Hello Niranjan:
Thanks for this observation and all of the info.
Niranjan, you are correct. I was able to verify your results.
I was also able to figure out the cause and a fix.
The problem turns out to be some missing settings from the externalRegAddToToken profile.
Below I will print out what should be the minimum for this to work and will explain in-line:
op.enroll.externalRegAddToToken._000=#########################################
op.enroll.externalRegAddToToken._001=# for externalReg recovering certs/keys only
op.enroll.externalRegAddToToken._002=#########################################
op.enroll.externalRegAddToToken.auth.enable=true
op.enroll.externalRegAddToToken.auth.id=ldap1
op.enroll.externalRegAddToToken.cardmgr_instance=A0000000030000
op.enroll.externalRegAddToToken.issuerinfo.enable=true
op.enroll.externalRegAddToToken.issuerinfo.value=
op.enroll.externalRegAddToToken.loginRequest.enable=true
op.enroll.externalRegAddToToken.pkcs11obj.compress.enable=true
op.enroll.externalRegAddToToken.pkcs11obj.enable=true
op.enroll.externalRegAddToToken.tks.conn=tks1
op.enroll.externalRegAddToToken.update.applet.directory=/usr/share/pki/tps/applets
op.enroll.externalRegAddToToken.update.applet.emptyToken.enable=true
op.enroll.externalRegAddToToken.update.applet.enable=false
op.enroll.externalRegAddToToken.update.applet.encryption=true
op.enroll.externalRegAddToToken.update.applet.requiredVersion=1.4.4d40a449
op.enroll.externalRegAddToToken.update.symmetricKeys.enable=false
op.enroll.externalRegAddToToken.update.symmetricKeys.requiredVersion=1
The following are the missing settings.
These tell TPS what capabilities to grant to the keys on the token:
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.decrypt=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.derive=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.encrypt=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.private=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.sensitive=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.sign=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.signRecover=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.token=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.unwrap=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.verify=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.verifyRecover=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.wrap=false
We also need the following setting to make sure the label of the token is set properly.
We want what is in the "cn" value in ldap. Your example was giving us the cuid
value, which is a fallback.
op.enroll.externalRegAddToToken.keyGen.tokenName=$auth.cn$
I suspect we need similar settings in the deleteISEToken profile as well.
With this config, here is the output of the certutil and the smartcard utility run against
my token:
Note: I chose to create this token with ONLY two recovered encryption certs.
certutil -d ./ -K -h "John Magne"
certutil: Checking token "John Magne" in slot "OmniKey CardMan 3121 00 00"
Enter Password or Pin for "John Magne":
< 0> rsa 01 encryption key for john c1
< 1> rsa 02 encryption key for john c2
[jmagne@localhost tests]$ ./smartcard ./
Running Smart Card tests...
Starting thread for Module COOLKEY
Waiting for card insert
SmartCardThread for COOLKEY started
Found Smart cart John Magne. running Tests
Password for John Magne?
-----Found Cert 1: UID=jmagne,O=Token Key User
KeyType: RSA
CertID [1] = 01
KeyID [1] = 01
Key can encipher... Testing enciphering
**enciphering test succeeded
-----Found Cert 2: UID=jmagne,O=Token Key User
KeyType: RSA
CertID [1] = 02
KeyID [1] = 02
Key can encipher... Testing enciphering
**enciphering test succeeded
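Since the whole fix comes down to settings that were silently absent from the profile, a small lint over a TPS CS.cfg-style file is the check I would want before re-enrolling. This is an added example, not code from Dogtag/TPS; the sample config is constructed (the profile as posted, minus most of the keyGen.* lines), and the expected values are the ones listed in the fix above.

```python
"""Lint a TPS profile for the keyCapabilities/tokenName settings discussed above.
Added example, not part of Dogtag/TPS; the sample config is constructed."""

# Constructed sample: the profile as posted, with most keyGen.* lines absent
# and one capability set to a value the fix does not want.
SAMPLE_CFG = """\
op.enroll.externalRegAddToToken._000=#########################################
op.enroll.externalRegAddToToken._001=# for externalReg recovering certs/keys only
op.enroll.externalRegAddToToken.auth.enable=true
op.enroll.externalRegAddToToken.auth.id=ldap1
op.enroll.externalRegAddToToken.pkcs11obj.enable=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.decrypt=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.sign=true
"""

# Values from the fix: a recovered encryption private key may decrypt/unwrap,
# is private, sensitive and token-resident, and gets no sign/wrap/derive use.
EXPECTED_KEYCAPS = {
    "decrypt": "true", "derive": "false", "encrypt": "false", "private": "true",
    "sensitive": "true", "sign": "false", "signRecover": "false", "token": "true",
    "unwrap": "true", "verify": "false", "verifyRecover": "false", "wrap": "false",
}

def parse_cfg(text):
    """Parse key=value lines. A '#' only starts a comment at line start, so the
    '_000=####' banner entries keep their values like TPS does."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def lint_profile(cfg, profile="externalRegAddToToken"):
    """Return findings: missing or unexpected capability settings and an
    unset tokenName (which makes TPS fall back to the cuid as the label)."""
    prefix = f"op.enroll.{profile}.keyGen."
    findings = []
    for cap, want in EXPECTED_KEYCAPS.items():
        key = f"{prefix}encryption.private.keyCapabilities.{cap}"
        got = cfg.get(key)
        if got is None:
            findings.append(f"missing {key} (expected {want})")
        elif got != want:
            findings.append(f"{key}={got} (expected {want})")
    name_key = prefix + "tokenName"
    if cfg.get(name_key) != "$auth.cn$":
        findings.append(f"{name_key} not $auth.cn$; label falls back to cuid")
    return findings
```

Run it against the real CS.cfg by reading the file into `parse_cfg`; an empty list from `lint_profile` means the profile carries every setting from the fix.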
----- Forwarded Message -----
From: "M.R Niranjan" <mrniranjan(a)redhat.com>
To: "Christina Fu" <cfu(a)redhat.com>
Cc: "John Magne" <jmagne(a)redhat.com>, "Asha Akkiangady" <aakkiang(a)redhat.com>, "Roshni Pattath" <rpattath(a)redhat.com>
Sent: Tuesday, October 15, 2013 2:10:57 AM
Subject: Issues with recovering private keys with new TPS key recovery Features
Greetings,
I am facing issues with regard to Private keys recovered on to the token
using externalRegAddToToken and delegateISEtoken token types.
Token Type: externalRegAddToToken:
1. With the token type externalRegAddToToken, I am able to recover the
certs specified in the certsToAdd attribute, but I could not list the
private keys of the cert recovered on the token.
Example steps:
1. Enroll a token testuser-3 with tpsclient
2. Create a registration user pkiuser2 to recover testuser-3 on to the token
3. Using externalRegAddToToken, enroll the smartcard with pkiuser2 credentials.
4. Enrollment is successful and we could see the testuser-3 cert on the token.
5. But when using the certutil -K command on the token, private keys are not
listed, and the same can be confirmed by loading the private key into the
Firefox browser and taking a backup of the testuser-3 cert from Firefox,
which fails.
I am attaching more detailed steps and logs of my steps for this
procedure in file: externalRegAddToToken
Token Type: delegateISEtoken
1. Enroll a token testuser-4 with tpsclient
2. Create a registration user pkiuser3 to recover testuser-4 on to the token
3. Using the delegateISEtoken token type, enroll the smartcard with pkiuser3
credentials.
4. Enrollment is successful and we could see the testuser-4 cert on the token.
5. With this tokenType, we could see that the certs/keys of the testuser-4
cert are also recovered, but using pk12util I am unable to export it to a
file.
I am attaching detailed steps and logs of my steps for this procedure in
file: delegateISEtoken
Could you review and let me know if it's something I am missing or if it is a bug.
--
Regards
Niranjan