From f5ffc69f79e4e0f4989094561ab0fd5ff5536d14 Mon Sep 17 00:00:00 2001

From: Christina Fu <cfu@redhat.com>

Date: Thu, 12 Jul 2018 10:24:33 -0700

Subject: [PATCH 1/2] Bugzilla 1548203 LDAP password from console update in

 audit

This patch replace ldap passwords with "(sensitive)" in audit log.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1548203

Change-Id: I6271ec1da4164f731dd3a61534b0e511097a845a

(cherry picked from commit cf9c23a842000755d872202777b0a280bda7f1a1)

---

 .../server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java | 6 +++++-

 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java

index 769e8e4..2b8cec7 100644

--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java

+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java

@@ -991,7 +991,11 @@ public class AdminServlet extends HttpServlet {

             if (name.equals(Constants.OP_TYPE)) continue;

             if (name.equals(Constants.RS_ID)) continue;

-            String value = req.getParameter(name);

+            String value = null;

+            if (name.equalsIgnoreCase("PASSWORD_CACHE_ADD"))

+                value = "(sensitive)";

+            else

+                value = req.getParameter(name);

             params.put(name, value);

         }

-- 

1.8.3.1

From 46e808e86bb393848cca6434cc06c79a14611fa9 Mon Sep 17 00:00:00 2001

From: Jack Magne <jmagne@redhat.com>

Date: Mon, 15 Jan 2018 13:59:33 -0800

Subject: [PATCH 2/2] Test fix for TPS server side key gen for only identity

 cert problem.

Change-Id: I15fc1b8a3fa92568aca853f0e89b9e87bbad463d

(cherry picked from commit c87d7820f7b1af97134197a23543e9fc4be1aa39)

(cherry picked from commit c1314749b7b3a2a6647aadd6945186833e539da8)

---

 .../server/tps/cms/TKSRemoteRequestHandler.java    | 26 +++++++++++++++++-----

 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java

index 65d0ed0..8155f90 100644

--- a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java

+++ b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java

@@ -103,7 +103,8 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler

             String tokenType)

             throws EBaseException {

-        CMS.debug("TKSRemoteRequestHandler: computeSessionKey(): begins.");

+        String method = "TKSRemoteRequestHandler: computeSessionKey(): ";

+        CMS.debug(method + " begins.");

         if (cuid == null || kdd == null || keyInfo == null || card_challenge == null

                 || card_cryptogram == null || host_challenge == null) {

             throw new EBaseException("TKSRemoteRequestHandler: computeSessionKey(): input parameter null.");

@@ -111,10 +112,25 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler

         IConfigStore conf = CMS.getConfigStore();

-        boolean serverKeygen =

-                conf.getBoolean("op.enroll." +

-                        tokenType + ".keyGen.encryption.serverKeygen.enable",

-                        false);

+        boolean serverKeygen = false;

+

+        //Try out all the currently supported cert types to see if we are doing server side keygen here

+        String[] keygenStrings = { "identity", "signing", "encryption", "authentication", "auth"};

+        for (String keygenString : keygenStrings) {

+            boolean enabled = conf.getBoolean("op.enroll." +

+                    tokenType + ".keyGen." +

+                    keygenString + ".serverKeygen.enable", false);

+

+            CMS.debug(method + " serverkegGen enabled for " + keygenString + " : " + enabled);

+            if (enabled) {

+                serverKeygen = true;

+                break;

+            }

+        }

+

+

+

+

         if (keySet == null)

             keySet = conf.getString("tps.connector." + connid + ".keySet", "defKeySet");

-- 

1.8.3.1