authorJack Magne <jmagne@dhcp-16-206.sjc.redhat.com>2016-11-15 17:37:07 -0800
committerJack Magne <jmagne@dhcp-16-206.sjc.redhat.com>2016-11-22 16:00:40 -0800
commit4027d3caa872f2950dae0b3d2208c0c54ceb4a4c (patch)
treee34cc65fd7d80e914f93bea144a5c85c172ba068 /base/tps
parent52694cd6acf81446623b6d24947d8d3afdc8536c (diff)
Change lifecycle at end of enrollment if it is not already set.
TPS throws "err=6" when attempting to format and enroll G&D Cards. https://bugzilla.redhat.com/show_bug.cgi?id=1320283 This fix addresses this bug, but also fixes this issue: Applet upgrade during rekey operation results in formatted token. Also, it takes care of a related issue where the new apdu needed for the lifecycle state causes the testing tool "tpsclient" to seg fault. The fix here is a minimal fix to have tpsclient return an error when it gets this apdu it can't handle, instead of crashing.
Diffstat (limited to 'base/tps')
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java17
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java46
2 files changed, 60 insertions, 3 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index af3e92e08..64cc571e3 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -100,6 +100,13 @@ public class TPSEnrollProcessor extends TPSProcessor {
AppletInfo appletInfo = null;
TokenRecord tokenRecord = null;
+
+ byte lifecycleState = (byte) 0xf0;
+ int appletUpgraded = 0;
+
+
+ lifecycleState = getLifecycleState();
+
try {
appletInfo = getAppletInfo();
auditOpRequest("enroll", appletInfo, "success", null);
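Review bot: `byte lifecycleState = (byte) 0xf0;` is overwritten by `lifecycleState = getLifecycleState();` a few lines later, so the initialiser is dead and the 0xf0 sentinel ends up hard-coded both here and in TPSProcessor.getLifecycleState. I would collapse the two statements into `byte lifecycleState = getLifecycleState();` and put a comment above it such as `// 0xf0 means the state could not be read; any value other than 0x0f forces the reset at the end of enrollment`. A named constant for the sentinel in TPSProcessor would keep the two files from drifting apart. The enclosing method starts and ends outside this hunk.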
@@ -353,7 +360,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
//We will skip the auth step inside of format
format(true);
} else {
- checkAndUpgradeApplet(appletInfo);
+ appletUpgraded = checkAndUpgradeApplet(appletInfo);
//Get new applet info
appletInfo = getAppletInfo();
}
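Review bot: The `format(true)` branch leaves `appletUpgraded` at 0 and keeps the `lifecycleState` that was read before the format, so the check at the end of enrollment decides on a pre-format value on this path. Whether format changes the applet's lifecycle state is not visible in this hunk, but if it can, the reset could be skipped for a token that was just formatted. Adding `lifecycleState = (byte) 0xf0;` right after `format(true);` would force the reset on that path, which matches the behaviour before this commit. The surrounding if/else starts outside this hunk.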
@@ -542,7 +549,13 @@ public class TPSEnrollProcessor extends TPSProcessor {
writeIssuerInfoToToken(channel, appletInfo);
statusUpdate(99, "PROGRESS_SET_LIFECYCLE");
- channel.setLifeycleState((byte) 0x0f);
+
+ if( lifecycleState != 0x0f || appletUpgraded == 1) {
+ CMS.debug(method + " Need to reset the lifecycle state. current state: " + lifecycleState + " Was applet upgraded: " + appletUpgraded );
+ channel.setLifeycleState((byte) 0x0f);
+ } else {
+ CMS.debug(method + " No need to reset lifecycle state, it is already at the proper value.");
+ }
//update the tokendb with new certs
CMS.debug(method + " updating tokendb with certs.");
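Review bot: The new `if( lifecycleState != 0x0f || appletUpgraded == 1)` skips `channel.setLifeycleState` on the strength of a byte the token reported at the very start of enrollment, and nothing in the visible hunks shows that exchange being protected by the secure channel. If it is not, the server is trusting a client-supplied value to decide whether the final state write happens; a comment stating that assumption, or re-reading the state over `channel` just before this check, would make the decision auditable. Separately, the debug line concatenates the `byte` directly, so the 0xf0 sentinel is logged as -16; `Integer.toHexString(lifecycleState & 0xff)` would log the value operators expect. The enclosing method continues outside this hunk.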
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 2b42dc613..9530dd544 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -59,6 +59,7 @@ import org.dogtagpki.server.tps.mapping.FilterMappingParams;
import org.dogtagpki.tps.apdu.APDU;
import org.dogtagpki.tps.apdu.APDUResponse;
import org.dogtagpki.tps.apdu.GetDataAPDU;
+import org.dogtagpki.tps.apdu.GetLifecycleAPDU;
import org.dogtagpki.tps.apdu.GetStatusAPDU;
import org.dogtagpki.tps.apdu.GetVersionAPDU;
import org.dogtagpki.tps.apdu.InitializeUpdateAPDU;
@@ -388,6 +389,46 @@ public class TPSProcessor {
}
+ protected byte getLifecycleState() {
+
+ byte resultState = (byte) 0xf0;
+
+ String method = "TPSProcessor.getLifecycleState:";
+ CMS.debug(".getLifecycleState: ");
+
+ GetLifecycleAPDU getLifecycle = new GetLifecycleAPDU();
+
+ try {
+
+ selectCoolKeyApplet();
+
+ APDUResponse response = handleAPDURequest(getLifecycle);
+
+ if (!response.checkResult()) {
+ return resultState;
+ }
+
+ TPSBuffer result = response.getResultDataNoCode();
+
+ CMS.debug(method + " result size: " + result.size());
+
+ //Only one byte of data returned not including the 2 result bytes
+
+ if (result.size() == 1) {
+ resultState = result.at(0);
+
+ CMS.debug(method + " result: " + resultState);
+ }
+
+ } catch (TPSException | IOException e) {
+ CMS.debug(method + " problem getting state: " + e);
+ }
+
+ return resultState;
+
+ }
+
+
protected TPSBuffer encryptData(AppletInfo appletInfo, TPSBuffer keyInfo, TPSBuffer plaintextChallenge,
String connId) throws TPSException {
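Review bot: getLifecycleState returns the 0xf0 sentinel on three different paths (a failed `response.checkResult()`, a result whose size is not 1, and a caught TPSException/IOException) and only the last one leaves a trace in the debug log. Since the caller in TPSEnrollProcessor treats anything other than 0x0f as "reset required", a log line on the other two paths, e.g. `CMS.debug(method + " bad response, returning default state");` before the early return, would let an operator tell a card that rejected the APDU from one that answered with an unexpected length. The opening `CMS.debug(".getLifecycleState: ");` does not use the `method` prefix declared one line above it; `CMS.debug(method + " entering..");` would match the rest of the method. The method also needs a Javadoc saying that 0xf0 means "state unknown" and that no exception is propagated to the caller.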
@@ -868,7 +909,7 @@ public class TPSProcessor {
}
- protected void checkAndUpgradeApplet(AppletInfo appletInfo) throws TPSException, IOException {
+ protected int checkAndUpgradeApplet(AppletInfo appletInfo) throws TPSException, IOException {
CMS.debug("checkAndUpgradeApplet: entering..");
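Review bot: checkAndUpgradeApplet now returns an `int` that the caller only ever compares with 1, so the return type should be `boolean` (`protected boolean checkAndUpgradeApplet(AppletInfo appletInfo) throws TPSException, IOException`), with `boolean appletUpgraded` and a plain `|| appletUpgraded` in TPSEnrollProcessor. The declaration and assignment of `upgraded` lie outside the visible hunks, so it cannot be confirmed from here that every path sets it before the `return upgraded;` added in the next hunk. The method has no Javadoc describing the new return value, and changing the return type of a protected method will break any subclass that overrides it with `void`, which is worth checking across the tree.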
@@ -904,6 +945,7 @@ public class TPSProcessor {
}
+ return upgraded;
}
protected void upgradeApplet(AppletInfo appletInfo, String operation, String new_version,
@@ -2984,6 +3026,8 @@ public class TPSProcessor {
}
}
+
+
protected boolean checkSymmetricKeysEnabled() throws TPSException {
boolean result = true;