#1734 TPS issue with overflowing PKCS#11 cert index numbers
Closed: Fixed None Opened 8 years ago by jmagne.

We currently have an issue with the fact that the PKCS#11 blob with certs and keys, that gets written to a token, locates its various cert and key object with indexed values like the following:

C0 - cert 0
k1 - priv key of C0
k2 - pub key of C0

...

C2 - cert 2
k4 - priv key of C2
k5 - priv key of C2

Note that the formula is k(x) = C*2 and C*2 + 1

Right now in coolkey, at least in Fedora, each object to be located by libcoolkey has to have an index between 0 and 9, due to the fact that the index is encoded as ASCII as part of the muscle object ID format.

If the index goes to 10 or more, problems occur for obvious reasons. The problem is thus twofold.

  1. We need to make sure the libcoolkey that actually uses certs can support more than 0-9 for object IDs. There is a question of whether or not some version of the rhel5 version of coolkey was fixed to do this. This will require some tracking down. As of now it looks like the current Fedora coolkey and possibly rhel7 have this 0-9 limitation, stay tuned.

  2. There is a bunch of code in TPS that creates and parses these objects that will eventually be blasted down to the token during an enrollment operation. We need to make sure that whatever the limitation for an index is, either 9 or whatever we must enforce that in the code and not allow someone to try to save off say C10, which is not allowed.

This part will be the major portion of the work for this ticket in TPS. Also if the limit is raised beyond 9, we need to make sure that the current code can handle THAT and if not fix it to allow such.
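As an added illustration (not TPS or coolkey code): a small Python model of the single-ASCII-digit object index described above. It assumes the private/public key indices for cert slot n are 2n+1 and 2n+2, following the C0 -> k1, k2 example, and shows that with that mapping the key index overflows a one-digit limit before the cert index does, which is why the limit must be enforced when building the objects, not only when parsing them.

```python
from typing import List, Tuple

# Assumption: one ASCII digit per index, as the ticket describes for libcoolkey.
MAX_INDEX = 9


def key_indices(cert_index: int) -> Tuple[int, int]:
    """Private and public key indices for cert slot n.

    Assumption (from the C0 -> k1, k2 example): private = 2n+1, public = 2n+2.
    """
    return 2 * cert_index + 1, 2 * cert_index + 2


def object_ids(cert_index: int, max_index: int = MAX_INDEX) -> List[str]:
    """Object IDs ('C<n>', 'k<i>') for one cert slot.

    Raises ValueError if any index would not fit the encoding, so a caller can
    refuse to build (and later write) an object like C10 or k10.
    """
    if cert_index < 0:
        raise ValueError("cert index must be non-negative")
    priv, pub = key_indices(cert_index)
    for prefix, idx in (("C", cert_index), ("k", priv), ("k", pub)):
        if idx > max_index:
            raise ValueError(f"{prefix}{idx}: index {idx} exceeds limit {max_index}")
    return [f"C{cert_index}", f"k{priv}", f"k{pub}"]


def max_cert_slots(max_index: int = MAX_INDEX) -> int:
    """Number of cert slots whose cert and both keys all fit under max_index."""
    n = 0
    while True:
        try:
            object_ids(n, max_index)
        except ValueError:
            return n
        n += 1


def parse_object_id(obj_id: str, max_index: int = MAX_INDEX) -> Tuple[str, int]:
    """Parse 'C3' or 'k7' back into (kind, index), enforcing the same limit.

    With a one-digit limit, 'C10' is rejected outright rather than being read as
    C1 followed by a stray character.
    """
    kind, digits = obj_id[:1], obj_id[1:]
    if kind not in ("C", "k") or not digits.isdigit():
        raise ValueError(f"malformed object id {obj_id!r}")
    idx = int(digits)
    if idx > max_index:
        raise ValueError(f"{obj_id}: index {idx} exceeds limit {max_index}")
    return kind, idx
```

With the assumed mapping and a one-digit limit only cert slots 0-3 fit (C4 needs k9 and k10); raising the limit to two digits allows 49 slots.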


Per CS/DS Meeting of 2016/01/25: 10.3 - high

[2016/01/25] - We could just have the design document cover how many certs/keys can be put on a token.

Patch acked and tested by cfu:

commit 9bd94a0a54793a0720b803846ce2291e5064c2ae

Writing objects: 100% (16/16), 5.39 KiB | 0 bytes/s, done.
Total 16 (delta 11), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
9bd94a0..c4f904f master -> master

Fedora builds for libcoolkey done. Waiting on getting those pushed.

Metadata Update from @jmagne:
- Issue assigned to jmagne
- Issue set to the milestone: 10.3.0

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2292

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

