From fb857eac7f74c91fda65dd9d676b28b6df2eaa78 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 3 Jan 2019 20:08:36 -0600
Subject: [PATCH 1/7] Removed validation for token state transitions

The TPSSubsystem has been modified to remove the validation for
tokendb.allowedTransitions property. This will allow adding new
transitions via PKI CLI or TPS Web UI.

The TPSSubsystem will continue to validate tps.operations.allowedTransitions
as before so it will only allow transitions already defined in
the default CS.cfg.

https://bugzilla.redhat.com/show_bug.cgi?id=1470433
(cherry picked from commit e9079332d66f166cd89673e2160fd52dbb48728c)
---
 .../src/org/dogtagpki/server/tps/TPSSubsystem.java |   4 +-
 docs/admin/TPS_Token_Lifecycle.md                  | 139 +++++++++++++++++++++
 2 files changed, 141 insertions(+), 2 deletions(-)
 create mode 100644 docs/admin/TPS_Token_Lifecycle.md

diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java b/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java
index 2f43ba3..0e8f318 100644
--- a/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java
+++ b/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java
@@ -126,8 +126,8 @@ public class TPSSubsystem implements IAuthority, ISubsystem {
 
         FileConfigStore defaultConfig = new FileConfigStore("/usr/share/pki/tps/conf/CS.cfg");
 
-        uiTransitions = loadAndValidateTokenStateTransitions(
-                defaultConfig, cs, TPSEngine.CFG_TOKENDB_ALLOWED_TRANSITIONS);
+        uiTransitions = loadTokenStateTransitions(
+                cs, TPSEngine.CFG_TOKENDB_ALLOWED_TRANSITIONS);
 
         operationTransitions = loadAndValidateTokenStateTransitions(
                 defaultConfig, cs, TPSEngine.CFG_OPERATIONS_ALLOWED_TRANSITIONS);
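Review bot: With the default-config cross-check gone from the `uiTransitions` load, nothing visible in this hunk verifies that each entry of `tokendb.allowedTransitions` parses to a defined token state code, so a typo such as `4:5` would be accepted silently; `loadTokenStateTransitions` is outside the hunk, so whether it validates state codes cannot be confirmed here. Since an operator-editable property now directly defines which state changes the CLI and Web UI permit, I would have the loader reject unknown codes and log the loaded transition set at startup so configuration changes are visible in the log. Note that `operationTransitions` keeps the validated loader, which is the right asymmetry, and a comment on the `uiTransitions` line stating why the two differ would save the next reader a trip to the bug tracker. The enclosing method starts and ends outside the hunk.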
diff --git a/docs/admin/TPS_Token_Lifecycle.md b/docs/admin/TPS_Token_Lifecycle.md
new file mode 100644
index 0000000..194a95f
--- /dev/null
+++ b/docs/admin/TPS_Token_Lifecycle.md
@@ -0,0 +1,139 @@
+# TPS Token Lifecycle
+
+## Token States
+
+Below are the supported token states in TPS:
+
+| Code | Name        | Label                        |
+| ---- | ----------- | ---------------------------- |
+| 0    | FORMATTED   | Formatted (uninitialized)    |
+| 1    | DAMAGED     | Physically damaged           |
+| 2    | PERM_LOST   | Permanently lost             |
+| 3    | SUSPENDED   | Suspended (temporarily lost) |
+| 4    | ACTIVE      | Active                       |
+| 6    | TERMINATED  | Terminated                   |
+| 7    | UNFORMATTED | Unformatted                  |
+
+In the CS.cfg the token states will be displayed by their codes.
+In PKI CLI the token states will be displayed by their names.
+In TPS Web UI the token states will be displayed by their labels.
+
+## Token State Transitions via PKI CLI or TPS Web UI
+
+Token state can be changed via PKI CLI or TPS Web UI.
+The transitions that can be done via PKI CLI or TPS Web UI are defined in the following property in
+/etc/pki/&lt;instance&gt;/tps/CS.cfg:
+
+```
+tokendb.allowedTransitions=0:1,0:2,0:3,0:6,3:2,3:6,4:1,4:2,4:3,4:6,6:7
+```
+
+The property contains a comma-separated list of transitions. Each transition is written in this format:
+
+    <current state code>:<new state code>
+
+The above list represents the following transitions:
+
+| Transition | Current State | Next State  | Label                                                          |
+| ---------- | ------------- | ----------- | -------------------------------------------------------------- |
+| 0:1        | FORMATTED     | DAMAGED     | This token has been physically damaged.                        |
+| 0:2        | FORMATTED     | PERM_LOST   | This token has been permanently lost.                          |
+| 0:3        | FORMATTED     | SUSPENDED   | This token has been suspended (temporarily lost).              |
+| 0:6        | FORMATTED     | TERMINATED  | This token has been terminated.                                |
+| 3:2        | SUSPENDED     | TERMINATED  | This suspended (temporarily lost) token has been terminated.   |
+| 3:6        | SUSPENDED     | PERM_LOST   | This suspended (temporarily lost) has become permanently lost. |
+| 4:1        | ACTIVE        | DAMAGED     | This token has been physically damaged.                        |
+| 4:2        | ACTIVE        | PERM_LOST   | This token has been permanently lost.                          |
+| 4:3        | ACTIVE        | SUSPENDED   | This token has been suspended (temporarily lost).              |
+| 4:6        | ACTIVE        | TERMINATED  | This token has been terminated.                                |
+| 6:7        | TERMINATED    | UNFORMATTED | Reuse this token.                                              |
+
+The following transitions are generated automatically depending on the original state of the token.
+If a token was originally FORMATTED then became SUSPENDED, it can only return to FORMATTED state.
+If a token was originally ACTIVE then became SUSPENDED, it can only return to the ACTIVE state.
+
+| Transition | Current State | Next State | Label                                                   |
+| ---------- | ------------- | ---------- | ------------------------------------------------------- |
+| 3:2        | SUSPENDED     | FORMATTED  | This suspended (temporarily lost) token has been found. |
+| 3:4        | SUSPENDED     | ACTIVE     | This suspended (temporarily lost) token has been found. |
+
+To customize the tokendb.allowedTransitions property, edit the property in /etc/pki/&lt;instance&gt;/tps/CS.cfg,
+then restart the server.
+
+## Token State Transitions via Token Operations
+
+Token states can also be changed via token operations (e.g. format, enroll).
+The transitions that can be done via token operations are defined in the following property in
+/etc/pki/&lt;instance&gt;/tps/CS.cfg:
+
+```
+tps.operations.allowedTransitions=0:0,0:4,4:4,4:0,7:0
+```
+
+The property contains a comma-delimited list of transitions.
+Each transition is written in this format:
+
+    <current state code>:<new state code>
+
+The above list represents the following transitions:
+
+| Transition | Current State | Next State | Description                                                           |
+| ---------- | ------------- | ---------- | --------------------------------------------------------------------- |
+| 0:0        | FORMATTED     | FORMATTED  | This allows reformatting a token or upgrading applet/key in a token.  |
+| 0:4        | FORMATTED     | ACTIVE     | This allows enrolling a token.                                        |
+| 4:4        | ACTIVE        | ACTIVE     | This allows re-enrolling an active token (for external registration). |
+| 4:0        | ACTIVE        | FORMATTED  | This allows formatting an active token.                               |
+| 7:0        | UNFORMATTED   | FORMATTED  | This allows formatting a blank or previously used token.              |
+
+To customize the tps.operations.allowedTransitions property, edit the property in /etc/pki/&lt;instance&gt;/tps/CS.cfg,
+then restart the server.
+
+This property can only be customized to remove transitions from the original list.
+New transitions cannot be added into tps.operations.allowedTransitions unless it is already defined
+in the default tps.operations.allowedTransitions in /usr/share/pki/tps/conf/CS.cfg.
+
+## Token State and Transition Labels for TPS Web UI
+
+The default token state and transition labels for TPS Web UI are defined in /usr/share/pki/tps/conf/token-states.properties:
+
+```
+# Token states
+UNFORMATTED         = Unformatted
+FORMATTED           = Formatted (uninitialized)
+ACTIVE              = Active
+SUSPENDED           = Suspended (temporarily lost)
+PERM_LOST           = Permanently lost
+DAMAGED             = Physically damaged
+TEMP_LOST_PERM_LOST = Temporarily lost then permanently lost
+TERMINATED          = Terminated
+
+# Token state transitions
+FORMATTED.DAMAGED        = This token has been physically damaged.
+FORMATTED.PERM_LOST      = This token has been permanently lost.
+FORMATTED.SUSPENDED      = This token has been suspended (temporarily lost).
+FORMATTED.TERMINATED     = This token has been terminated.
+SUSPENDED.ACTIVE         = This suspended (temporarily lost) token has been found.
+SUSPENDED.PERM_LOST      = This suspended (temporarily lost) token has become permanently lost.
+SUSPENDED.TERMINATED     = This suspended (temporarily lost) token has been terminated.
+SUSPENDED.FORMATTED      = This suspended (temporarily lost) token has been found.
+ACTIVE.DAMAGED           = This token has been physically damaged.
+ACTIVE.PERM_LOST         = This token has been permanently lost.
+ACTIVE.SUSPENDED         = This token has been suspended (temporarily lost).
+ACTIVE.TERMINATED        = This token has been terminated.
+TERMINATED.UNFORMATTED   = Reuse this token.
+```
+
+To customize the labels, copy the default token-states.properties into TPS configuration folder:
+
+```
+$ cp /usr/share/pki/tps/conf/token-states.properties /var/lib/pki/pki-tomcat/tps/conf
+```
+Then edit the new file.
+There is no need to restart the server, but the TPS Web UI will need to be reloaded.
+
+To remove the customized labels simply delete the customized file:
+
+```
+$ rm /var/lib/pki/pki-tomcat/tps/conf/token-states.properties
+```
+Then reload the TPS Web UI.
-- 
1.8.3.1


From 80c61529b041dca01116726535de87f18a5d16cd Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@cfu-rhel7.usersys.redhat.com>
Date: Thu, 15 Aug 2019 12:23:57 -0400
Subject: [PATCH 2/7] Resolve (additional patch for) Bug 1470410 - TPS doesn't
 update revocation status when certificate already marked as
 unformatted/terminated/damaged

This is one of the previously missed patches.
Submitted by RHCS-maint

(cherry picked from commit e4b9e6ed3cf03bd8c026d2d944b615f9b306219a)
---
 base/ca/src/com/netscape/ca/CAService.java                        | 8 +++++---
 .../src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java  | 3 ++-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
index e4e4efe..4e8afac 100644
--- a/base/ca/src/com/netscape/ca/CAService.java
+++ b/base/ca/src/com/netscape/ca/CAService.java
@@ -981,7 +981,7 @@ public class CAService implements ICAService, IService {
         CRLExtensions crlentryexts = crlentry.getExtensions();
         String msg = "";
 
-        CMS.debug("CAService.revokeCert: revokeCert begins");
+        CMS.debug("CAService.revokeCert: revokeCert begins: serial:" + serialno.toString());
 
         // Get the revocation reason
         Enumeration enum1 = crlentryexts.getElements();
@@ -1000,6 +1000,7 @@ public class CAService implements ICAService, IService {
                     CMS.getUserMessage("CMS_CA_MISSING_REV_REASON",
                             "0x" + serialno.toString(16)));
         }
+        CMS.debug("CAService.revokeCert: revocaton request revocation reason: " + revReason.toString());
 
         CertRecord certRec = (CertRecord) mCA.getCertificateRepository().readCertificateRecord(serialno);
 
@@ -1026,6 +1027,7 @@ public class CAService implements ICAService, IService {
                 CMS.debug("CAService.revokeCert: " + msg);
                 throw new EBaseException(msg);
             }
+            CMS.debug("CAService.revokeCert: already revoked cert with existing revocation reason:" + recRevReason.toString());
         }
 
         // for cert already revoked, also check whether revocation reason is changed from SUPERSEDED to KEY_COMPROMISE
@@ -1044,11 +1046,11 @@ public class CAService implements ICAService, IService {
         try {
             // if cert has already revoked, update the revocation info only
             CMS.debug("CAService.revokeCert: about to call markAsRevoked");
-            if (certStatus.equals(ICertRecord.STATUS_REVOKED) && certRec.isCertOnHold()) {
+            if (certStatus.equals(ICertRecord.STATUS_REVOKED)) {
                 mCA.getCertificateRepository().markAsRevoked(serialno,
                         new RevocationInfo(revdate, crlentryexts),
                         true /*isAlreadyRevoked*/);
-                CMS.debug("CAService.revokeCert: on_hold cert marked revoked");
+                CMS.debug("CAService.revokeCert: Already-revoked cert marked revoked");
                 mCA.log(ILogger.LL_INFO,
                         CMS.getLogMessage("CMSCORE_CA_CERT_REVO_INFO_UPDATE",
                                 recRevReason.toString(),
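Review bot: Dropping `certRec.isCertOnHold()` from the condition means any revocation request for an already-revoked certificate now overwrites its stored `RevocationInfo` (revocation date and CRL entry extensions) with the values of the new request, not only for on-hold certificates. Unless the earlier check (the comment just above this hunk mentions a SUPERSEDED to KEY_COMPROMISE check, which is outside the hunk) rejects other reason changes, a later request could replace a KEY_COMPROMISE reason with a weaker one or move the revocation date forward, which changes what relying parties see in the CRL. I would keep the original revocation date for already-revoked certificates and only allow the reason to be upgraded, e.g. `if (certStatus.equals(ICertRecord.STATUS_REVOKED) && (certRec.isCertOnHold() || reasonUpgrade)) {` where `reasonUpgrade` is a placeholder for a boolean computed from that existing check. revokeCert continues on both sides of the hunk.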
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
index 39529c9..16ae5fd 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
@@ -540,10 +540,11 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
         } else {
             CMS.debug("CARemoteRequestHandler: revokeCertificate(): using default ca ID:" + connid);
         }
-        CMS.debug("CARemoteRequestHandler: revokeCertificate(): begins on serial#:" + serialno);
+        CMS.debug("CARemoteRequestHandler: revokeCertificate(): begins");
         if (serialno == null || reason == null) {
             throw new EBaseException("CARemoteRequestHandler: revokeCertificate(): input parameter null.");
         }
+        CMS.debug("CARemoteRequestHandler: revokeCertificate(): revoking serial#:" + serialno + "; reason String:" + reason.toString() + "; reason code:" + reason.getCode());
 
         // IConfigStore conf = CMS.getConfigStore();
 
-- 
1.8.3.1


From aef8f648e4651f29cec0ba7e8235185d94e8f39b Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@cfu-rhel7.usersys.redhat.com>
Date: Thu, 15 Aug 2019 18:21:33 -0400
Subject: [PATCH 3/7] Resolve (additiona patch for) Bug 1470433 - Add supported
 transitions to TPS

per suggestion in comment#4

Submitted by RHCS-maint.

(cherry picked from commit f9c10c352fc2129cd9f2cdf6baade6e445de5bd0)
---
 base/tps/shared/conf/CS.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index 8a9d828..eb5b831 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -2448,7 +2448,7 @@ tokendb.addConfigTemplate=addConfig.template
 tokendb.addResultTemplate=addResults.template
 tokendb.agentSelectConfigTemplate=agentSelectConfig.template
 tokendb.agentViewConfigTemplate=agentViewConfig.template
-tokendb.allowedTransitions=0:1,0:2,0:3,0:6,3:2,3:6,4:1,4:2,4:3,4:6,6:7
+tokendb.allowedTransitions=0:1,0:2,0:3,0:6,3:2,3:6,4:1,4:2,4:3,4:6,6:7,1:2,7:1,7:2,6:1,6:2,3:1,3:4
 tokendb.auditAdminTemplate=auditAdmin.template
 tokendb.auditLog=[PKI_INSTANCE_PATH]/logs/tokendb-audit.log
 tokendb.baseDN=ou=Tokens,[TOKENDB_ROOT]
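Review bot: The added `3:4` (SUSPENDED to ACTIVE) entry makes that transition unconditionally selectable from the CLI and Web UI, whereas the admin documentation added in patch 1 of this series describes `3:4` as generated automatically only for tokens that were ACTIVE before suspension; if TPSSubsystem applies the configured list as-is, a token that was FORMATTED when suspended could now be moved to ACTIVE by an operator without an enrollment, and I could not confirm from this hunk which side wins. The other new entries (`1:2`, `7:1`, `7:2`, `6:1`, `6:2`, `3:1`) allow leaving states that the documentation currently presents as terminal or as reusable only via `6:7`, and none of them appears in the transition table of docs/admin/TPS_Token_Lifecycle.md. I would drop `3:4` from the default unless the original-state rule is enforced elsewhere, and add each new entry to that table with its intended operational meaning.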
-- 
1.8.3.1


From a336e4d5a27f4de9d39b4e8131e0da5889ad8dd4 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@cfu-rhel7.usersys.redhat.com>
Date: Mon, 19 Aug 2019 21:26:23 -0400
Subject: [PATCH 4/7] =?UTF-8?q?Resolve=20Bug=201585722=20-=20TMS=20-=20PKI?=
 =?UTF-8?q?SocketFactory=20=E2=80=93=20Modify=20Logging=20to=20Allow=20Ext?=
 =?UTF-8?q?ernal=20Use=20of=20class=20to=20work=20like=20CS8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Submitted by RHCS-maint.

(cherry picked from commit 67b3b4fa936aa60618c2084dbbc15e8f9a13a699)
---
 .../cmscore/ldapconn/PKISocketFactory.java         | 59 +++++++++++++++++-----
 1 file changed, 45 insertions(+), 14 deletions(-)

diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
index e9f28c9..00df65b 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
@@ -23,6 +23,8 @@ import java.net.Socket;
 import java.net.UnknownHostException;
 import java.util.Iterator;
 import java.util.Vector;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
 import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
@@ -48,6 +50,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
     private String mClientAuthCertNickname;
     private boolean mClientAuth;
     private boolean keepAlive;
+    private static boolean external = false;
     PKIClientSocketListener sockListener = null;
 
     public PKISocketFactory() {
@@ -65,22 +68,34 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
         init();
     }
 
+    public PKISocketFactory(String certNickname, boolean external) {
+        this.secure = true;
+        PKISocketFactory.external = external;
+        mClientAuthCertNickname = certNickname;
+        init();
+    }
+
     public void init() {
         try {
-            IConfigStore cs = CMS.getConfigStore();
-            keepAlive = cs.getBoolean("tcp.keepAlive", true);
-            CMS.debug("TCP Keep-Alive: " + keepAlive);
+            if(!external){
+                IConfigStore cs = CMS.getConfigStore();
+                keepAlive = cs.getBoolean("tcp.keepAlive", true);
+            } else {
+                keepAlive = true;
+            }
+
+            log(Level.INFO, "TCP Keep-Alive: " + keepAlive, null);
             sockListener = new PKIClientSocketListener();
 
         } catch (Exception e) {
-            CMS.debug(e);
+            log(Level.SEVERE, null, e);
             throw new RuntimeException("Unable to read TCP configuration: " + e, e);
         }
     }
 
     public SSLSocket makeSSLSocket(String host, int port) throws UnknownHostException, IOException {
         String method = "ldapconn/PKISocketFactory.makeSSLSocket: ";
-        CMS.debug(method + "begins");
+        log(Level.INFO, method + "begins", null);
 
         /*
          * let inherit TLS range and cipher settings
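Review bot: Every former `CMS.debug` call in this hunk, and in the later hunks of this file (the client-auth nickname message, `makeSocket`, the handshake callback and the certificate selection callback), is mapped to `Level.INFO`, including pure trace lines such as `method + "begins"` and the per-candidate certificate messages; for the in-server path the level is ignored by `log`, but for the external path this puts trace output on the INFO channel that JUL enables by default. I would use `Level.FINE` for trace and progress messages, e.g. `log(Level.FINE, method + "begins", null);`, and reserve `INFO` for state an operator wants without turning debugging on. In the external branch of `init()` the `tcp.keepAlive` setting becomes a hard-coded `true` with no way for the external caller to change it; a comment stating that this is intentional, or a setter, would help. makeSSLSocket continues below the hunk.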
@@ -115,8 +130,8 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
 
         if (mClientAuthCertNickname != null) {
             mClientAuth = true;
-            CMS.debug("LdapJssSSLSocket: set client auth cert nickname " +
-                    mClientAuthCertNickname);
+            log(Level.INFO, method + " set client auth cert nickname " +
+                    mClientAuthCertNickname, null);
 
             //We have already established the manual cert selection callback
             //Doing it this way will provide some debugging info on the candidate certs
@@ -127,6 +142,8 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
     }
 
     public Socket makeSocket(String host, int port) throws LDAPException {
+        String method = "ldapconn/PKISocketFactory.makeSocket: ";
+        log(Level.INFO, method + "begins", null);
         Socket s = null;
 
         try {
@@ -145,7 +162,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
                 try {
                     s.close();
                 } catch (IOException e1) {
-                    CMS.debug(e1);
+                    log(Level.SEVERE, null, e1);
                 }
             }
             throw new LDAPException("Unable to create socket: " + e);
@@ -165,6 +182,20 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
     public void log(int level, String msg) {
     }
 
+    private static void log(Level level, String msg, Exception e) {
+        if(!external && e != null){
+            CMS.debug(e);
+        } else if (!external) {
+            CMS.debug(msg);
+        } else {
+            if(e != null){
+                Logger.getLogger("PKISocketFactory").log(level, e.getMessage());
+            } else {
+                Logger.getLogger("PKISocketFactory").log(level, msg);
+            }
+        }
+    }
+
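Review bot: In the external branch the exception is logged as `e.getMessage()` only, which drops the stack trace and discards the caller's `msg`, and logs the literal string "null" when the exception has no message (common for NullPointerException); `java.util.logging.Logger` has a `log(Level, String, Throwable)` overload for exactly this. The logger is also looked up by name on every call, where a `private static final Logger` field is the usual form. I would restructure the helper as below, keeping the in-server behaviour (`CMS.debug(e)` / `CMS.debug(msg)`) unchanged.
```java
private static final Logger logger = Logger.getLogger("PKISocketFactory");

private static void log(Level level, String msg, Exception e) {
    if (!external) {
        // in-server path: unchanged, CMS.debug does its own formatting
        if (e != null) {
            CMS.debug(e);
        } else {
            CMS.debug(msg);
        }
        return;
    }
    // external path: keep both the caller's message and the stack trace
    logger.log(level, msg != null ? msg : String.valueOf(e), e);
}
```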
     static class ClientHandshakeCB implements SSLHandshakeCompletedListener {
         Object sc;
 
@@ -173,7 +204,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
         }
 
         public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
-            CMS.debug("SSL handshake happened");
+            log(Level.INFO, "SSL handshake happened", null);
         }
     }
 
@@ -181,14 +212,14 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
         String desiredCertName = null;
 
         public SSLClientCertificateSelectionCB(String clientAuthCertNickname) {
-            CMS.debug("SSLClientCertificateSelectionCB: Setting desired cert nickname to: " + clientAuthCertNickname);
+            log(Level.INFO, "SSLClientCertificateSelectionCB: Setting desired cert nickname to: " + clientAuthCertNickname, null);
             desiredCertName = clientAuthCertNickname;
         }
 
         @Override
         public String select(Vector certs) {
 
-            CMS.debug("SSLClientCertificatSelectionCB: Entering!");
+            log(Level.INFO, "SSLClientCertificatSelectionCB: Entering!", null);
 
             if(desiredCertName == null) {
                 return null;
@@ -200,15 +231,15 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
 
             while(itr.hasNext()){
                 String candidate = itr.next();
-                CMS.debug("Candidate cert: " + candidate);
+                log(Level.INFO, "Candidate cert: " + candidate, null);
                 if(desiredCertName.equalsIgnoreCase(candidate)) {
                     selection = candidate;
-                    CMS.debug("SSLClientCertificateSelectionCB: desired cert found in list: " + desiredCertName);
+                    log(Level.INFO, "SSLClientCertificateSelectionCB: desired cert found in list: " + desiredCertName, null);
                     break;
                 }
             }
 
-            CMS.debug("SSLClientCertificateSelectionCB: returning: " + selection);
+            log(Level.INFO, "SSLClientCertificateSelectionCB: returning: " + selection, null);
             return selection;
 
         }
-- 
1.8.3.1


From c92c65f52dcff03f47fc7f05efa427ee9166c2e6 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@cfu-rhel7.usersys.redhat.com>
Date: Mon, 26 Aug 2019 18:47:02 -0400
Subject: [PATCH 5/7] =?UTF-8?q?Resolve=20(addition=20issues=20for)=20Bug?=
 =?UTF-8?q?=201642577=20-=20TPS=20=E2=80=93=20Revoked=20Encryption=20Certi?=
 =?UTF-8?q?ficates=20Marked=20as=20Active=20in=20TPS=20Cert=20LDAP=20Durin?=
 =?UTF-8?q?g=20Token=20Key=20Recovery?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This patch addresses the following:
* in TokenKeyRecoveryService.java, unwrap should be with temporary true
* in CS.cfg, auths.instance.ldap1.ldapStringAttributes and auths.instance.ldap1.externalReg.attributes are expanded to include additional elements
* in CS.cfg registrationTypeAttributeName is added as original submitter suggested
* TPSEnrollProcessor.java, additional error checks
* TPSProcessor.java, addresses case sensitive nature of List "contains" method

(cherry picked from commit 24bdc1e39a5bad6b944f6f5571bf48e7e2af52f6)
---
 .../com/netscape/kra/TokenKeyRecoveryService.java  |  2 +-
 base/tps/shared/conf/CS.cfg                        |  4 ++-
 .../server/tps/processor/TPSEnrollProcessor.java   |  2 +-
 .../server/tps/processor/TPSProcessor.java         | 34 ++++++++++++++++++----
 4 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index dcccc78..e95945a 100644
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -678,7 +678,7 @@ public class TokenKeyRecoveryService implements IService {
                 privKey = mStorageUnit.unwrap(
                         keyRecord.getPrivateKeyData(),
                         pubkey,
-                        false,
+                        true,
                         keyRecord.getWrappingParams(mStorageUnit.getOldWrappingParams()));
             } catch (Exception e) {
                 CMS.debug("TokenKeyRecoveryService: recoverKey() - recovery failure");
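Review bot: The flag flipped in the `mStorageUnit.unwrap(...)` call is a bare `true` among five arguments, and the commit message is the only place that says it means "temporary"; this codebase already documents such literals inline (for example `true /*isAlreadyRevoked*/` in CAService), so `true, /* temporary */` — or whatever name `unwrap` actually gives its third parameter, which is outside this hunk — would make the change self-explaining. A one-line why-comment above the call stating why the recovered private key must be unwrapped as a temporary (non-persistent) object would stop the next reader from flipping it back. recoverKey continues on both sides of the hunk.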
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index eb5b831..4bd4bb7 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -61,10 +61,12 @@ auths.instance.ldap1.ldapStringAttributes._003=#       $<attribute>$
 auths.instance.ldap1.ldapStringAttributes._004=#   attributes example:
 auths.instance.ldap1.ldapStringAttributes._005=#mail,cn,uid,edipi,pcc,firstname,lastname,exec-edipi,exec-pcc,exec-mail,certsToAdd,tokenCUID,tokenType
 auths.instance.ldap1.ldapStringAttributes._006=#################################
-auths.instance.ldap1.ldapStringAttributes=mail,cn,uid
+auths.instance.ldap1.ldapStringAttributes=mail,cn,uid,enrollmenttype,certsToAdd,tokenCUID,registrationtype,tokenType,firstname,lastname,exec-edipi,exec-mail
 auths.instance.ldap1.ldap.basedn=[LDAP_ROOT]
+auths.instance.ldap1.externalReg.attributes=certsToAdd,tokenCUID,enrollmenttype,registrationtype,tokenType
 auths.instance.ldap1.externalReg.certs.recoverAttributeName=certsToAdd
 auths.instance.ldap1.externalReg.cuidAttributeName=tokenCUID
+auths.instance.ldap1.externalReg.registrationTypeAttributeName=registrationtype
 auths.instance.ldap1.externalReg.tokenTypeAttributeName=tokenType
 auths.instance.ldap1.ldap.maxConns=15
 auths.instance.ldap1.ldap.minConns=3
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 77b320c..f1e773a 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -200,7 +200,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
             // Check if the external reg parameter registrationType matches currentTokenOperation,
             // otherwise stop the operation.
             CMS.debug(method + " checking if record registrationtype matches currentTokenOperation.");
-            if(erAttrs.getRegistrationType() != null) {
+            if(erAttrs.getRegistrationType() != null && erAttrs.getRegistrationType().length() > 0) {
                 if(!erAttrs.getRegistrationType().equalsIgnoreCase(currentTokenOperation)) {
                     CMS.debug(
                             method + " Error: registrationType " +
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index ec069b1..61da1d6 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -1294,12 +1294,12 @@ public class TPSProcessor {
             throws EBaseException, TPSException {
 
         String logMsg = null;
-        CMS.debug("TPSProcessor.authenticateUser");
         if (op.isEmpty() || userAuth == null || userCred == null) {
             logMsg = "TPSProcessor.authenticateUser: missing parameter(s): op, userAuth, or userCred";
             CMS.debug(logMsg);
             throw new EBaseException(logMsg);
         }
+        CMS.debug("TPSProcessor.authenticateUser: op: " + op);
         IAuthManager auth = userAuth.getAuthManager();
 
         try {
@@ -1311,6 +1311,12 @@ public class TPSProcessor {
                 while (n.hasMoreElements()) {
                     String name = n.nextElement();
                     CMS.debug("TPSProcessor.authenticateUser: got authToken val name:" + name);
+                    /* debugging authToken content vals
+                    String[] vals = authToken.getInStringArray(name);
+                    if (vals != null) {
+                        CMS.debug("TPSProcessor.authenticateUser: got authToken val :" + vals[0]);
+                    }
+                    */
                 }
                 return authToken;
             } else {
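Review bot: The added block inside the `while (n.hasMoreElements())` loop is commented-out code, which is normally removed rather than kept; if the value dump is needed for troubleshooting it should be live code behind an explicit debug switch. `authToken` values can include credentials and other identity attributes, so a value-level dump should not go to the regular debug log at all; logging only the attribute names, as the line above it already does, is the safer form. authenticateUser continues outside the hunk.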
@@ -1811,6 +1817,21 @@ public class TPSProcessor {
         return ret;
     }
 
+   /*
+    * listCaseInsensitiveContains - case insensitive contain check
+    * @param s the string checked if contained in list
+    * @param list the list
+    * @returns true if list contains s; false otherwise
+    */
+    public boolean listCaseInsensitiveContains(String s, List<String> list){
+        for (String element : list){
+            if (element.equalsIgnoreCase(s)){
+                return true;
+            }
+        }
+        return false;
+    }
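Review bot: The header comment on `listCaseInsensitiveContains` opens with `/*` instead of `/**`, so it is not picked up as Javadoc, and `@returns` is not a Javadoc tag (`@return` is); the method also uses no instance state and could be `static`, and a null `list` throws NullPointerException while a null `s` quietly returns false, which is worth stating. A compact equivalent: `return list != null && list.stream().anyMatch(element -> element.equalsIgnoreCase(s));`, with the header rewritten as a Javadoc block documenting `@param s`, `@param list`, `@return` and the null behaviour.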
+
     /*
      * processExternalRegAttrs :
      * - retrieve from authToken relevant attributes for externalReg
@@ -1836,7 +1857,7 @@ public class TPSProcessor {
         if(attributesToProcess == null)
             return erAttrs;
 
-        if(attributesToProcess.contains(erAttrs.ldapAttrNameTokenType)) {
+        if(listCaseInsensitiveContains(erAttrs.ldapAttrNameTokenType, attributesToProcess)) {
             CMS.debug(method + ": getting from authToken:"
                     + erAttrs.ldapAttrNameTokenType);
             vals = authToken.getInStringArray(erAttrs.ldapAttrNameTokenType);
@@ -1852,17 +1873,20 @@ public class TPSProcessor {
                 erAttrs.setTokenType(vals[0]);
             }
         }
-        if(attributesToProcess.contains(erAttrs.ldapAttrNameTokenCUID)) {
+        if(listCaseInsensitiveContains(erAttrs.ldapAttrNameTokenCUID, attributesToProcess)) {
             CMS.debug(method + ": getting from authToken:"
                     + erAttrs.ldapAttrNameTokenCUID);
             vals = authToken.getInStringArray(erAttrs.ldapAttrNameTokenCUID);
             if (vals != null) {
                 CMS.debug(method + ": retrieved cuid:" + vals[0]);
                 erAttrs.setTokenCUID(vals[0]);
+            } else {
+                CMS.debug(method + ": " + erAttrs.ldapAttrNameTokenCUID +
+                        " attribute not found");
             }
         }
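Review bot: The new `else` after the `erAttrs.ldapAttrNameTokenCUID` lookup reports a missing attribute only when `getInStringArray` returns null; an attribute present with zero values still reaches `vals[0]` in the `if` branch and throws ArrayIndexOutOfBoundsException. Checking `if (vals != null && vals.length > 0) {` lets the same `else` cover both cases; the token type, registration type and certs-to-recover blocks in this method index `vals[0]` the same way and would benefit from the same guard. processExternalRegAttrs continues outside the hunk.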
 
-        if(attributesToProcess.contains(erAttrs.ldapAttrNameRegistrationType)) {
+        if(listCaseInsensitiveContains(erAttrs.ldapAttrNameRegistrationType, attributesToProcess)) {
             CMS.debug(method + ": getting from authToken:"
                     + erAttrs.ldapAttrNameRegistrationType);
             vals = authToken.getInStringArray(erAttrs.ldapAttrNameRegistrationType);
@@ -1876,7 +1900,7 @@ public class TPSProcessor {
 
         }
 
-        if(attributesToProcess.contains(erAttrs.ldapAttrNameCertsToRecover)) {
+        if(listCaseInsensitiveContains(erAttrs.ldapAttrNameCertsToRecover, attributesToProcess)) {
             /*
              * certs to be recovered for this user
              *     - multi-valued
-- 
1.8.3.1


From 74c7c1133fd8d2f216eb1330147e870632ded68f Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@cfu-rhel7.usersys.redhat.com>
Date: Wed, 28 Aug 2019 18:11:36 -0400
Subject: [PATCH 6/7] simple typo fix in a debug line.

(cherry picked from commit 272b785d20bc807406bc1e89a52c0fc142e25e72)
---
 base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 61da1d6..baf0671 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -4172,7 +4172,7 @@ public class TPSProcessor {
 
         keyInfo = tokenRecord.getKeyInfo();
 
-        CMS.debug("TPProcessor.getKeyInfioFromTokenDB: returning: " + keyInfo);
+        CMS.debug("TPProcessor.getKeyInfoFromTokenDB: returning: " + keyInfo);
 
         return keyInfo;
 
-- 
1.8.3.1


From ce90aeab54f0a33d1c59bd5a95852ea2c62541e9 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@cfu-rhel7.usersys.redhat.com>
Date: Fri, 6 Sep 2019 16:49:00 -0400
Subject: [PATCH 7/7] Bug 1523330 - CC: missing audit event for CS acting as
 TLS client

This patch adds failed CLIENT_ACCESS_SESSION_ESTABLISH audit event for the case
when internal ldap server goes down

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1523330

(cherry picked from commit 10d52dd0d6b562edc9e32c543017c67c1c0212a8)
---
 .../netscape/cmscore/ldapconn/PKISocketFactory.java | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
index 00df65b..dc93f5d 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
@@ -33,6 +33,9 @@ import org.mozilla.jss.ssl.SSLSocket;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent;
+import com.netscape.certsrv.logging.SignedAuditEvent;
+import com.netscape.cms.logging.SignedAuditLogger;
 
 import netscape.ldap.LDAPException;
 import netscape.ldap.LDAPSSLSocketFactoryExt;
@@ -46,6 +49,8 @@ import org.dogtagpki.server.PKIClientSocketListener;
  */
 public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
 
+    private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger();
+
     private boolean secure;
     private String mClientAuthCertNickname;
     private boolean mClientAuth;
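Review bot: `signedAuditLogger` is initialised at class-load time via `SignedAuditLogger.getLogger()`, which runs even when the factory is built with the `external=true` constructor added in patch 4 of this series for use outside the server; if `getLogger()` depends on server-side logging being configured, that use case now fails at class initialisation rather than only in the in-server code paths. Initialising it lazily inside the audit branch, or only when `!external`, keeps the external path independent of server logging. I cannot see `SignedAuditLogger.getLogger()` here, so whether it has such a dependency needs confirming.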
@@ -157,6 +162,22 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
             s.setKeepAlive(keepAlive);
 
         } catch (Exception e) {
+            // for auditing
+            String localIP = "localhost";
+            try {
+                localIP = InetAddress.getLocalHost().getHostAddress();
+            } catch (UnknownHostException e2) {
+                // default to "localhost";
+            }
+            SignedAuditEvent auditEvent;
+            auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent(
+                        localIP,
+                        host,
+                        Integer.toString(port),
+                        "SYSTEM",
+                        "connect:" +e.toString());
+            signedAuditLogger.log(auditEvent);
+
             CMS.debug(e);
             if (s != null) {
                 try {
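Review bot: The audit block runs before the existing cleanup that closes `s`, so an exception thrown while building or logging the event (`signedAuditLogger.log` or the event factory) would propagate out of the `catch`, skip `s.close()` and replace the original connect error with an unrelated one. Emitting the audit event after the close, immediately before `throw new LDAPException(...)`, or wrapping it so that an audit failure is itself logged, keeps the existing error path intact; for a CC audit requirement the team should decide explicitly whether an audit write failure must abort the connect rather than be swallowed. `InetAddress` is used here but no `java.net.InetAddress` import appears in the import hunk above, so confirm it is already imported earlier in the file; `InetAddress.getLocalHost()` can also trigger a name lookup on every failed connect, so caching the local address in a static would avoid adding latency to an already failing path. makeSocket continues outside the hunk.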
-- 
1.8.3.1