Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true #2618

Closed
pki-bot opened this issue Oct 3, 2020 · 4 comments

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #2498. Originally filed by rpattath (@rpattath) on 2016-10-04 18:13:35:


Token format with external reg fails when
op.format.externalRegAddToToken.revokeCert=true

Steps to Reproduce:

1. External reg is enabled in TPS
2. Enroll an externalRegAddToToken tokentype and recover certs on the token
3. The following additional config changes are made

externalReg.format.loginRequest.enable=false
op.format.externalRegAddToToken.revokeCert=true

4. Format the token in step 2

Actual results:

Format operation fails

Expected results:

Format should be successful and the certs on the token should be revoked

Additional info:

Log messages

[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
SecureChannelProtocol.unwrapWrappedSymKeyOnToken:Entering...
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
SecureChannelProtocol.makeDes3KeyDerivedFromDes2: Entering ...
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
SecureChannelProtocol.extractDes2FromDes3: Entering:
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
SecureChannelProtocol.makeDes3KeyDerivedFromDes2: extracted8 key
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
SecureChannelProtocol.unwrapWrappedSymKeyOnToken:Returning symkey...
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
TPSProcessor.generateSecureChannel: retrieved session key:
org.mozilla.jss.pkcs11.PK11SymKey@7877e868
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
SecureChannelProtocol.unwrapWrappedSymKeyOnToken:Entering...
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
SecureChannelProtocol.makeDes3KeyDerivedFromDes2: Entering ...
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
SecureChannelProtocol.extractDes2FromDes3: Entering:
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
SecureChannelProtocol.makeDes3KeyDerivedFromDes2: extracted8 key
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
SecureChannelProtocol.unwrapWrappedSymKeyOnToken:Returning symkey...
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
TPSProcessor.generateSecureChannel: retrieved enc session key
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannel.SecureChannel: For
SCP01.
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
TPSProcessor.checkAndUpdradeSymKeys: Leaving successfully....
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
SecureChannel.externalAuthenticate: entering.
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
SecureChannel.externalAuthenticate: about to call computeAPDUMac.
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannel.computeAPDUMac:
got data To MAC
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannel.computeAPDUMac:
MAC computed
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSConnection.write: Writing:
s=95&msg_type=9&pdu_size=21pdu_data=<do not print>
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSSession.read() about to call
read on connection : org.dogtagpki.tps.TPSConnection@3ff417eb
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSConnection read()
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSConnection.read: Reading:
s=38&msg_type=10&pdu_size=2&pdu_data=%90%00
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSMessage.createMessage:
message: s=38&msg_type=10&pdu_size=2&pdu_data=<do not
print>&pdu_size=2&pdu_data=%90%00
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSMessage msg_type: 10
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSMessage operation: null
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSMessage extensions: null
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSSession.read() message
created
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: APDUResponse.checkResult : sw1:
0x90 sw2: 0x0
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]:
SecureChannel.externalAuthenticate: Successfully completed, exiting ...
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SignedAuditEventFactory:
create() message created for eventType=TOKEN_FORMAT_SUCCESS

[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: revokeCertsAtFormat: begins
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: getRevocationReasonAtFormat
finding config: op.format.externalRegAddToToken.revokeCert.reason
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSProcessor.getCAConnectorID:
finding config: op.format.externalRegAddToToken.ca.conn
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSSession.process: Message
processing failed: TPSProcessor.getCAConnectorID: Internal error finding config
value:op.format.externalRegAddToToken.ca.conn
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSConnection.write: Writing:
s=43&msg_type=13&operation=5&result=1&message=35
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSSession.process: leaving:
result: 1 status: STATUS_ERROR_CONTACT_ADMIN
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: After session.process() exiting
...

pki-bot added this to the 10.3.8 milestone Oct 3, 2020
pki-bot closed this as completed Oct 3, 2020

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2016-10-04 23:07:28

Per PKI Bug Council Meeting of 10/04/2016: needs more investigation


pki-bot commented Oct 3, 2020

Comment from cfu (@cfu) at 2016-10-10 23:11:58

Investigation result:
I think the workaround is just to add the missing param:
op.format.externalRegAddToToken.ca.conn=ca1
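
A pre-flight check for the misconfiguration reported in this issue, as an added example that is not part of the original comment or the project's own code. It flags every token type whose op.format.<tokenType>.revokeCert is true while op.format.<tokenType>.ca.conn is missing or empty; the sample config and the exampleTokenType name are constructed for illustration.

```python
import re

# Constructed CS.cfg excerpt. The externalRegAddToToken keys and the value ca1
# come from this issue; exampleTokenType is a hypothetical, correctly set entry.
SAMPLE_CS_CFG = """\
externalReg.format.loginRequest.enable=false
op.format.externalRegAddToToken.revokeCert=true
op.format.exampleTokenType.revokeCert=true
op.format.exampleTokenType.ca.conn=ca1
"""

# Matches op.format.<tokenType>.revokeCert but not ...revokeCert.reason
REVOKE_KEY = re.compile(r"^op\.format\.([^.]+)\.revokeCert$")


def parse_cfg(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def missing_ca_connectors(cfg):
    """Token types with format-time revocation on but no CA connector set."""
    missing = []
    for key, value in cfg.items():
        match = REVOKE_KEY.match(key)
        if match and value.lower() == "true":
            token_type = match.group(1)
            # An absent key and an empty value are both treated as missing.
            if not cfg.get(f"op.format.{token_type}.ca.conn", ""):
                missing.append(token_type)
    return sorted(missing)


if __name__ == "__main__":
    for token_type in missing_ca_connectors(parse_cfg(SAMPLE_CS_CFG)):
        print(f"op.format.{token_type}.revokeCert=true but "
              f"op.format.{token_type}.ca.conn is not set")
```
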


pki-bot commented Oct 3, 2020

Comment from cfu (@cfu) at 2016-10-11 17:51:38

commit 34b0a80
Author: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
Date: Mon Oct 10 16:05:26 2016 -0700

Ticket 2498 Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true
This patch adds the missing parameters in the CS.cfg for externalRegAddToToken in regards to format operation. It also changed the non-defined ldap2 and ldap3 and ldap1


pki-bot commented Oct 3, 2020

Comment from rpattath (@rpattath) at 2017-02-27 14:10:05

Metadata Update from @rpattath:

  • Issue assigned to cfu
  • Issue set to the milestone: 10.3.8
