Open pki-bot opened 4 years ago
Comment from mharmsen (@mharmsen) at 2016-06-30 20:46:51
Per PKI Bug Council of 06/30/2016: 10.4
Comment from nkinder (@nkinder) at 2017-02-27 14:06:39
Metadata Update from @nkinder:
Comment from mharmsen (@mharmsen) at 2017-03-03 20:06:53
Metadata Update from @mharmsen:
Comment from mharmsen (@mharmsen) at 2017-08-09 16:45:12
Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.
Comment from mharmsen (@mharmsen) at 2017-08-09 16:45:12
Metadata Update from @mharmsen:
This issue was migrated from Pagure Issue #791. Originally filed by nkinder (@nkinder) on 2013-11-11 19:39:09:
Description of problem:
Scenario-1:
Unable to recover certs/keys generated using the EE profile caDualCert with keypair size 3072.
Steps to reproduce:
Generate a user cert called "uid=t1,E=t1@example.org,CN=t1" using the caDualCert profile with key size 3072.
Approve the request from the CA Agent.
Enable External Registration.
Use tpsclient to recover the t1 cert using the admin3a user created in the Reg DB.
```
dn: uid=admin3a,dc=gsslab,dc=pnq,dc=redhat,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: top
objectClass: extensibleobject
cn: admin3a
sn: admin3a
userPassword: redhat
uid: admin3a
givenName: admin3a
mail: admin3a@example.org
firstname: admin3a
edipi: 23456788
pcc: AA
exec-edipi: 111111110
exec-pcc: BB
exec-mail: admin3a@EXAMPLE.COM
```
```
dn: uid=admin3a,dc=gsslab,dc=pnq,dc=redhat,dc=com
changetype: modify
replace: tokenType
tokenType: externalRegAddToToken
-
replace: certsToAdd
certsToAdd: 22021660,ca1,169,drm1
```
```
op=var_set name=ra_host value=pkiserver.gsslab.pnq.redhat.com
op=var_set name=ra_port value=7888
op=var_set name=ra_uri value=/nk_service
op=token_set cuid=55555555555555555551 msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
op=token_set auth_key=404142434445464748494a4b4c4d4e4f
op=token_set mac_key=404142434445464748494a4b4c4d4e4f
op=token_set kek_key=404142434445464748494a4b4c4d4e4f
op=ra_enroll uid=admin3a pwd=redhat new_pin=Secret123 num_threads=1
op=exit
```
```
tpsclient < enroll.tps
```
```
Output> Thread (0) status='0' time='40870 msec'
Result> Error - Operation 'ra_enroll' Failure (40870 msec)
Command>op=exit
```
Note: increasing the TCP receive buffer size to 32768 doesn't help either.
Scenario-2: Unable to enroll a token using the userKey profile with key size increased to 3072.
```
op.enroll.userKey.keyGen.encryption.keySize=3072
op.enroll.userKey.keyGen.signing.keySize=3072
externalReg.authId=ldap3
externalReg.delegation.enable=false
externalReg.delete.deleteFromDB=false
externalReg.enable=false
```
Set the TCP receive buffer size as shown below:
```
tps.recvBufSize=32768
tps.printBufFull=true
```
Restart TPS service
Create the user fubar1 in the Authentication DB.
```
dn: uid=fubar1,dc=gsslab,dc=pnq,dc=redhat,dc=com
uid: fubar1
cn: fubar1
sn: 1
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
ou: US
userPassword: redhat
mail: fubar1@example.org
st: North Carolina
l: Raleigh
```
```
$ ldapadd -x -D "cn=Directory Manager" -w redhat@123 -h localhost -f users.ldif
adding new entry "uid=fubar1,dc=gsslab,dc=pnq,dc=redhat,dc=com"
```
```
op=var_set name=ra_host value=pkiserver.gsslab.pnq.redhat.com
op=var_set name=ra_port value=7888
op=var_set name=ra_uri value=/nk_service
op=token_set cuid=66666666666666666661 msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
op=token_set auth_key=404142434445464748494a4b4c4d4e4f
op=token_set mac_key=404142434445464748494a4b4c4d4e4f
op=token_set kek_key=404142434445464748494a4b4c4d4e4f
op=ra_enroll uid=fubar1 pwd=redhat new_pin=Secret123 num_threads=1
op=exit
```
```
tpsclient < enroll.tps
```
Enrollment fails:
```
Output> Thread (0) status='0' time='70697 msec'
Result> Error - Operation 'ra_enroll' Failure (70697 msec)
Command>op=exit
```
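Both scenarios drive tpsclient from an `op=...` scriptlet and judge the outcome from one output line in which `status='0'` sits next to `Result> Error`. The following is an added example, not code from the issue, from Dogtag, or from tpsclient: it parses such a scriptlet into structured operations, flags token keys that are still set to the GlobalPlatform default test key set (the `404142...4f` value used in the scriptlets above), and parses the result line so that failure is decided by the `Result>` text rather than the `status` field. The scriptlet grammar assumed here (one `op=<name>` per line followed by `key=value` pairs) is inferred from the scriptlets quoted in the issue; the sample script and output embedded below are constructed from them.

```python
"""Parse a tpsclient scriptlet and its result line (added example, not Dogtag code).

Assumptions (not stated by the issue): each scriptlet line is `op=<name>`
followed by whitespace-separated `key=value` pairs, and tpsclient reports one
`Output> ... Result> ... Command>` line per operation.
"""
import re
from typing import Dict, List, Optional

# Constructed from the enroll.tps scriptlet quoted in Scenario-2.
SAMPLE_SCRIPT = """\
op=var_set name=ra_host value=pkiserver.gsslab.pnq.redhat.com
op=var_set name=ra_port value=7888
op=var_set name=ra_uri value=/nk_service
op=token_set cuid=66666666666666666661 msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
op=token_set auth_key=404142434445464748494a4b4c4d4e4f
op=token_set mac_key=404142434445464748494a4b4c4d4e4f
op=token_set kek_key=404142434445464748494a4b4c4d4e4f
op=ra_enroll uid=fubar1 pwd=redhat new_pin=Secret123 num_threads=1
op=exit
"""

# Constructed from the tpsclient output quoted in Scenario-2.
SAMPLE_RESULT = ("Output> Thread (0) status='0' time='70697 msec' "
                 "Result> Error - Operation 'ra_enroll' Failure (70697 msec) Command>op=exit")

# GlobalPlatform default test key (40 41 42 ... 4F). Fine for a lab token,
# a finding on any token that is meant to hold real credentials.
GP_DEFAULT_KEY = "404142434445464748494a4b4c4d4e4f"

RESULT_RE = re.compile(
    r"status='(?P<status>\d+)'\s+time='(?P<ms>\d+) msec'\s+Result>\s*(?P<result>.*?)\s*Command>")


def parse_script(text: str) -> List[Dict[str, str]]:
    """Turn a scriptlet into a list of {'op': name, key: value, ...} dicts."""
    ops: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if not tokens[0].startswith("op="):
            raise ValueError(f"line {lineno}: expected op=<name>, got {tokens[0]!r}")
        op = {"op": tokens[0][len("op="):]}
        for tok in tokens[1:]:
            if "=" not in tok:
                raise ValueError(f"line {lineno}: expected key=value, got {tok!r}")
            key, value = tok.split("=", 1)
            op[key] = value
        ops.append(op)
    return ops


def ra_endpoint(ops: List[Dict[str, str]]) -> str:
    """Assemble host:port/uri from the var_set operations (no scheme is assumed)."""
    vars_ = {op["name"]: op["value"] for op in ops if op["op"] == "var_set"}
    return f"{vars_['ra_host']}:{vars_['ra_port']}{vars_['ra_uri']}"


def default_keys_in_use(ops: List[Dict[str, str]]) -> List[str]:
    """Names of token_set keys (auth/mac/kek) still set to the GP default test key."""
    found = []
    for op in ops:
        if op["op"] != "token_set":
            continue
        for key in ("auth_key", "mac_key", "kek_key"):
            if op.get(key, "").lower() == GP_DEFAULT_KEY:
                found.append(key)
    return found


def parse_result(line: str) -> Dict[str, Optional[object]]:
    """Parse one tpsclient result line; success is decided by the Result> text,
    not by status, which reads '0' even on the failures quoted in the issue."""
    m = RESULT_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised tpsclient output: {line!r}")
    result = m.group("result")
    op_m = re.search(r"Operation '([^']+)'", result)
    return {
        "status": int(m.group("status")),
        "time_ms": int(m.group("ms")),
        "operation": op_m.group(1) if op_m else None,
        "success": not result.startswith("Error"),
        "message": result,
    }


if __name__ == "__main__":
    ops = parse_script(SAMPLE_SCRIPT)
    print("RA endpoint:", ra_endpoint(ops))
    print("default GP keys in use:", default_keys_in_use(ops))
    print("result:", parse_result(SAMPLE_RESULT))
```

Run as a script it reports the RA endpoint, the three key slots still on the default test key, and a parsed result with `success` False for the quoted output even though `status` is 0; when driving tpsclient from a harness, this is the field to branch on.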