It is currently possible to attempt to enroll multiple tokens to a single user, causing an additional entry in the TPS token database.
Steps to reproduce:
1) Create tpsclient file:
~~~
cat > token_enroll.txt << EOF
op=var_set name=ra_host value=<TPS_HOST_URL>
op=var_set name=ra_port value=7888
op=var_set name=ra_uri value=/nk_service
op=token_set cuid=00000000000000200000 msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
op=token_set auth_key=404142434445464748494a4b4c4d4e4f
op=token_set mac_key=404142434445464748494a4b4c4d4e4f
op=token_set kek_key=404142434445464748494a4b4c4d4e4f
op=ra_enroll uid=tuser pwd=test new_pin=Secret123 num_threads=1
op=exit
EOF
~~~
2) Enroll token using tpsclient
~~~
# tpsclient < token_enroll.txt
~~~
3) Modify token cuid in token_enroll.txt from:
~~~
cuid=00000000000000200000
~~~
to
~~~
cuid=00000000000000200001
~~~
4) Enroll token using tpsclient
~~~
# tpsclient < token_enroll.txt
~~~
Actual Results:
- tpsclient enroll fails with:
~~~
Result> Error - Operation 'ra_enroll' Failure (9787 msec)
~~~
- TPS token database has additional uninitialized token entry for user
Expected Results:
- tpsclient enroll fails
- NO additional uninitialized token entry for user
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1181667 (Red Hat Certificate System)
Per CS/DS meeting of 11/02/2015:
Closed as WONT FIX for RHCS 8.x version of product.
Per PKI Bug Council of 06/23/2016: 10.3.4
Checkin:
commit e326cd2f06bd651cdd87646eea94622e18cec28d
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Fri Jun 24 11:02:35 2016 -0700
Add ability to disallow TPS to enroll a single user on multiple tokens. This patch will install a check during the early portion of the enrollment process that checks a configurable policy on whether or not a user should be allowed to have more than one active token. This check will take place only for brand new tokens not seen before. The check will prevent the enrollment from proceeding and will exit before the system has a chance to add this new token to the TPS tokendb. The behavior will be configurable for the external reg and not external reg scenarios as follows:
~~~
tokendb.nonExternalReg.allowMultiActiveTokensUser=false
tokendb.enroll.externalReg.allowMultiActiveTokensUser=false
~~~
Closing:
Per CS/DS Meeting of 10/03/2016:
commit 1efc001db20afc34b7353f6d2b114593eb761b90
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Wed Oct 5 18:16:35 2016 -0700
Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664 This bug was previously not completely fixed where we left a loophole to allow a user to end up with 2 active tokens. This fix closes that loophole. Also: Fix for: Unable to read an encrypted email using renewed tokens. #2483 This fix provides for a new optional renewal based token policy that allows the user to retain or recover old encryption certs for that profile, which get overwritten by the renewal process. An example is:
~~~
RENEW=YES;RENEW_KEEP_OLD_ENC_CERTS=YES
~~~
The default is YES; you have to explicitly set it to NO to turn it off. The second part of the policy is new. When this is set to "YES", the system will make sure the old enc cert will remain on the token. If it's missing or "NO", no such attempt will be made.
Last minute addition to really fix the issue.
commit 68574756d5afa1c14cd6cc316298aa8f721e7244
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Mon Oct 10 15:56:03 2016 -0700
Another Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664 We just found out the code doesn't account for the case where the user has an active token which IS the token currently being worked on.
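A model of the check these three commits describe, added here as an illustration (Python, not Dogtag's own Java code). The two config keys are quoted from the June 24 commit message; the token status names, the record shape, the function names and the treatment of a missing key as "allow" are assumptions of this model. It selects the key by registration mode, runs the policy check before any tokendb record is created (so a rejected enrollment leaves no uninitialized entry behind, which is the bug reported at the top), and, per the Oct 10 commit, does not count an active token that is the very token being worked on.

```python
from dataclasses import dataclass

# Assumed status names; Dogtag's tokendb uses its own status values.
STATUS_ACTIVE = "active"
STATUS_UNINITIALIZED = "uninitialized"

# Config keys as quoted in the commit message (both shown set to false there).
KEY_NON_EXTERNAL_REG = "tokendb.nonExternalReg.allowMultiActiveTokensUser"
KEY_EXTERNAL_REG = "tokendb.enroll.externalReg.allowMultiActiveTokensUser"


@dataclass
class TokenRecord:
    cuid: str
    user_id: str
    status: str


class EnrollmentRejected(Exception):
    """Raised when policy forbids the enrollment; nothing has been written yet."""


def _as_bool(value, default):
    if value is None:
        return default
    return str(value).strip().lower() in ("true", "yes", "1")


def multi_active_allowed(config, external_reg):
    """Read the policy for the registration mode in use.

    A missing key is treated as 'allow' here; that default is an assumption
    of this model, not a documented Dogtag default.
    """
    key = KEY_EXTERNAL_REG if external_reg else KEY_NON_EXTERNAL_REG
    return _as_bool(config.get(key), default=True)


def other_active_tokens(tokendb, user_id, cuid):
    """Active tokens held by user_id, excluding the token being worked on.

    Excluding `cuid` is the Oct 10 fix: a user operating on their own
    active token must not be counted as already holding another one.
    """
    return [t for t in tokendb
            if t.user_id == user_id and t.status == STATUS_ACTIVE and t.cuid != cuid]


def check_multi_active_policy(config, tokendb, user_id, cuid, external_reg):
    """Raise EnrollmentRejected if the policy forbids this user another active token."""
    if multi_active_allowed(config, external_reg):
        return
    others = other_active_tokens(tokendb, user_id, cuid)
    if others:
        raise EnrollmentRejected(
            f"user {user_id!r} already has active token(s) "
            f"{[t.cuid for t in others]}; policy forbids enrolling {cuid}")


def enroll(config, tokendb, user_id, cuid, external_reg=False):
    """Simulated early phase of enrollment.

    The policy check runs before the tokendb entry is created, so a rejected
    enrollment never leaves an uninitialized record behind. Returns the
    record for the token now being processed.
    """
    check_multi_active_policy(config, tokendb, user_id, cuid, external_reg)
    for record in tokendb:
        if record.cuid == cuid:
            return record  # token already known: no new entry
    record = TokenRecord(cuid=cuid, user_id=user_id, status=STATUS_UNINITIALIZED)
    tokendb.append(record)
    return record


def reproduce_report():
    """Replay the reporter's scenario under a deny policy; returns (rejected, db_size)."""
    config = {KEY_NON_EXTERNAL_REG: "false", KEY_EXTERNAL_REG: "false"}
    # Constructed tokendb: tuser already holds the first cuid from the report.
    tokendb = [TokenRecord("00000000000000200000", "tuser", STATUS_ACTIVE)]
    try:
        enroll(config, tokendb, "tuser", "00000000000000200001")
        rejected = False
    except EnrollmentRejected:
        rejected = True
    return rejected, len(tokendb)


if __name__ == "__main__":
    print(reproduce_report())  # (True, 1)
```

With the policy set to false the second cuid from the steps to reproduce is rejected and the tokendb still holds exactly one record, which is the expected result from the report; with the key set to true the second record is created, and a user touching their own already-active token passes the check either way.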
Metadata Update from @dsirrine:
- Issue assigned to jmagne
- Issue set to the milestone: 10.3.7
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2223
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.