[Pki-devel] [pki-devel][PATCH] 0083-PIN_RESET-policy-is-not-giving-expected-results-when.patch
PIN_RESET policy is not giving expected results when set on a token. Simple fix to actually honor the PIN_RESET=or policy for a given token. Minor logging improvements added as well for this error condition. Ticket #2510. From 09dba122f01881b93d32a03a51d0be37c247cb30 Mon Sep 17 00:00:00 2001 From: Jack Magne Date: Tue, 18 Oct 2016 18:58:21 -0700 Subject: [PATCH] PIN_RESET policy is not giving expected results when set on a token. Simple fix to actually honor the PIN_RESET=or policy for a given token. Ticket #2510. --- .../server/tps/processor/TPSPinResetProcessor.java | 34 -- 1 file changed, 25 insertions(+), 9 deletions(-) diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java index 9d0625a..fe3f801 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java @@ -21,6 +21,7 @@ import java.io.IOException; import org.dogtagpki.server.tps.TPSSession; import org.dogtagpki.server.tps.TPSSubsystem; +import org.dogtagpki.server.tps.TPSTokenPolicy; import org.dogtagpki.server.tps.channel.SecureChannel; import org.dogtagpki.server.tps.dbs.ActivityDatabase; import org.dogtagpki.server.tps.dbs.TokenRecord; @@ -98,15 +99,7 @@ public class TPSPinResetProcessor extends TPSProcessor { TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU); } -TokenStatus status = tokenRecord.getTokenStatus(); - -CMS.debug(method + ": Token status: " + status); - -if (!status.equals(TokenStatus.ACTIVE)) { -throw new TPSException(method + " Attempt to reset pin of token not currently active!", -TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU); - -} +TPSTokenPolicy tokenPolicy = new TPSTokenPolicy(tps); session.setTokenRecord(tokenRecord); @@ -142,6 +135,29 @@ public class TPSPinResetProcessor extends TPSProcessor { checkAndAuthenticateUser(appletInfo, tokenType); +TokenStatus status = tokenRecord.getTokenStatus(); + +CMS.debug(method + ": Token status: " + status); + +if (!status.equals(TokenStatus.ACTIVE)) { +logMsg = method + "Can not reset the pin of a non active token."; +auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg); +throw new TPSException(method + " Attempt to reset pin of token not currently active!", +TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU); + +} + +boolean pinResetAllowed = tokenPolicy.isAllowedPinReset(tokenRecord.getId()); + +CMS.debug(method + ": PinResetPolicy: Pin Reset Allowed: " + pinResetAllowed); +logMsg = method + " PinReset Policy forbids pin reset operation."; +if (pinResetAllowed == false) { +auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg); +throw new TPSException(method + " Attempt to reset pin when token policy disallows it.!", +TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU); + +} + checkAndUpgradeApplet(appletInfo); appletInfo = getAppletInfo(); -- 2.5.0 ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH] 0082-Cert-Key-recovery-is-successful-when-the-cert-serial.patch
If tested to work for all cases, ACK. Christina On 10/18/2016 03:22 PM, John Magne wrote: Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches Fixes this bug #1381375. The portion this patch fixes involves URL encoding glitch we encountered when recovering keys using the "by cert" method. Also this bug addresses: Bug 1379379 - Unable to read an encrypted email using renewed tokens The URL encoding problem was affecting the proper verification of this bug. and Bug 1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued The URI encoding was also making this bug appear to fail more than it should have. There is also a minor fix to the feature that makes sure it works. This small fix is in TPSEngine.java where the constant for GenerateNewAndRecoverLast scheme is declared. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
[Pki-devel] [pki-devel][PATCH] 0082-Cert-Key-recovery-is-successful-when-the-cert-serial.patch
Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches Fixes this bug #1381375. The portion this patch fixes involves URL encoding glitch we encountered when recovering keys using the "by cert" method. Also this bug addresses: Bug 1379379 - Unable to read an encrypted email using renewed tokens The URL encoding problem was affecting the proper verification of this bug. and Bug 1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued The URI encoding was also making this bug appear to fail more than it should have. There is also a minor fix to the feature that makes sure it works. This small fix is in TPSEngine.java where the constant for GenerateNewAndRecoverLast scheme is declared. From a1f1e030298c38e0c08a514852a435e77d88a2b9 Mon Sep 17 00:00:00 2001 From: Jack Magne Date: Tue, 18 Oct 2016 15:08:44 -0700 Subject: [PATCH] Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches Fixes this bug #1381375. The portion this patch fixes involves URL encoding glitch we encountered when recovering keys using the "by cert" method. Also this bug addresses: Bug 1379379 - Unable to read an encrypted email using renewed tokens The URL encoding problem was affecting the proper verification of this bug. and Bug 1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued The URI encoding was also making this bug appear to fail more than it should have. There is also a minor fix to the feature that makes sure it works. This small fix is in TPSEngine.java where the constant for GenerateNewAndRecoverLast scheme is declared. --- .../server/tps/cms/KRARemoteRequestHandler.java| 9 ++-- .../org/dogtagpki/server/tps/engine/TPSEngine.java | 15 -- .../server/tps/processor/TPSEnrollProcessor.java | 63 -- 3 files changed, 50 insertions(+), 37 deletions(-) diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java index 80439ca..3674526 100644 --- a/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java +++ b/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java @@ -23,7 +23,6 @@ import java.util.Hashtable; import org.dogtagpki.server.connector.IRemoteRequest; import org.dogtagpki.server.tps.TPSSubsystem; -import org.dogtagpki.tps.main.Util; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; @@ -265,15 +264,15 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler String sendMsg = null; try { if (b64cert != null) { // recover by cert -// CMS.debug("KRARemoteRequestHandler: recoverKey(): uriEncoded cert= " + Util.uriEncode(b64cert)); +// CMS.debug("KRARemoteRequestHandler: recoverKey(): uriEncoded cert= " + b64cert); sendMsg = IRemoteRequest.TOKEN_CUID + "=" + cuid + "&" + IRemoteRequest.KRA_UserId + "=" + userid + "&" + IRemoteRequest.KRA_RECOVERY_CERT + "=" + -Util.uriEncode(b64cert) + +b64cert + "&" + IRemoteRequest.KRA_Trans_DesKey + "=" + -Util.uriEncode(sDesKey); +sDesKey; } else if (keyid != BigInteger.valueOf(0)) { // recover by keyid ... keyid != BigInteger.valueOf(0) CMS.debug("KRARemoteRequestHandler: recoverKey(): keyid = " + keyid); sendMsg = IRemoteRequest.TOKEN_CUID + "=" + @@ -283,7 +282,7 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler "&" + IRemoteRequest.KRA_RECOVERY_KEYID + "=" + keyid.toString() + "&" + IRemoteRequest.KRA_Trans_DesKey + "=" + -Util.uriEncode(sDesKey); +sDesKey; } } catch (Exception e) { CMS.debug("KRARemoteRequestHandler: recoverKey(): uriEncode failed: " + e); diff --git a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java index 93edfde..319ff67 100644 --- a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java +++ b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java @@ -185,7 +185,7 @@ public class TPSEngine { public static final String CFG_PIN_RESET_STRING = "create_pin.string"; public static final String CFG_SCHEME = "scheme"; -public static final String RECOVERY_SCHEME_GENERATE_NEW_KEY_AND_RECOVER_LAST = "GenerateNewKeyandRecoverLast";
Re: [Pki-devel] [PATCH] 844 Fixed CryptoUtil.getTokenName().
Code looks good. ACK if tested to work in both FIPS and non-FIPS, with or without HSM. Might be a future exercise to find out where the string "Internal Key Storage Token" comes from. Christina On 10/13/2016 06:57 PM, Endi Sukma Dewata wrote: The CryptoUtil.getTokenName() has been modified to check both the short name and full name of the internal token. The ConfigurationUtils.deleteCert() has also been modified to call CryptoUtil.getTokenName(). https://fedorahosted.org/pki/ticket/2500 Pushed to master under one-liner/trivial rule. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel