From 8fd3bae32bb540a850b64479c56d60f5557bc100 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Wed, 7 Feb 2018 14:05:13 -0800
Subject: [PATCH 1/2] Fix Bug 1542210 - pki console configurations that involves ldap passwords leave the plain text password in debug logs
Simple sensitive data debug log prevention here.
Change-Id: Ic409aaf7e392403c6a4c5afb255a421e1d351c46
(cherry picked from commit ff70df12dd7fc4f801b281233f64bca3c674173b)
(cherry picked from commit e86691f5a5aba9c2d783ccddf79eb7226c36672c)
---
 .../cms/src/com/netscape/cms/servlet/admin/AdminServlet.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
index d983e6c..769e8e4 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
@@ -216,12 +216,13 @@ public class AdminServlet extends HttpServlet {
 pn.equalsIgnoreCase("pin") ||
 pn.equalsIgnoreCase("pwd") ||
 pn.equalsIgnoreCase("pwdagain") ||
- pn.equalsIgnoreCase("uPasswd")) {
+ pn.equalsIgnoreCase("uPasswd") ||
+ pn.equalsIgnoreCase("PASSWORD_CACHE_ADD")) {
 CMS.debug("AdminServlet::service() param name='" + pn +
- "' value='(sensitive)'");
+ "' value='(sensitive)'");
 } else {
 CMS.debug("AdminServlet::service() param name='" + pn +
- "' value='" + httpReq.getParameter(pn) + "'");
+ "' value='" + httpReq.getParameter(pn) + "'");
 }
 }
 }
-- 
1.8.3.1
From 511001c4aaa8e48de3932b4508846729b2e4ab6b Mon Sep 17 00:00:00 2001
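Review bot: The masking condition in `AdminServlet::service()` remains an exact-name deny-list, so any password-bearing parameter not named in it still reaches the `else` branch and is logged verbatim through `httpReq.getParameter(pn)` (CWE-532); adding `PASSWORD_CACHE_ADD` fixes this one name only. A safer default is to mask unless the name is known to be harmless, or at least to match by fragment, e.g. `pn.toLowerCase(Locale.ROOT).contains("passw") ||` as an extra clause ahead of the exact names. The same `else` branch concatenates the raw value into the log line, so CR/LF inside a parameter can forge debug entries; stripping line breaks before logging would close that. The `if` condition and the enclosing loop start above this hunk, so the earlier names in the list are not visible here. Debug logs written before the fix may still contain the LDAP password, so restricting or purging them and rotating the credential belongs in the release note.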
From: Fraser Tweedale
Date: Thu, 8 Feb 2018 15:06:53 +1100
Subject: [PATCH 2/2] Fix lightweight CA key replication
The resolution for issue https://pagure.io/dogtagpki/issue/2654 caused a regression in lightweight CA key replication. When the authorityMonitor encounters a CA whose keys are not present, signingUnit initialisation fails (as expected). The signing info event logging behaviour introduced in commit 4551eb1ce6b14e4a37f9c70b3bfd6c9050e13f10 then results in a NullPointerException, crashing the authorityMonitor thread. Fix the issue by extracting the signing info event logging behaviour to a separate method, and invoke that method as the final step of signingUnit initialisation.
Fixes: https://pagure.io/dogtagpki/issue/2929
Change-Id: Ic6663c09c30754f4fb914dcaf0bc2d902aa91473
(cherry picked from commit 2251f78c22b2e3b23450cdb274207893932cbd0b)
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index e5d21eb..9aaa9cb 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -662,7 +662,10 @@ public class CertificateAuthority
 }
 throw e;
 }
+ }
+ private void generateSigningInfoAuditEvents()
+ throws EBaseException {
 try {
 if (isHostAuthority()) {
@@ -1852,6 +1855,8 @@ public class CertificateAuthority
 throw new ECAException(
 CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString()));
 }
+
+ generateSigningInfoAuditEvents();
 }
 /**
-- 
1.8.3.1
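Review bot: The new `generateSigningInfoAuditEvents()` is created by closing the old method early, so everything that used to follow the `try` block in that method now belongs to the new one; its body runs past the end of this hunk, so it is worth confirming that nothing unrelated to auditing moved with it. The method also has no Javadoc stating the precondition the regression tripped over, namely (per the commit message) that the signing unit must already be initialised. I would add above the signature `/** Emits the signing-info audit events; call only after the signing unit has been initialised successfully. */`.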
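Review bot: Placing `generateSigningInfoAuditEvents();` as the last statement means the `throw new ECAException(...)` path just above it, and any earlier failure, now leaves no signing-info audit record, while an `EBaseException` raised by the audit method itself fails an otherwise successful initialisation. If both effects are intended, state it at the call site, e.g. `// emit signing-info audit events only once the signing unit is fully initialised`; if a failed initialisation should still be auditable, a failure event would presumably need to be emitted before the rethrow. The enclosing method starts outside this hunk, so its name and its other exit paths are not visible here.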