From f5ffc69f79e4e0f4989094561ab0fd5ff5536d14 Mon Sep 17 00:00:00 2001
From: Christina Fu
Date: Thu, 12 Jul 2018 10:24:33 -0700
Subject: [PATCH 1/2] Bugzilla 1548203 LDAP password from console update in audit This patch replace ldap passwords with "(sensitive)" in audit log. fixes https://bugzilla.redhat.com/show_bug.cgi?id=1548203
Change-Id: I6271ec1da4164f731dd3a61534b0e511097a845a
(cherry picked from commit cf9c23a842000755d872202777b0a280bda7f1a1)
---
 .../server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
index 769e8e4..2b8cec7 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
@@ -991,7 +991,11 @@ public class AdminServlet extends HttpServlet {
 if (name.equals(Constants.OP_TYPE)) continue; if (name.equals(Constants.RS_ID)) continue;
- String value = req.getParameter(name);
+ String value = null;
+ if (name.equalsIgnoreCase("PASSWORD_CACHE_ADD"))
+ value = "(sensitive)";
+ else
+ value = req.getParameter(name);
 params.put(name, value); }
-- 
1.8.3.1
From 46e808e86bb393848cca6434cc06c79a14611fa9 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Mon, 15 Jan 2018 13:59:33 -0800
Subject: [PATCH 2/2] Test fix for TPS server side key gen for only identity cert problem.
Change-Id: I15fc1b8a3fa92568aca853f0e89b9e87bbad463d
(cherry picked from commit c87d7820f7b1af97134197a23543e9fc4be1aa39)
(cherry picked from commit c1314749b7b3a2a6647aadd6945186833e539da8)
---
 .../server/tps/cms/TKSRemoteRequestHandler.java | 26 +++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
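Review bot: In AdminServlet.java the mask is keyed on the single literal `PASSWORD_CACHE_ADD`, so any other secret-bearing request parameter that reaches this loop is still copied into the audit parameter map in clear text. The page does not show whether the class already has a predicate for sensitive parameter names; if it does, this loop should call it, and if not, a shared check is safer than one hard-coded name, e.g. `String value = isSensitiveParam(name) ? "(sensitive)" : req.getParameter(name);`, where `isSensitiveParam` is a helper to be added (the name is a suggestion, not an existing API). The literal also deserves a named constant and a comment such as `// never write the password-cache value to the audit log`. A regression test that submits this parameter and asserts the raw value is absent from the audit record would keep the masking from silently regressing. The enclosing method starts and ends outside the hunk.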
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
index 65d0ed0..8155f90 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
@@ -103,7 +103,8 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
 String tokenType) throws EBaseException {
- CMS.debug("TKSRemoteRequestHandler: computeSessionKey(): begins.");
+ String method = "TKSRemoteRequestHandler: computeSessionKey(): ";
+ CMS.debug(method + " begins.");
 if (cuid == null || kdd == null || keyInfo == null || card_challenge == null || card_cryptogram == null || host_challenge == null) { throw new EBaseException("TKSRemoteRequestHandler: computeSessionKey(): input parameter null.");
@@ -111,10 +112,25 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
 IConfigStore conf = CMS.getConfigStore();
- boolean serverKeygen =
- conf.getBoolean("op.enroll." +
- tokenType + ".keyGen.encryption.serverKeygen.enable",
- false);
+ boolean serverKeygen = false;
+
+ //Try out all the currently supported cert types to see if we are doing server side keygen here
+ String[] keygenStrings = { "identity", "signing", "encryption", "authentication", "auth"};
+ for (String keygenString : keygenStrings) {
+ boolean enabled = conf.getBoolean("op.enroll." +
+ tokenType + ".keyGen." +
+ keygenString + ".serverKeygen.enable", false);
+
+ CMS.debug(method + " serverkegGen enabled for " + keygenString + " : " + enabled);
+ if (enabled) {
+ serverKeygen = true;
+ break;
+ }
+ }
+
+
+
+
 if (keySet == null) keySet = conf.getString("tps.connector." + connid + ".keySet", "defKeySet");
-- 
1.8.3.1
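Review bot: In the second hunk (`@@ -111,10 +112,25 @@`) the key types are a hard-coded array, so a profile whose key type has any other name still leaves `serverKeygen` false with no log line explaining why, which is the same failure mode this patch fixes for `identity`. If the enrollment profile's key types can be read from configuration (not visible here), iterating those would be more robust; otherwise hoist the array into a documented `private static final String[]` constant so the supported set is stated in one place. The debug text has a typo and a doubled space because `method` already ends in a space; `CMS.debug(method + "serverKeygen enabled for " + keygenString + ": " + enabled);` is easier to search for in logs. The four empty `+` lines after the loop are whitespace noise, and the body of computeSessionKey continues outside the hunk.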