast" for a token that has been placed in the "destroyed" state:

op.enroll.userKey.keyGen.encryption.publicKeyNumber=5
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=GenerateNewKeyandRecoverLast
3. Restart tps.

4. In tps UI mark the enrolled token as "This token has been physically damaged."

5. Enroll a new blank token for the same user.

6. The resulting token has a new encryption cert, a recovered old encryption cert from the original token, and a new signing cert.

Marking the bug verified.
