From 4027d3caa872f2950dae0b3d2208c0c54ceb4a4c Mon Sep 17 00:00:00 2001 From: Jack Magne Date: Tue, 15 Nov 2016 17:37:07 -0800 Subject: Change lifecycle at end of enrollment if it is not already set. TPS throws "err=6" when attempting to format and enroll G&D Cards. https://bugzilla.redhat.com/show_bug.cgi?id=1320283 This fix addresses this bug , but also: Fixes this issue: Applet upgrade during rekey operation results in formatted token. Also, it takes care of a related issue where the new apdu needed for the lifecycle state causes the testing tool "tpslcient" to seg fault. The fix here is a minimal fix to have tpsclient return an error when it gets this apdu it can't handle, instead of crashing. --- .../server/tps/processor/TPSEnrollProcessor.java | 17 +++++++- .../server/tps/processor/TPSProcessor.java | 46 +++++++++++++++++++++- 2 files changed, 60 insertions(+), 3 deletions(-) (limited to 'base/tps') diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java index af3e92e08..64cc571e3 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java @@ -100,6 +100,13 @@ public class TPSEnrollProcessor extends TPSProcessor { AppletInfo appletInfo = null; TokenRecord tokenRecord = null; + + byte lifecycleState = (byte) 0xf0; + int appletUpgraded = 0; + + + lifecycleState = getLifecycleState(); + try { appletInfo = getAppletInfo(); auditOpRequest("enroll", appletInfo, "success", null); @@ -353,7 +360,7 @@ public class TPSEnrollProcessor extends TPSProcessor { //We will skip the auth step inside of format format(true); } else { - checkAndUpgradeApplet(appletInfo); + appletUpgraded = checkAndUpgradeApplet(appletInfo); //Get new applet info appletInfo = getAppletInfo(); } 
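Review bot: In the hunk at line 100, `lifecycleState` is initialised to the `(byte) 0xf0` sentinel and then unconditionally overwritten by `getLifecycleState()` two lines later, so the literal is dead and duplicates the default that `getLifecycleState()` already returns on failure. Declaring it at the call, `byte lifecycleState = getLifecycleState();`, keeps one source of truth for the sentinel, and `boolean appletUpgraded = false;` would say what the flag means instead of an int later compared against 1. The query is issued before `getAppletInfo()` and the audit call inside the `try`, so on a token that cannot answer it the failure only shows in the debug log; that looks like an intended fail-safe (the sentinel forces the later reset) and deserves a comment such as `// 0xf0 = state unknown; forces the setLifeycleState below`. The enclosing enroll method starts and ends outside the hunk.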
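Review bot: In the hunk at line 353 only the `else` branch records whether the applet changed; when `format(true)` runs, `appletUpgraded` stays 0 and `lifecycleState` keeps the value read at the top of enroll, before the format, so the later `if (lifecycleState != 0x0f || appletUpgraded == 1)` decides on a possibly stale reading. If `format(true)` re-installs the applet or otherwise changes the lifecycle byte, the reset could be skipped on exactly the tokens that need it. Re-reading the state once `format(true)` returns, `lifecycleState = getLifecycleState();`, or setting the upgraded flag in that branch, would remove the dependence on call order. Whether format actually alters the lifecycle state is not visible in this diff and needs confirming against the format path; the enclosing method starts and ends outside the hunk.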
@@ -542,7 +549,13 @@ public class TPSEnrollProcessor extends TPSProcessor { writeIssuerInfoToToken(channel, appletInfo); statusUpdate(99, "PROGRESS_SET_LIFECYCLE"); - channel.setLifeycleState((byte) 0x0f); + + if( lifecycleState != 0x0f || appletUpgraded == 1) { + CMS.debug(method + " Need to reset the lifecycle state. current state: " + lifecycleState + " Was applet upgraded: " + appletUpgraded ); + channel.setLifeycleState((byte) 0x0f); + } else { + CMS.debug(method + " No need to reset lifecycle state, it is already at the proper value."); + } //update the tokendb with new certs CMS.debug(method + " updating tokendb with certs."); diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java index 2b42dc613..9530dd544 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java @@ -59,6 +59,7 @@ import org.dogtagpki.server.tps.mapping.FilterMappingParams; import org.dogtagpki.tps.apdu.APDU; import org.dogtagpki.tps.apdu.APDUResponse; import org.dogtagpki.tps.apdu.GetDataAPDU; +import org.dogtagpki.tps.apdu.GetLifecycleAPDU; import org.dogtagpki.tps.apdu.GetStatusAPDU; import org.dogtagpki.tps.apdu.GetVersionAPDU; import org.dogtagpki.tps.apdu.InitializeUpdateAPDU; 
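Review bot: The condition `lifecycleState != 0x0f || appletUpgraded == 1` relies on two magic values whose meaning is only recoverable from `getLifecycleState()` in TPSProcessor.java: `0x0f` is the state the enrollment sets and `0xf0` the unknown-state sentinel that deliberately never matches. A pair of named constants on TPSProcessor, e.g. `protected static final byte LIFECYCLE_EXPECTED = (byte) 0x0f;` and `protected static final byte LIFECYCLE_UNKNOWN = (byte) 0xf0;`, used here, in `channel.setLifeycleState(...)` and in `getLifecycleState()`, would make the fail-safe explicit and stop the two files drifting apart. The added debug line also prints the `byte` as a signed decimal (`-16` for `0xf0`), which is hard to match against the APDU documentation; `Integer.toHexString(lifecycleState & 0xff)` reads better. The enclosing method starts and ends outside the hunk.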
@@ -388,6 +389,46 @@ public class TPSProcessor { } + protected byte getLifecycleState() { + + byte resultState = (byte) 0xf0; + + String method = "TPSProcessor.getLifecycleState:"; + CMS.debug(".getLifecycleState: "); + + GetLifecycleAPDU getLifecycle = new GetLifecycleAPDU(); + + try { + + selectCoolKeyApplet(); + + APDUResponse response = handleAPDURequest(getLifecycle); + + if (!response.checkResult()) { + return resultState; + } + + TPSBuffer result = response.getResultDataNoCode(); + + CMS.debug(method + " result size: " + result.size()); + + //Only one byte of data returned not including the 2 result bytes + + if (result.size() == 1) { + resultState = result.at(0); + + CMS.debug(method + " result: " + resultState); + } + + } catch (TPSException | IOException e) { + CMS.debug(method + " problem getting state: " + e); + } + + return resultState; + + } + + protected TPSBuffer encryptData(AppletInfo appletInfo, TPSBuffer keyInfo, TPSBuffer plaintextChallenge, String connId) throws TPSException { @@ -868,7 +909,7 @@ public class TPSProcessor { } - protected void checkAndUpgradeApplet(AppletInfo appletInfo) throws TPSException, IOException { + protected int checkAndUpgradeApplet(AppletInfo appletInfo) throws TPSException, IOException { CMS.debug("checkAndUpgradeApplet: entering.."); @@ -904,6 +945,7 @@ public class TPSProcessor { } + return upgraded; } protected void upgradeApplet(AppletInfo appletInfo, String operation, String new_version, @@ -2984,6 +3026,8 @@ public class TPSProcessor { } } + + protected boolean checkSymmetricKeysEnabled() throws TPSException { boolean result = true; -- cgit
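Review bot: In the hunk at line 388, `getLifecycleState()` folds every failure into the same `(byte) 0xf0` return: a failed `checkResult()` returns silently, a reply whose size is not 1 is visible only through the size debug line, and `TPSException | IOException` are caught and logged. Because the only caller treats anything other than `0x0f` as "reset the lifecycle", this is a safe default, but it should be stated in a Javadoc along the lines of "Reads the applet lifecycle byte; returns 0xf0 when it cannot be determined, which makes the caller re-set the state", and the early return would be easier to trace with `CMS.debug(method + " GetLifecycle APDU failed, returning default state");` before `return resultState;`. The opening trace `CMS.debug(".getLifecycleState: ");` ignores the `method` prefix the rest of the body uses, so `CMS.debug(method + " entering");` keeps the log greppable. The `encryptData` signature at the end of the hunk continues outside it.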
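Review bot: In the hunk at line 868, `checkAndUpgradeApplet` now returns an `int` that the caller in TPSEnrollProcessor.java compares against 1, although the information is a yes/no; `protected boolean checkAndUpgradeApplet(AppletInfo appletInfo) throws TPSException, IOException` with `return upgraded != 0;` (assuming `upgraded` is the int the new return type implies, or a boolean if it already is one) would let the compiler reject stray values and read naturally at the call site. The same applies to the `return upgraded;` added in the hunk at line 904. The method body and the declaration of `upgraded` lie outside both hunks, and since the method is protected any subclass overriding it would also need updating. A `@return` tag, "true when the applet was replaced during this call", would document the new contract.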