From 8fd3bae32bb540a850b64479c56d60f5557bc100 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@redhat.com>
Date: Wed, 7 Feb 2018 14:05:13 -0800
Subject: [PATCH 1/2] Fix Bug 1542210 - pki console configurations that
involves ldap passwords leave the plain text password in debug logs
Simple sensitive data debug log prevention here.
Change-Id: Ic409aaf7e392403c6a4c5afb255a421e1d351c46
(cherry picked from commit ff70df12dd7fc4f801b281233f64bca3c674173b)
(cherry picked from commit e86691f5a5aba9c2d783ccddf79eb7226c36672c)
---
.../cms/src/com/netscape/cms/servlet/admin/AdminServlet.java | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
index d983e6c..769e8e4 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
@@ -216,12 +216,13 @@ public class AdminServlet extends HttpServlet {
pn.equalsIgnoreCase("pin") ||
pn.equalsIgnoreCase("pwd") ||
pn.equalsIgnoreCase("pwdagain") ||
- pn.equalsIgnoreCase("uPasswd")) {
+ pn.equalsIgnoreCase("uPasswd") ||
+ pn.equalsIgnoreCase("PASSWORD_CACHE_ADD")) {
CMS.debug("AdminServlet::service() param name='" + pn +
- "' value='(sensitive)'");
+ "' value='(sensitive)'");
} else {
CMS.debug("AdminServlet::service() param name='" + pn +
- "' value='" + httpReq.getParameter(pn) + "'");
+ "' value='" + httpReq.getParameter(pn) + "'");
}
}
}
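Review bot: The sensitive-parameter check is an exact-name denylist, so any request parameter not named in the chain (which now ends with `PASSWORD_CACHE_ADD`) still has its value written verbatim by the `else` branch's `CMS.debug(...)` call. Each newly discovered secret-bearing parameter needs another patch like this one, and its value stays in the debug log until then. Consider inverting the default so values are logged only for names on a known-safe list, or at least move the names into one documented constant, e.g. `private static final Set<String> SENSITIVE_PARAMS = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);` checked with `SENSITIVE_PARAMS.contains(pn)`. The `if` condition and the enclosing loop start outside the hunk, so the full list of names is not visible here.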
--
1.8.3.1
From 511001c4aaa8e48de3932b4508846729b2e4ab6b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 8 Feb 2018 15:06:53 +1100
Subject: [PATCH 2/2] Fix lightweight CA key replication
The resolution for issue https://pagure.io/dogtagpki/issue/2654
caused a regression in lightweight CA key replication. When the
authorityMonitor encounters a CA whose keys are not present,
signingUnit initialisation fails (as expected). The signing info
event logging behaviour introduced in commit
4551eb1ce6b14e4a37f9c70b3bfd6c9050e13f10 then results in a
NullPointerException, crashing the authorityMonitor thread.
Fix the issue by extracting the signing info event logging behaviour
to a separate method, and invoke that method as the final step of
signingUnit initialisation.
Fixes: https://pagure.io/dogtagpki/issue/2929
Change-Id: Ic6663c09c30754f4fb914dcaf0bc2d902aa91473
(cherry picked from commit 2251f78c22b2e3b23450cdb274207893932cbd0b)
---
base/ca/src/com/netscape/ca/CertificateAuthority.java | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index e5d21eb..9aaa9cb 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -662,7 +662,10 @@ public class CertificateAuthority
}
throw e;
}
+ }
+ private void generateSigningInfoAuditEvents()
+ throws EBaseException {
try {
if (isHostAuthority()) {
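Review bot: The new private method `generateSigningInfoAuditEvents()` has no Javadoc, and the precondition that motivated the commit is recorded only in the commit message. Per that message, the logging threw a NullPointerException when signing unit initialisation had failed, so a later caller that invokes this method earlier would reintroduce the crash. I would add above the declaration: `/** Emits the signing-info audit events. Call only after the signing unit has been initialised successfully. */`. The method body continues past the end of the hunk, so whether it guards against a missing signing unit itself cannot be confirmed from here.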
@@ -1852,6 +1855,8 @@ public class CertificateAuthority
throw new ECAException(
CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString()));
}
+
+ generateSigningInfoAuditEvents();
}
/**
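Review bot: The added call `generateSigningInfoAuditEvents();` sits after the closing brace of the preceding block, outside any handler, and the method is declared `throws EBaseException`. If audit-event generation can fail, that failure now aborts the enclosing initialisation method even though the earlier steps completed. This is inferred, because the enclosing method starts outside the hunk and the new method's own `try` handling is not visible. If failing initialisation on an audit error is intended, say so at the call site, e.g. `// Fail initialisation if the signing-info audit events cannot be recorded.`; if not, the call needs its own handling.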
--
1.8.3.1