dogtagpki

Clone
Source Code
GIT

#1665 Certificate Revocation Reasons not being updated in some cases
Closed: fixed 6 years ago Opened 8 years ago by ddas.

Closed: fixed
Reopen Issue

I set up my TPS CS.cfg file to provide a revocation reason of superseded
(CRLReasonExtension=4) and that works fine when I terminate an active token.

When I suspend an active token, the certificates are revoked with the
revocation reason as "certificate is on hold" (which is CRLReasonExtension=6).
When I then mark the token as terminated, the CRLReasonExtension value does not
get changed to 4 so when I look at the certificate in the CA Agent Page the
revocation reason is still "certificate is on hold". I thought it was a
problem because the certificate status is already "REVOKED" and maybe the CA
won't change the reason, but when I mark a suspended token as Lost, the
revocation reason changes to "Key compromised."

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1262000 (Red Hat Certificate System)

Per CS/DS meeting of 11/02/2015: 10.3

commit 03d578a6254620e4d4122b92b922f8711773ad40
Author: Christina Fu cfu@redhat.com
Date: Mon May 23 16:22:54 2016 -0700

Ticket 1665 - Cert Revocation Reasons not being updated when on-hold
This patch fixes the following areas:
- In the CA, when revokeCert is called, make it possible to move from on_hold
to revoke.
- In the servlet that handles TPS revoke (DoRevokeTPS), make sure it allows
the on_hold cert to be put in the bucket to be revoked.
- there are a few minor fixes such as typos and one have to do with the
populate method in SubjectDNInput.java needs better handling of subject in
case it's null.
Note: This patch does not make attempt to allow agents to revoke certs that
are on_hold from agent interface.  The search filter needs to be modified to
allow that.

How to test:
Select a TPS profile that you wish to test with, and modify
"...onHold.revokeCert" to true
check if
"...onHold.revokeCert.reason" is 6
also
"...destroyed.revokeCert" to true
check if
"...destroyed.revokeCert.reason" is 0

do the above for every key type in the same profile that you wish to be put onhold/offhold/destroyed.
You might want to leave one cert untouched (not revoked if made temporarily lost) just to compare how it differs with others for the later activities.

Do an enrollment of the profile, and check that the token is active, and the certs are too.
at TPS admin interface, select the token, "Change Status" and change from Active to Temporarily lost.
Click on "show certificate", you should see that the certs that match the key type that you changed to revokeCert true should now have "revoked_on_hold" status.

Now go back to token, and change status to permanently lost, and check the certificate status, they should now be revoked (this was previously not possible).
Also check on the CA and make sure the certs are revoked.

Metadata Update from @ddas:
- Issue assigned to cfu
- Issue set to the milestone: 10.3.2
7 years ago

reopen for realignment work.

Metadata Update from @cfu:
- Custom field feature adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field version adjusted to None
- Issue status updated to: Open (was: Closed)
6 years ago

commit 36213c8b614775feadfebef54db034e1155d33c7 (HEAD -> master, origin/master, origin/HEAD, revokeReason)
Author: Christina Fu cfu@redhat.com
Date: Thu Jul 20 17:50:38 2017 -0700

Ticket #1665 (code realignment) Certificate Revocation Reasons not being updated in some cases
This patch makes sure that when a token is temporarily lost (certs on_hold), its certs are properly revoked when moving to other revocation reasons when marked damaged or permanently lost.
In addition, on the CA side, this patch to some degree mimics the original request for transitions from SUPERSEDED to KEY_COMPROMISED, although in the current TPS that is prohibited.
Also, the original requested code skipped over informing CRLIssuingPoints, while in this patch, that is not skipped as the revocation reason has changed it should be updated;  Time stamp in the cert record is also updated, which is different from the original requested code.
Development tests were conducted on currently allowed TPS token state transitions only.

Change-Id: I675ce13892a7c48eba42870a87954398d7dc8168

Metadata Update from @cfu:
- Issue status updated to: Closed (was: Open)
6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.0 (was: 10.3.2)
6 years ago

Metadata Update from @mharmsen:
- Issue close_status updated to: fixed
6 years ago

Metadata Update from @mharmsen:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1274098, https://bugzilla.redhat.com/show_bug.cgi?id=1262000,https://bugzilla.redhat.com/show_bug.cgi?id=1471996,https://bugzilla.redhat.com/show_bug.cgi?id=1500474 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1274098, https://bugzilla.redhat.com/show_bug.cgi?id=1262000)
6 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.5.0-1.fc27
6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2224

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Login to comment on this ticket.

Metadata
None
None
None
major
None
None
defect
None
None
None
None
None
RHCust
None
pki-core-10.5.0-1.fc27
None
None
None
None
TPS
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.