From 8fd3bae32bb540a850b64479c56d60f5557bc100 Mon Sep 17 00:00:00 2001

From: Jack Magne <jmagne@redhat.com>

Date: Wed, 7 Feb 2018 14:05:13 -0800

Subject: [PATCH 1/2] Fix Bug 1542210 - pki console configurations that

 involves ldap passwords leave the plain text password in debug logs

Simple sensitive data debug log prevention here.

Change-Id: Ic409aaf7e392403c6a4c5afb255a421e1d351c46

(cherry picked from commit ff70df12dd7fc4f801b281233f64bca3c674173b)

(cherry picked from commit e86691f5a5aba9c2d783ccddf79eb7226c36672c)

---

 .../cms/src/com/netscape/cms/servlet/admin/AdminServlet.java       | 7 ++++---

 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java

index d983e6c..769e8e4 100644

--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java

+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java

@@ -216,12 +216,13 @@ public class AdminServlet extends HttpServlet {

                     pn.equalsIgnoreCase("pin") ||

                     pn.equalsIgnoreCase("pwd") ||

                     pn.equalsIgnoreCase("pwdagain") ||

-                    pn.equalsIgnoreCase("uPasswd")) {

+                    pn.equalsIgnoreCase("uPasswd") ||

+                    pn.equalsIgnoreCase("PASSWORD_CACHE_ADD")) {

                 CMS.debug("AdminServlet::service() param name='" + pn +

-                         "' value='(sensitive)'");

+                        "' value='(sensitive)'");

             } else {

                 CMS.debug("AdminServlet::service() param name='" + pn +

-                         "' value='" + httpReq.getParameter(pn) + "'");

+                        "' value='" + httpReq.getParameter(pn) + "'");

             }

         }

     }

-- 

1.8.3.1

From 511001c4aaa8e48de3932b4508846729b2e4ab6b Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Thu, 8 Feb 2018 15:06:53 +1100

Subject: [PATCH 2/2] Fix lightweight CA key replication

The resolution for issue https://pagure.io/dogtagpki/issue/2654

caused a regression in lightweight CA key replication.  When the

authorityMonitor encounters a CA whose keys are not present,

signingUnit initialisation fails (as expected).  The signing info

event logging behaviour introduced in commit

4551eb1ce6b14e4a37f9c70b3bfd6c9050e13f10 then results in a

NullPointerException, crashing the authorityMonitor thread.

Fix the issue by extracting the signing info event logging behaviour

to a separate method, and invoke that method as the final step of

signingUnit initialisation.

Fixes: https://pagure.io/dogtagpki/issue/2929

Change-Id: Ic6663c09c30754f4fb914dcaf0bc2d902aa91473

(cherry picked from commit 2251f78c22b2e3b23450cdb274207893932cbd0b)

---

 base/ca/src/com/netscape/ca/CertificateAuthority.java | 5 +++++

 1 file changed, 5 insertions(+)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java

index e5d21eb..9aaa9cb 100644

--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java

+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java

@@ -662,7 +662,10 @@ public class CertificateAuthority

             }

             throw e;

         }

+    }

+    private void generateSigningInfoAuditEvents()

+            throws EBaseException {

         try {

             if (isHostAuthority()) {

@@ -1852,6 +1855,8 @@ public class CertificateAuthority

             throw new ECAException(

                     CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString()));

         }

+

+        generateSigningInfoAuditEvents();

     }

     /**

-- 

1.8.3.1