Blame SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-2.patch

e0d192
From 6bd383b5f142c4f2795bb3bfb2db167981622a9d Mon Sep 17 00:00:00 2001
e0d192
From: jmagne <jmagne@redhat.com>
e0d192
Date: Wed, 30 Sep 2020 13:35:25 -0400
e0d192
Subject: [PATCH 1/6] Resolve: Bug 1710978 - TPS - Add logging to
e0d192
 tdbAddCertificatesForCUID if adding or searching for cert record fails (#559)
e0d192
e0d192
Submitted by RHCS-maint.
e0d192
e0d192
    This fix provides better logging when the update to the token db sufferes a partial or complete failure.
e0d192
e0d192
    Due to the unlikelyness of this happening in practice, this fix provides a simple config based way to simulate
e0d192
    the issue, such that the log activity can be easily observed just as if had happened during an actual failure.
e0d192
e0d192
    Set the following in the TPS's CS.cfg:
e0d192
e0d192
    op.enroll.testAddCertsToDBFailure=true.
e0d192
e0d192
    The setting is false by default.
e0d192
e0d192
Co-authored-by: Jack Magne <jmagne@test.host.com>
e0d192
(cherry picked from commit d7f2b72dd4fe9cd21de70fb8ce1806f66aec3624)
e0d192
---
e0d192
 .../src/org/dogtagpki/server/tps/TPSTokendb.java   | 76 ++++++++++++++++++----
e0d192
 .../server/tps/processor/TPSEnrollProcessor.java   | 14 +++-
e0d192
 2 files changed, 75 insertions(+), 15 deletions(-)
e0d192
e0d192
diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
e0d192
index 446fa3f..7434502 100644
e0d192
--- a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
e0d192
+++ b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
e0d192
@@ -241,25 +241,75 @@ public class TPSTokendb {
e0d192
 
e0d192
         CMS.debug(method + " found token " + cuid);
e0d192
         CMS.debug(method + " number of certs to update:" + certs.size());
e0d192
+
e0d192
+         // Keep track of which certs made it to the database and which didn't,
e0d192
+         // in case of failure
e0d192
+         class CnIssuerPair {
e0d192
+             public final String cn;
e0d192
+             public final String issuer;
e0d192
+
e0d192
+             public CnIssuerPair(String _cn, String _issuer) {
e0d192
+                 cn = _cn;
e0d192
+                 issuer = _issuer;
e0d192
+             }
e0d192
+ 
e0d192
+             public String toString() {
e0d192
+                 return "(cn=" + cn + ", issuerCn=" + issuer + ")";
e0d192
+             }
e0d192
+         }
e0d192
+ 
e0d192
+         ArrayList<CnIssuerPair> cnIssuerPairsRemaining = new ArrayList<CnIssuerPair>(certs.size());
e0d192
+         for(TPSCertRecord cert : certs) {
e0d192
+             String cn = cert.getId();
e0d192
+             String issuerCn = cert.getIssuedBy();
e0d192
+             cnIssuerPairsRemaining.add(new CnIssuerPair(cn, issuerCn));
e0d192
+         }
e0d192
+
e0d192
+        boolean testAddCertsFailure = false;
e0d192
+        //Contrive a very difficult to reproduce testing scenario
e0d192
+
e0d192
         try {
e0d192
+            IConfigStore configStore = CMS.getConfigStore();
e0d192
+
e0d192
+            // get conn ID
e0d192
+            String config = "op.enroll." + "testAddCertsToDBFailure";
e0d192
+            testAddCertsFailure = configStore.getBoolean(config,false);
e0d192
+        } catch (Exception e) {
e0d192
+           testAddCertsFailure = false;
e0d192
+        }
e0d192
+        
e0d192
+        try {
e0d192
+            int count = 0;
e0d192
             for (TPSCertRecord cert : certs) {
e0d192
-                try {
e0d192
-                    if (!isCertOnToken(cert, cuid)) {
e0d192
-                        CMS.debug(method + " adding cert with serial: " + cert.getSerialNumber());
e0d192
-                        tps.certDatabase.addRecord(cert.getId(), cert);
e0d192
-                    } else {
e0d192
-                        // cert already on token
e0d192
-                        CMS.debug(method + "retain and skip adding with serial:" + cert.getSerialNumber());
e0d192
-                    }
e0d192
-                } catch (Exception e) {
e0d192
-                    CMS.debug(method + "Exception after isCertOnToken call"+ e.toString());
e0d192
-                    // ignore; go to next;
e0d192
+                if (!isCertOnToken(cert, cuid)) {
e0d192
+                    CMS.debug(method + " adding cert with serial: " + cert.getSerialNumber());
e0d192
+                    // After at least one cert is added correctly, perform the test of a failure
e0d192
+                    // if so configured.
e0d192
+                   
e0d192
+                    if(count > 0 && testAddCertsFailure == true) {
e0d192
+                        throw new Exception(method + ": " + "Failed to add certificate to token db, as part of a test of failure condition.");
e0d192
+                    }   
e0d192
+                    tps.certDatabase.addRecord(cert.getId(), cert);
e0d192
+                } else {
e0d192
+                    // cert already on token
e0d192
+                    CMS.debug(method + "retain and skip adding with serial:" + cert.getSerialNumber());
e0d192
                 }
e0d192
+                
e0d192
+                // Successfully added cert or verified it was already there, so remove
e0d192
+                // it from the 'remaining' list
e0d192
+                cnIssuerPairsRemaining.removeIf(p -> (p.cn == cert.getId() && p.issuer == cert.getIssuedBy()));
e0d192
+                count ++ ;
e0d192
             }
e0d192
         } catch (Exception e) {
e0d192
             CMS.debug(method + e);
e0d192
-            // TODO: what if it throws in the middle of the cert list -- some cert records already updated?
e0d192
-            throw new TPSException(e.getMessage());
e0d192
+
e0d192
+             String subjectDn = certs.get(0).getSubject();
e0d192
+             String logMsg = method +  ": " +  "Failed to add or verify the following certs for [" + subjectDn + "] in the Certificate DB: ";
e0d192
+             for(CnIssuerPair pair : cnIssuerPairsRemaining) {
e0d192
+                 logMsg += pair + "; ";
e0d192
+             }
e0d192
+
e0d192
+             throw new TPSException(logMsg);
e0d192
         }
e0d192
     }
e0d192
 
e0d192
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
e0d192
index f1e773a..5175344 100644
e0d192
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
e0d192
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
e0d192
@@ -618,8 +618,18 @@ public class TPSEnrollProcessor extends TPSProcessor {
e0d192
         ArrayList<TPSCertRecord> certRecords = certsInfo.toTPSCertRecords(tokenRecord.getId(), tokenRecord.getUserID());
e0d192
 
e0d192
         CMS.debug(method + " adding certs to token with tdbAddCertificatesForCUID...");
e0d192
-        tps.tdb.tdbAddCertificatesForCUID(tokenRecord.getId(), certRecords);
e0d192
-        CMS.debug(method + " tokendb updated with certs to the cuid so that it reflects what's on the token");
e0d192
+        try {
e0d192
+            tps.tdb.tdbAddCertificatesForCUID(tokenRecord.getId(), certRecords);
e0d192
+            CMS.debug(method + " tokendb updated with certs to the cuid so that it reflects what's on the token");
e0d192
+        } catch(TPSException e) {
e0d192
+            CMS.debug(method + " Exception occurred in tdbAddCertificatesForCUID: " + e.getMessage());
e0d192
+            try {
e0d192
+                auditEnrollment(userid, "enrollment", appletInfo, "failure", channel.getKeyInfoData().toHexStringPlain(), null, null, e.getMessage());
e0d192
+                tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), e.getMessage(), "failure");
e0d192
+            } catch(Exception f) {
e0d192
+                CMS.debug(method + " Failed to log previous exception: " + f);
e0d192
+            }
e0d192
+        }
e0d192
 
e0d192
         String finalAppletVersion = appletInfo.getFinalAppletVersion();
e0d192
         if(finalAppletVersion == null)
e0d192
-- 
e0d192
1.8.3.1
e0d192
e0d192
e0d192
From dfaecd2ce22313a0144939f5009cb0096511fceb Mon Sep 17 00:00:00 2001
e0d192
From: jmagne <jmagne@redhat.com>
e0d192
Date: Wed, 30 Sep 2020 13:39:27 -0400
e0d192
Subject: [PATCH 2/6] Resolve: Bug 1858860 - TPS - Update Error Codes returned
e0d192
 to client (CIW/ESC) to Match CS8. (#564)
e0d192
e0d192
This is simply the addition to one very simple patch to the pin reset procedure, that provides
e0d192
the proper error code back to the client in 2 very unlikely error scenarios.
e0d192
e0d192
RHCS-maint.
e0d192
e0d192
Co-authored-by: Jack Magne <jmagne@test.host.com>
e0d192
(cherry picked from commit 3c58273ddb5567b86f7aad664f2af5e6560f3928)
e0d192
---
e0d192
 .../src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java  | 4 ++--
e0d192
 1 file changed, 2 insertions(+), 2 deletions(-)
e0d192
e0d192
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
e0d192
index de5c634..7d3a7cd 100644
e0d192
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
e0d192
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
e0d192
@@ -50,7 +50,7 @@ public class TPSPinResetProcessor extends TPSProcessor {
e0d192
     @Override
e0d192
     public void process(BeginOpMsg beginMsg) throws TPSException, IOException {
e0d192
         if (beginMsg == null) {
e0d192
-            throw new TPSException("TPSPinResetProcessor.process: invalid input data, not beginMsg provided.",
e0d192
+            throw new TPSException("TPSPinResetProcessor.process: invalid input data, no beginMsg provided.",
e0d192
                     TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
e0d192
         }
e0d192
         setBeginMessage(beginMsg);
e0d192
@@ -306,7 +306,7 @@ public class TPSPinResetProcessor extends TPSProcessor {
e0d192
             logMsg = logMsg + ":" + e.toString();
e0d192
             tps.tdb.tdbActivity(ActivityDatabase.OP_PIN_RESET, tokenRecord, session.getIpAddress(), logMsg,
e0d192
                     "failure");
e0d192
-            throw new TPSException(logMsg);
e0d192
+            throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_UPDATE_TOKENDB_FAILED);
e0d192
         }
e0d192
 
e0d192
         CMS.debug(method + ": Token Pin successfully reset!");
e0d192
-- 
e0d192
1.8.3.1
e0d192
e0d192
e0d192
From 6dc155765b9752c9b1e89d442c53b464756df325 Mon Sep 17 00:00:00 2001
e0d192
From: Christina Fu <cfu@redhat.com>
e0d192
Date: Tue, 8 Sep 2020 17:18:49 -0400
e0d192
Subject: [PATCH 3/6] Bug1858861 TPS - Server side key generation is not
e0d192
 working for Identity only tokens Missing some commits
e0d192
e0d192
  This patch relates to Bug 1494591, where the fix was missing a patch.
e0d192
e0d192
  It makes it so that as long as one keyType has serverKeyGen enabled then
e0d192
  all key tyes under the same tps profile are considered server-side
e0d192
  keygen.
e0d192
e0d192
  Code submittd by RHCS-MAINT
e0d192
e0d192
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1858861
e0d192
e0d192
(cherry picked from commit 103a03062c235cc3e51f98e721ca6d72eb1f5a9d)
e0d192
---
e0d192
 .../server/tps/cms/TKSRemoteRequestHandler.java    | 50 ++++++++++++++++------
e0d192
 1 file changed, 38 insertions(+), 12 deletions(-)
e0d192
e0d192
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
e0d192
index 8155f90..770819d 100644
e0d192
--- a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
e0d192
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
e0d192
@@ -127,9 +127,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
e0d192
                 break;
e0d192
             }
e0d192
         }
e0d192
-
e0d192
-
e0d192
-
e0d192
+        CMS.debug(method + " final serverkegGen enabled? " + serverKeygen);
e0d192
 
e0d192
         if (keySet == null)
e0d192
             keySet = conf.getString("tps.connector." + connid + ".keySet", "defKeySet");
e0d192
@@ -264,10 +262,23 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
e0d192
 
e0d192
         IConfigStore conf = CMS.getConfigStore();
e0d192
 
e0d192
-        boolean serverKeygen =
e0d192
-                conf.getBoolean("op.enroll." +
e0d192
-                        tokenType + ".keyGen.encryption.serverKeygen.enable",
e0d192
-                        false);
e0d192
+        boolean serverKeygen = false;
e0d192
+
e0d192
+        //Try out all the currently supported cert types to see if we are doing server side keygen here
e0d192
+        String[] keygenStrings = { "identity", "signing", "encryption", "authentication", "auth"};
e0d192
+        for (String keygenString : keygenStrings) {
e0d192
+            boolean enabled = conf.getBoolean("op.enroll." +
e0d192
+                    tokenType + ".keyGen." +
e0d192
+                    keygenString + ".serverKeygen.enable", false);
e0d192
+
e0d192
+            CMS.debug(method + " serverkegGen enabled for " + keygenString + " : " + enabled);
e0d192
+            if (enabled) {
e0d192
+                serverKeygen = true;
e0d192
+                break;
e0d192
+            }
e0d192
+        }
e0d192
+        CMS.debug(method + " final serverkegGen enabled? " + serverKeygen);
e0d192
+
e0d192
         if (keySet == null)
e0d192
             keySet = conf.getString("tps.connector." + connid + ".keySet", "defKeySet");
e0d192
 
e0d192
@@ -427,7 +438,9 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
e0d192
             String tokenType)
e0d192
             throws EBaseException {
e0d192
 
e0d192
-        CMS.debug("TKSRemoteRequestHandler: computeSessionKeySCP02(): begins.");
e0d192
+        String method = "TKSRemoteRequestHandler: computeSessionKeysSCP02(): ";
e0d192
+
e0d192
+        CMS.debug(method + " begins.");
e0d192
         if (cuid == null || kdd == null || keyInfo == null ||
e0d192
                 sequenceCounter == null
e0d192
                 || derivationConstant == null) {
e0d192
@@ -436,10 +449,23 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
e0d192
 
e0d192
         IConfigStore conf = CMS.getConfigStore();
e0d192
 
e0d192
-        boolean serverKeygen =
e0d192
-                conf.getBoolean("op.enroll." +
e0d192
-                        tokenType + ".keyGen.encryption.serverKeygen.enable",
e0d192
-                        false);
e0d192
+        boolean serverKeygen = false;
e0d192
+
e0d192
+        //Try out all the currently supported cert types to see if we are doing server side keygen here
e0d192
+        String[] keygenStrings = { "identity", "signing", "encryption", "authentication", "auth"};
e0d192
+        for (String keygenString : keygenStrings) {
e0d192
+            boolean enabled = conf.getBoolean("op.enroll." +
e0d192
+                    tokenType + ".keyGen." +
e0d192
+                    keygenString + ".serverKeygen.enable", false);
e0d192
+
e0d192
+            CMS.debug(method + " serverkegGen enabled for " + keygenString + " : " + enabled);
e0d192
+            if (enabled) {
e0d192
+                serverKeygen = true;
e0d192
+                break;
e0d192
+            }
e0d192
+        }
e0d192
+        CMS.debug(method + " final serverkegGen enabled? " + serverKeygen);
e0d192
+
e0d192
         if (keySet == null)
e0d192
             keySet = conf.getString("tps.connector." + connid + ".keySet", "defKeySet");
e0d192
 
e0d192
-- 
e0d192
1.8.3.1
e0d192
e0d192
e0d192
From 9627046fe5d38c447c85ec3a1be75ab86dbdaaac Mon Sep 17 00:00:00 2001
e0d192
From: Christina Fu <cfu@redhat.com>
e0d192
Date: Tue, 13 Oct 2020 16:19:06 -0700
e0d192
Subject: [PATCH 4/6] Bug1883639-add profile caAuditSigningCert
e0d192
e0d192
  Existing profiiles caStorageCert.cfg and caTransportCert.cfg
e0d192
  should be used for KRA.
e0d192
  a caAuditSigningCert profile is added, although I find
e0d192
  a misleading profile named caSignedLogCert.cfg  that was intended for
e0d192
  the use.  I disabled caSignedLogCert.cfg instead.
e0d192
e0d192
  I also removed the SHA1 algorithms from all the *storage* and *audit*
e0d192
  profiles while I'm at it.
e0d192
e0d192
  The upgrade scripts only adds the new profile caAuditSigningCert.  It
e0d192
  does not modify existing profiles or remove those two IPA specific
e0d192
  ones.
e0d192
e0d192
  fixes https://bugzilla.redhat.com/show_bug.cgi?id=1883639
e0d192
e0d192
(cherry picked from commit 73efcea0c74eb4882c003a7fe6cef21fa7627363)
e0d192
---
e0d192
 base/ca/shared/conf/CS.cfg                         |  4 +-
e0d192
 base/ca/shared/profiles/ca/caAuditSigningCert.cfg  | 80 ++++++++++++++++++++++
e0d192
 .../profiles/ca/caInternalAuthAuditSigningCert.cfg |  2 +-
e0d192
 .../profiles/ca/caInternalAuthDRMstorageCert.cfg   |  2 +-
e0d192
 .../profiles/ca/caInternalAuthTransportCert.cfg    |  2 +-
e0d192
 base/ca/shared/profiles/ca/caSignedLogCert.cfg     |  4 +-
e0d192
 base/ca/shared/profiles/ca/caStorageCert.cfg       |  2 +-
e0d192
 base/ca/shared/profiles/ca/caTransportCert.cfg     |  2 +-
e0d192
 .../10.5.17/02-AddProfileCaAuditSigningCert        | 52 ++++++++++++++
e0d192
 9 files changed, 142 insertions(+), 8 deletions(-)
e0d192
 create mode 100644 base/ca/shared/profiles/ca/caAuditSigningCert.cfg
e0d192
 create mode 100644 base/server/upgrade/10.5.17/02-AddProfileCaAuditSigningCert
e0d192
e0d192
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
e0d192
index 2c50831..1eb8881 100644
e0d192
--- a/base/ca/shared/conf/CS.cfg
e0d192
+++ b/base/ca/shared/conf/CS.cfg
e0d192
@@ -976,7 +976,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
e0d192
 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
e0d192
 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
e0d192
 os.userid=nobody
e0d192
-profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caServerKeygen_UserCert,caServerKeygen_DirUserCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
e0d192
+profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caServerKeygen_UserCert,caServerKeygen_DirUserCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caAuditSigningCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
e0d192
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
e0d192
 profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
e0d192
 profile.caManualRenewal.class_id=caEnrollImpl
e0d192
@@ -1087,6 +1087,8 @@ profile.caECServerCert.class_id=caEnrollImpl
e0d192
 profile.caECServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECServerCert.cfg
e0d192
 profile.caSignedLogCert.class_id=caEnrollImpl
e0d192
 profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSignedLogCert.cfg
e0d192
+profile.caAuditSigningCert.class_id=caEnrollImpl
e0d192
+profile.caAuditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAuditSigningCert.cfg
e0d192
 profile.caSigningUserCert.class_id=caEnrollImpl
e0d192
 profile.caSigningUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningUserCert.cfg
e0d192
 profile.caSimpleCMCUserCert.class_id=caEnrollImpl
e0d192
diff --git a/base/ca/shared/profiles/ca/caAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caAuditSigningCert.cfg
e0d192
new file mode 100644
e0d192
index 0000000..68dfcad
e0d192
--- /dev/null
e0d192
+++ b/base/ca/shared/profiles/ca/caAuditSigningCert.cfg
e0d192
@@ -0,0 +1,80 @@
e0d192
+desc=This certificate profile is for enrolling audit signing certificates.
e0d192
+visible=true
e0d192
+enable=true
e0d192
+enableBy=admin
e0d192
+auth.instance_id=
e0d192
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
e0d192
+name=Manual Audit Signing Certificate Enrollment
e0d192
+input.list=i1,i2
e0d192
+input.i1.class_id=certReqInputImpl
e0d192
+input.i2.class_id=submitterInfoInputImpl
e0d192
+output.list=o1
e0d192
+output.o1.class_id=certOutputImpl
e0d192
+policyset.list=auditSigningCertSet
e0d192
+policyset.auditSigningCertSet.list=1,2,3,4,5,6,9
e0d192
+policyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl
e0d192
+policyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint
e0d192
+policyset.auditSigningCertSet.1.constraint.params.pattern=CN=.*
e0d192
+policyset.auditSigningCertSet.1.constraint.params.accept=true
e0d192
+policyset.auditSigningCertSet.1.default.class_id=userSubjectNameDefaultImpl
e0d192
+policyset.auditSigningCertSet.1.default.name=Subject Name Default
e0d192
+policyset.auditSigningCertSet.1.default.params.name=
e0d192
+policyset.auditSigningCertSet.2.constraint.class_id=validityConstraintImpl
e0d192
+policyset.auditSigningCertSet.2.constraint.name=Validity Constraint
e0d192
+policyset.auditSigningCertSet.2.constraint.params.range=720
e0d192
+policyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false
e0d192
+policyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false
e0d192
+policyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl
e0d192
+policyset.auditSigningCertSet.2.default.name=Validity Default
e0d192
+policyset.auditSigningCertSet.2.default.params.range=720
e0d192
+policyset.auditSigningCertSet.2.default.params.startTime=0
e0d192
+policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
e0d192
+policyset.auditSigningCertSet.3.constraint.name=Key Constraint
e0d192
+policyset.auditSigningCertSet.3.constraint.params.keyType=-
e0d192
+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
e0d192
+policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
e0d192
+policyset.auditSigningCertSet.3.default.name=Key Default
e0d192
+policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
e0d192
+policyset.auditSigningCertSet.4.constraint.name=No Constraint
e0d192
+policyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
e0d192
+policyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default
e0d192
+policyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl
e0d192
+policyset.auditSigningCertSet.5.constraint.name=No Constraint
e0d192
+policyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
e0d192
+policyset.auditSigningCertSet.5.default.name=AIA Extension Default
e0d192
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true
e0d192
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
e0d192
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0=
e0d192
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
e0d192
+policyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false
e0d192
+policyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1
e0d192
+policyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
e0d192
+policyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint
e0d192
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true
e0d192
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true
e0d192
+policyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true
e0d192
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false
e0d192
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false
e0d192
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false
e0d192
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false
e0d192
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false
e0d192
+policyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false
e0d192
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false
e0d192
+policyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl
e0d192
+policyset.auditSigningCertSet.6.default.name=Key Usage Default
e0d192
+policyset.auditSigningCertSet.6.default.params.keyUsageCritical=true
e0d192
+policyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true
e0d192
+policyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true
e0d192
+policyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false
e0d192
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false
e0d192
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false
e0d192
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false
e0d192
+policyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false
e0d192
+policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
e0d192
+policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
e0d192
+policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
e0d192
+policyset.auditSigningCertSet.9.constraint.name=No Constraint
e0d192
+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
e0d192
+policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
e0d192
+policyset.auditSigningCertSet.9.default.name=Signing Alg
e0d192
+policyset.auditSigningCertSet.9.default.params.signingAlg=-
e0d192
diff --git a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
e0d192
index 55cfd8c..86f288e 100644
e0d192
--- a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
e0d192
+++ b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
e0d192
@@ -74,7 +74,7 @@ policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
e0d192
 policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
e0d192
 policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
e0d192
 policyset.auditSigningCertSet.9.constraint.name=No Constraint
e0d192
-policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
e0d192
+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
e0d192
 policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
e0d192
 policyset.auditSigningCertSet.9.default.name=Signing Alg
e0d192
 policyset.auditSigningCertSet.9.default.params.signingAlg=-
e0d192
diff --git a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
e0d192
index ae9593e..23a0850 100644
e0d192
--- a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
e0d192
+++ b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
e0d192
@@ -80,7 +80,7 @@ policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
e0d192
 policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
e0d192
 policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
e0d192
 policyset.drmStorageCertSet.9.constraint.name=No Constraint
e0d192
-policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
e0d192
+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
e0d192
 policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
e0d192
 policyset.drmStorageCertSet.9.default.name=Signing Alg
e0d192
 policyset.drmStorageCertSet.9.default.params.signingAlg=-
e0d192
diff --git a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
e0d192
index 359881e..cbeb0eb 100644
e0d192
--- a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
e0d192
+++ b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
e0d192
@@ -80,7 +80,7 @@ policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
e0d192
 policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
e0d192
 policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
e0d192
 policyset.transportCertSet.8.constraint.name=No Constraint
e0d192
-policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
e0d192
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
e0d192
 policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
e0d192
 policyset.transportCertSet.8.default.name=Signing Alg
e0d192
 policyset.transportCertSet.8.default.params.signingAlg=-
e0d192
diff --git a/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
e0d192
index ddd3d1a..01e21f1 100644
e0d192
--- a/base/ca/shared/profiles/ca/caSignedLogCert.cfg
e0d192
+++ b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
e0d192
@@ -1,6 +1,6 @@
e0d192
 desc=This profile is for enrolling audit log signing certificates
e0d192
-visible=true
e0d192
-enable=true
e0d192
+visible=false
e0d192
+enable=false
e0d192
 enableBy=admin
e0d192
 auth.class_id=
e0d192
 name=Manual Audit Log Signing Certificate Enrollment
e0d192
diff --git a/base/ca/shared/profiles/ca/caStorageCert.cfg b/base/ca/shared/profiles/ca/caStorageCert.cfg
e0d192
index abb9715..0791b79 100644
e0d192
--- a/base/ca/shared/profiles/ca/caStorageCert.cfg
e0d192
+++ b/base/ca/shared/profiles/ca/caStorageCert.cfg
e0d192
@@ -73,7 +73,7 @@ policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
e0d192
 policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
e0d192
 policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
e0d192
 policyset.drmStorageCertSet.9.constraint.name=No Constraint
e0d192
-policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
e0d192
+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
e0d192
 policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
e0d192
 policyset.drmStorageCertSet.9.default.name=Signing Alg
e0d192
 policyset.drmStorageCertSet.9.default.params.signingAlg=-
e0d192
diff --git a/base/ca/shared/profiles/ca/caTransportCert.cfg b/base/ca/shared/profiles/ca/caTransportCert.cfg
e0d192
index 51dc084..f6ae711 100644
e0d192
--- a/base/ca/shared/profiles/ca/caTransportCert.cfg
e0d192
+++ b/base/ca/shared/profiles/ca/caTransportCert.cfg
e0d192
@@ -79,7 +79,7 @@ policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
e0d192
 policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
e0d192
 policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
e0d192
 policyset.transportCertSet.8.constraint.name=No Constraint
e0d192
-policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
e0d192
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
e0d192
 policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
e0d192
 policyset.transportCertSet.8.default.name=Signing Alg
e0d192
 policyset.transportCertSet.8.default.params.signingAlg=-
e0d192
diff --git a/base/server/upgrade/10.5.17/02-AddProfileCaAuditSigningCert b/base/server/upgrade/10.5.17/02-AddProfileCaAuditSigningCert
e0d192
new file mode 100644
e0d192
index 0000000..02b8477
e0d192
--- /dev/null
e0d192
+++ b/base/server/upgrade/10.5.17/02-AddProfileCaAuditSigningCert
e0d192
@@ -0,0 +1,52 @@
e0d192
+# Authors:
e0d192
+#     Christina Fu <cfu@redhat.com>
e0d192
+#
e0d192
+# Copyright Red Hat, Inc.
e0d192
+#
e0d192
+# SPDX-License-Identifier: GPL-2.0-or-later
e0d192
+
e0d192
+from __future__ import absolute_import
e0d192
+import logging
e0d192
+import os
e0d192
+import shutil
e0d192
+
e0d192
+import pki
e0d192
+
e0d192
+logger = logging.getLogger(__name__)
e0d192
+
e0d192
+
e0d192
+class AddProfileCaAuditSigningCert(pki.server.upgrade.PKIServerUpgradeScriptlet):
e0d192
+
e0d192
+    def __init__(self):
e0d192
+        super(AddProfileCaAuditSigningCert, self).__init__()
e0d192
+        self.message = 'Add caAuditSigningCert profile'
e0d192
+
e0d192
+    def upgrade_subsystem(self, instance, subsystem):
e0d192
+
e0d192
+        if subsystem.name != 'ca':
e0d192
+            return
e0d192
+
e0d192
+        path = os.path.join(subsystem.base_dir, 'profiles', 'ca', 'caAuditSigningCert.cfg')
e0d192
+
e0d192
+        if not os.path.exists(path):
e0d192
+            logger.info('Creating caAuditSigningCert.cfg')
e0d192
+            self.backup(path)
e0d192
+            shutil.copyfile('/usr/share/pki/ca/profiles/ca/caAuditSigningCert.cfg', path)
e0d192
+            os.chown(path, instance.uid, instance.gid)
e0d192
+            os.chmod(path, 0o0660)
e0d192
+
e0d192
+        logger.info('Adding caAuditSigningCert into profile.list')
e0d192
+        profile_list = subsystem.config.get('profile.list').split(',')
e0d192
+        if 'caAuditSigningCert' not in profile_list:
e0d192
+            profile_list.append('caAuditSigningCert')
e0d192
+            profile_list.sort()
e0d192
+            subsystem.config['profile.list'] = ','.join(profile_list)
e0d192
+
e0d192
+        logger.info('Adding profile.caAuditSigningCert.class_id')
e0d192
+        subsystem.config['profile.caAuditSigningCert.class_id'] = 'caEnrollImpl'
e0d192
+
e0d192
+        logger.info('Adding profile.caAuditSigningCert.config')
e0d192
+        subsystem.config['profile.caAuditSigningCert.config'] = path
e0d192
+
e0d192
+        self.backup(subsystem.cs_conf)
e0d192
+        subsystem.save()
e0d192
-- 
e0d192
1.8.3.1
e0d192
e0d192
e0d192
From 77eadead2fea96d897f3f09894ce612b9e1ee19d Mon Sep 17 00:00:00 2001
e0d192
From: Christina Fu <cfu@redhat.com>
e0d192
Date: Wed, 16 Sep 2020 18:47:33 -0400
e0d192
Subject: [PATCH 5/6] Bug1858867-TPS does not check token cuid on the user
e0d192
 externalReg record during PIN reset
e0d192
e0d192
  RHCS-MAINT contribution
e0d192
  This patch makes sure that if "tokenCUID" exists for the user reg record,
e0d192
  pinReset operation would make sure that it mathes with the current
e0d192
  token cuid;
e0d192
  If the "tokenCUID" does not exist in the user registration record
e0d192
  then any token can be used for pinReset;
e0d192
e0d192
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1858867
e0d192
e0d192
(cherry picked from commit 1f24b6f0b9d37139b2069564ee6b2f5fe2bae527)
e0d192
---
e0d192
 .../server/tps/processor/TPSPinResetProcessor.java | 26 ++++++++++++++++++++++
e0d192
 1 file changed, 26 insertions(+)
e0d192
e0d192
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
e0d192
index 7d3a7cd..af42689 100644
e0d192
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
e0d192
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
e0d192
@@ -187,6 +187,32 @@ public class TPSPinResetProcessor extends TPSProcessor {
e0d192
             } else {
e0d192
                 CMS.debug(method + " --> registrationtype attribute disabled or not found, continuing.");
e0d192
             }
e0d192
+            
e0d192
+            /*
e0d192
+             * If cuid is provided on the user registration record, then
e0d192
+             * we have to compare that with the current token cuid;
e0d192
+             *
e0d192
+             * If, the cuid is not provided on the user registration record,
e0d192
+             * then any token can be used.
e0d192
+             */
e0d192
+            if (erAttrs.getTokenCUID() != null) {
e0d192
+                CMS.debug(method + " checking if token cuid matches record cuid");
e0d192
+                CMS.debug(method + " erAttrs.getTokenCUID()=" + erAttrs.getTokenCUID());
e0d192
+                CMS.debug(method + " tokenRecord.getId()=" + tokenRecord.getId());
e0d192
+                if (!tokenRecord.getId().equalsIgnoreCase(erAttrs.getTokenCUID())) {
e0d192
+                    logMsg = "isExternalReg: token CUID not matching record:" + tokenRecord.getId() + " : " +
e0d192
+                            erAttrs.getTokenCUID();
e0d192
+                    CMS.debug(method + logMsg);
e0d192
+                    tps.tdb.tdbActivity(ActivityDatabase.OP_PIN_RESET, tokenRecord, session.getIpAddress(), logMsg,
e0d192
+                            "failure");
e0d192
+                    throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_NOT_TOKEN_OWNER);
e0d192
+                } else {
e0d192
+                    logMsg = "isExternalReg: token CUID matches record";
e0d192
+                    CMS.debug(method + logMsg);
e0d192
+                }
e0d192
+            } else {
e0d192
+                CMS.debug(method + " no need to check if token cuid matches record");
e0d192
+            }
e0d192
 
e0d192
             session.setExternalRegAttrs(erAttrs);
e0d192
             setExternalRegSelectedTokenType(erAttrs);
e0d192
-- 
e0d192
1.8.3.1
e0d192
e0d192
e0d192
From 8c17891db620896e684cf0efd4ead66d8b1b4e1d Mon Sep 17 00:00:00 2001
e0d192
From: jmagne <jmagne@redhat.com>
e0d192
Date: Mon, 19 Oct 2020 21:26:43 -0400
e0d192
Subject: [PATCH 6/6] Enhancment to Bug 1858860 - TPS - Update Error Codes
e0d192
 returned to client (CIW/ESC) to Match CS8. (#3360)
e0d192
e0d192
This enhancement allows config values to be used to test the unlikely error conditions addressed in the original bug:
e0d192
e0d192
    To test one two scenarios, use these settings one at a time:
e0d192
e0d192
    op.pinReset.testNoBeginMsg=false
e0d192
    op.pinReset.testUpdateDBFailure=false
e0d192
e0d192
    The first one will test the error code returned when the beginOp message is missing when atempting
e0d192
    a pin Reset operation. The error returned should be error "4".
e0d192
e0d192
    The second one will test if the update of the db for the token does not complete properly.
e0d192
e0d192
    The error returned in this scenario should be "41".
e0d192
e0d192
    The tpsclient utility can be used to test these two scenarios. Once again try them separately
e0d192
    because the first error will stop the pin reset procedure before the second scenario can even happen.
e0d192
e0d192
Co-authored-by: Jack Magne <jmagne@test.host.com>
e0d192
(cherry picked from commit 509d31cf80e13c564b50d41feb11fd9c2eb9db73)
e0d192
---
e0d192
 .../server/tps/processor/TPSPinResetProcessor.java | 29 +++++++++++++++++++++-
e0d192
 1 file changed, 28 insertions(+), 1 deletion(-)
e0d192
e0d192
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
e0d192
index af42689..805af20 100644
e0d192
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
e0d192
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
e0d192
@@ -49,7 +49,19 @@ public class TPSPinResetProcessor extends TPSProcessor {
e0d192
 
e0d192
     @Override
e0d192
     public void process(BeginOpMsg beginMsg) throws TPSException, IOException {
e0d192
-        if (beginMsg == null) {
e0d192
+
e0d192
+        IConfigStore configStore = CMS.getConfigStore();
e0d192
+
e0d192
+        // Use this only for testing, not for normal operation.
e0d192
+        String configName = "op.pinReset.testNoBeginMsg";
e0d192
+        boolean testPinResetNoBeginMsg = false;
e0d192
+        try {
e0d192
+            testPinResetNoBeginMsg = configStore.getBoolean(configName,false);
e0d192
+        } catch (EBaseException e) {
e0d192
+            testPinResetNoBeginMsg = false;
e0d192
+        }
e0d192
+
e0d192
+        if (beginMsg == null || testPinResetNoBeginMsg == true) {
e0d192
             throw new TPSException("TPSPinResetProcessor.process: invalid input data, no beginMsg provided.",
e0d192
                     TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
e0d192
         }
e0d192
@@ -324,7 +336,22 @@ public class TPSPinResetProcessor extends TPSProcessor {
e0d192
 
e0d192
         statusUpdate(100, "PROGRESS_PIN_RESET_COMPLETE");
e0d192
         logMsg = "update token during pin reset";
e0d192
+
e0d192
+        IConfigStore configStore = CMS.getConfigStore();
e0d192
+
e0d192
+        // Use this only for testing, not for normal operation.
e0d192
+        String configName = "op.pinReset.testUpdateDBFailure";
e0d192
+        boolean testUpdateDBFailure = false;
e0d192
         try {
e0d192
+            testUpdateDBFailure = configStore.getBoolean(configName,false);
e0d192
+        } catch (EBaseException e) {
e0d192
+            testUpdateDBFailure = false;
e0d192
+        }
e0d192
+
e0d192
+        try {
e0d192
+            if(testUpdateDBFailure == true) {
e0d192
+                throw new Exception("Test failure to update DB for Pin Reset!");
e0d192
+            }
e0d192
             tps.tdb.tdbUpdateTokenEntry(tokenRecord);
e0d192
             tps.tdb.tdbActivity(ActivityDatabase.OP_PIN_RESET, tokenRecord, session.getIpAddress(), logMsg, "success");
e0d192
             CMS.debug(method + ": token record updated!");
e0d192
-- 
e0d192
1.8.3.1
e0d192