[Pki-devel] [pki-devel][PATCH] 0083-PIN_RESET-policy-is-not-giving-expected-results-when.patch
PIN_RESET policy is not giving expected results when set on a token.
Simple fix to actually honor the PIN_RESET=or policy for a given
token.
Minor logging improvements added as well for this error condition.
Ticket #2510.
From 09dba122f01881b93d32a03a51d0be37c247cb30 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Tue, 18 Oct 2016 18:58:21 -0700
Subject: [PATCH] PIN_RESET policy is not giving expected results when set on a
token.
Simple fix to actually honor the PIN_RESET=or policy for a given token.
Ticket #2510.
---
.../server/tps/processor/TPSPinResetProcessor.java | 34 --
1 file changed, 25 insertions(+), 9 deletions(-)
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
index 9d0625a..fe3f801 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
@@ -21,6 +21,7 @@ import java.io.IOException;
import org.dogtagpki.server.tps.TPSSession;
import org.dogtagpki.server.tps.TPSSubsystem;
+import org.dogtagpki.server.tps.TPSTokenPolicy;
import org.dogtagpki.server.tps.channel.SecureChannel;
import org.dogtagpki.server.tps.dbs.ActivityDatabase;
import org.dogtagpki.server.tps.dbs.TokenRecord;
@@ -98,15 +99,7 @@ public class TPSPinResetProcessor extends TPSProcessor {
TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
}
-TokenStatus status = tokenRecord.getTokenStatus();
-
-CMS.debug(method + ": Token status: " + status);
-
-if (!status.equals(TokenStatus.ACTIVE)) {
-throw new TPSException(method + " Attempt to reset pin of token not currently active!",
-TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
-
-}
+TPSTokenPolicy tokenPolicy = new TPSTokenPolicy(tps);
session.setTokenRecord(tokenRecord);
@@ -142,6 +135,29 @@ public class TPSPinResetProcessor extends TPSProcessor {
checkAndAuthenticateUser(appletInfo, tokenType);
+TokenStatus status = tokenRecord.getTokenStatus();
+
+CMS.debug(method + ": Token status: " + status);
+
+if (!status.equals(TokenStatus.ACTIVE)) {
+logMsg = method + "Can not reset the pin of a non active token.";
+auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+throw new TPSException(method + " Attempt to reset pin of token not currently active!",
+TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
+
+}
+
+boolean pinResetAllowed = tokenPolicy.isAllowedPinReset(tokenRecord.getId());
+
+CMS.debug(method + ": PinResetPolicy: Pin Reset Allowed: " + pinResetAllowed);
+logMsg = method + " PinReset Policy forbids pin reset operation.";
+if (pinResetAllowed == false) {
+auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+throw new TPSException(method + " Attempt to reset pin when token policy disallows it.!",
+TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
+
+}
+
checkAndUpgradeApplet(appletInfo);
appletInfo = getAppletInfo();
--
2.5.0
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH] 0082-Cert-Key-recovery-is-successful-when-the-cert-serial.patch
If tested to work for all cases, ACK. Christina On 10/18/2016 03:22 PM, John Magne wrote: Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches Fixes this bug #1381375. The portion this patch fixes involves URL encoding glitch we encountered when recovering keys using the "by cert" method. Also this bug addresses: Bug 1379379 - Unable to read an encrypted email using renewed tokens The URL encoding problem was affecting the proper verification of this bug. and Bug 1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued The URI encoding was also making this bug appear to fail more than it should have. There is also a minor fix to the feature that makes sure it works. This small fix is in TPSEngine.java where the constant for GenerateNewAndRecoverLast scheme is declared. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
[Pki-devel] [pki-devel][PATCH] 0082-Cert-Key-recovery-is-successful-when-the-cert-serial.patch
Cert/Key recovery is successful when the cert serial number and key id on the
ldap user mismatches
Fixes this bug #1381375.
The portion this patch fixes involves URL encoding glitch we encountered
when recovering keys using
the "by cert" method.
Also this bug addresses:
Bug 1379379 - Unable to read an encrypted email using renewed tokens
The URL encoding problem was affecting the proper verification of this bug.
and
Bug 1379749 - Automatic recovery of encryption cert is not working when a
token is physically damaged and a temporary token is issued
The URI encoding was also making this bug appear to fail more than it
should have.
There is also a minor fix to the feature that makes sure it works.
This small fix is in TPSEngine.java where the constant for
GenerateNewAndRecoverLast scheme is declared.
From a1f1e030298c38e0c08a514852a435e77d88a2b9 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Tue, 18 Oct 2016 15:08:44 -0700
Subject: [PATCH] Cert/Key recovery is successful when the cert serial number
and key id on the ldap user mismatches
Fixes this bug #1381375.
The portion this patch fixes involves URL encoding glitch we encountered when recovering keys using
the "by cert" method.
Also this bug addresses:
Bug 1379379 - Unable to read an encrypted email using renewed tokens
The URL encoding problem was affecting the proper verification of this bug.
and
Bug 1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued
The URI encoding was also making this bug appear to fail more than it should have.
There is also a minor fix to the feature that makes sure it works.
This small fix is in TPSEngine.java where the constant for GenerateNewAndRecoverLast scheme is declared.
---
.../server/tps/cms/KRARemoteRequestHandler.java| 9 ++--
.../org/dogtagpki/server/tps/engine/TPSEngine.java | 15 --
.../server/tps/processor/TPSEnrollProcessor.java | 63 --
3 files changed, 50 insertions(+), 37 deletions(-)
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java
index 80439ca..3674526 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java
@@ -23,7 +23,6 @@ import java.util.Hashtable;
import org.dogtagpki.server.connector.IRemoteRequest;
import org.dogtagpki.server.tps.TPSSubsystem;
-import org.dogtagpki.tps.main.Util;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
@@ -265,15 +264,15 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler
String sendMsg = null;
try {
if (b64cert != null) { // recover by cert
-// CMS.debug("KRARemoteRequestHandler: recoverKey(): uriEncoded cert= " + Util.uriEncode(b64cert));
+// CMS.debug("KRARemoteRequestHandler: recoverKey(): uriEncoded cert= " + b64cert);
sendMsg = IRemoteRequest.TOKEN_CUID + "=" +
cuid +
"&" + IRemoteRequest.KRA_UserId + "=" +
userid +
"&" + IRemoteRequest.KRA_RECOVERY_CERT + "=" +
-Util.uriEncode(b64cert) +
+b64cert +
"&" + IRemoteRequest.KRA_Trans_DesKey + "=" +
-Util.uriEncode(sDesKey);
+sDesKey;
} else if (keyid != BigInteger.valueOf(0)) { // recover by keyid ... keyid != BigInteger.valueOf(0)
CMS.debug("KRARemoteRequestHandler: recoverKey(): keyid = " + keyid);
sendMsg = IRemoteRequest.TOKEN_CUID + "=" +
@@ -283,7 +282,7 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler
"&" + IRemoteRequest.KRA_RECOVERY_KEYID + "=" +
keyid.toString() +
"&" + IRemoteRequest.KRA_Trans_DesKey + "=" +
-Util.uriEncode(sDesKey);
+sDesKey;
}
} catch (Exception e) {
CMS.debug("KRARemoteRequestHandler: recoverKey(): uriEncode failed: " + e);
diff --git a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
index 93edfde..319ff67 100644
--- a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
+++ b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
@@ -185,7 +185,7 @@ public class TPSEngine {
public static final String CFG_PIN_RESET_STRING = "create_pin.string";
public static final String CFG_SCHEME = "scheme";
-public static final String RECOVERY_SCHEME_GENERATE_NEW_KEY_AND_RECOVER_LAST = "GenerateNewKeyandRecoverLast";
Re: [Pki-devel] [PATCH] 844 Fixed CryptoUtil.getTokenName().
Code looks good. ACK if tested to work in both FIPS and non-FIPS, with or without HSM. Might be a future exercise to find out where the string "Internal Key Storage Token" comes from. Christina On 10/13/2016 06:57 PM, Endi Sukma Dewata wrote: The CryptoUtil.getTokenName() has been modified to check both the short name and full name of the internal token. The ConfigurationUtils.deleteCert() has also been modified to call CryptoUtil.getTokenName(). https://fedorahosted.org/pki/ticket/2500 Pushed to master under one-liner/trivial rule. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
