[RFE] TPS Recovery Enhancement - Framework & Prototype

[pki-bot]

This issue was migrated from Pagure Issue #575. Originally filed by nkinder (@nkinder) on 2013-03-26 04:55:23:

• Closed as Fixed
• Assigned to cfu (@cfu)
• Associated bugzillas
  • https://bugzilla.redhat.com/show_bug.cgi?id=927312
  • https://bugzilla.redhat.com/show_bug.cgi?id=[927312

---

Require the ability to recover non-revoked/expired certificates to an active token.

[pki-bot]

Comment from jmagne (@jmagne) at 2013-06-14 02:20:54

This ticket can be treated as one aspect of the general effort to allow the user to override our fairly rigid recovery policy. The external db record driven procedure to be implemented will only adhere to what the db record tells us to do. CFU and I will make sure this specific requirement will be taken care of as well. Will work more closely on this when cfu has the high level support for the procedure discussed in the other ticket.

[pki-bot]

Comment from cfu (@cfu) at 2013-06-17 20:45:40

This ticket is specific to the "Framework" and "Prototype" part of the TPS Revocation Enhancement work.

[pki-bot]

Comment from cfu (@cfu) at 2013-07-11 18:16:26

https://bugzilla.redhat.com/show_bug.cgi?id=927312#c10 The above checkin provides the following Framework and prototype:

Framework - per Base External Registration Design: http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS#Base_External_Registration_Design

• TPS: The ExternalRegAttrs class and its sub-classes which provide content structures and manipulation functions for attributes retrieved from each the registration user record during authentication. Such structure is attached to the RA_Session to be carried around for use.
• TPS: shared authentication-related functions for the following operations: Format, Enroll, and Pin-reset.
• DRM: interface and the underlying functionality to allow key recovery by key id
• TPS: function to call to DRM's new interface to do key recovery by key id
• TPS: function to call to CA to do revocation by serial number
• TPS: function to call to CA to retrieve a certificate by serial number and the parsing of which

Prototype -

• TPS: For ease of development without having to fabricate registration user record content on ldap, prototype code within LDAP authentication to retrieve and parse info from CS.cfg which mimics the info that would be gotten from the registration db.

What the prototype will NOT do: the actual key injection or deletion from the token. Because of this, the prototype currently only works for tpsclient. The new key recovery and revocation processing functions always returns true after successful recovery of keys/certs and revocation.

[pki-bot]

Comment from cfu (@cfu) at 2013-07-11 18:34:46

In Phase 2 of this task, the following main feature/issues will be addressed:

• Delegation (http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS#Delegation_Design)
• Renewal

And some "loose ends" will be addressed, such as (not limited to):

• add auditing
• log tokendb activities
• "userid" required by RecoverKey()
• revocation reasons control
• more error handling for the framework code
• etc.

[pki-bot]

Comment from cfu (@cfu) at 2013-07-25 23:03:11

https://bugzilla.redhat.com/show_bug.cgi?id=927312#c17 The above checkin provides the following feature and its prototype:

Feature - Delegation Feature per design on http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS#Delegation_Design

CA new profiles:

• caTokenUserAuthKeyRenewal
• caTokenUserDelegateAuthKeyEnrollment
• caTokenUserDelegateSigningKeyEnrollment

TPS new profiles:

• delegateISEtoken - for ID(auth), Signing, and Encryption
• delegateIEtoken - for ID(auth), and Encryption
• externalRegAddToToken - for adding(recovering) certs/keys to token

Provides:

• delegation feature
• renewal for externalRegistration mode
• token CUID comparision if supplied on user reg record
• delete cert entry from tokendb upon deletion from token if so specified
• avoid formatting tokens at places (e.g. failure)
• other misc. cleanup

What is not (yet) covered:

• temporary token TPS profiles for externalReg profiles
• Auditing still missing in new code at some places
• tokendb activities may be missing at some places in new code
• some error handling may still be missing in new code

[pki-bot]

Comment from jmagne (@jmagne) at 2013-09-06 20:57:45

WE have provided this fix to QA and the customer as a beta. Closing

[pki-bot]

Comment from nkinder (@nkinder) at 2017-02-27 14:01:20

Metadata Update from @nkinder:

• Issue assigned to cfu
• Issue set to the milestone: 10.1 - 08/13 (August)