Fwd: Issues with recovering private keys with new TPS key recovery Features
by John Magne
Hello Niranjan:
Thanks for this observation and all of the info.
Niranjan, you are correct. I was able to verify your results.
I was also able to figure out the cause and a fix.
The problem turns out to be some missing settings from the externalRegAddToToken profile.
Below I will print out what should be the minimum for this to work and will explain in-line:
op.enroll.externalRegAddToToken._000=#########################################
op.enroll.externalRegAddToToken._001=# for externalReg recovering certs/keys only
op.enroll.externalRegAddToToken._002=#########################################
op.enroll.externalRegAddToToken.auth.enable=true
op.enroll.externalRegAddToToken.auth.id=ldap1
op.enroll.externalRegAddToToken.cardmgr_instance=A0000000030000
op.enroll.externalRegAddToToken.issuerinfo.enable=true
op.enroll.externalRegAddToToken.issuerinfo.value=
op.enroll.externalRegAddToToken.loginRequest.enable=true
op.enroll.externalRegAddToToken.pkcs11obj.compress.enable=true
op.enroll.externalRegAddToToken.pkcs11obj.enable=true
op.enroll.externalRegAddToToken.tks.conn=tks1
op.enroll.externalRegAddToToken.update.applet.directory=/usr/share/pki/tps/applets
op.enroll.externalRegAddToToken.update.applet.emptyToken.enable=true
op.enroll.externalRegAddToToken.update.applet.enable=false
op.enroll.externalRegAddToToken.update.applet.encryption=true
op.enroll.externalRegAddToToken.update.applet.requiredVersion=1.4.4d40a449
op.enroll.externalRegAddToToken.update.symmetricKeys.enable=false
op.enroll.externalRegAddToToken.update.symmetricKeys.requiredVersion=1
The following are the missing settings.
These tell TPS what capabilities to grant to the keys on the token:
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.decrypt=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.derive=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.encrypt=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.private=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.sensitive=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.sign=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.signRecover=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.token=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.unwrap=true
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.verify=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.verifyRecover=false
op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.wrap=false
We also need the following setting to make sure the label of the token is set properly.
We want what is in the "cn" value in ldap. Your example was giving us the cuid value, which is a fallback.
op.enroll.externalRegAddToToken.keyGen.tokenName=$auth.cn$
I suspect we need similar settings in the delegateISEtoken profile as well.
With this config, here is the output of the certutil and the smartcard utility run against my token:
Note: I chose to create this token with ONLY two recovered encryption certs.
[jmagne@localhost tests]$ certutil -d ./ -K -h "John Magne"
certutil: Checking token "John Magne" in slot "OmniKey CardMan 3121 00 00"
Enter Password or Pin for "John Magne":
< 0> rsa 01 encryption key for john c1
< 1> rsa 02 encryption key for john c2
[jmagne@localhost tests]$ ./smartcard ./
Running Smart Card tests...
Starting thread for Module COOLKEY
Waiting for card insert
SmartCardThread for COOLKEY started
Found Smart cart John Magne. running Tests
Password for John Magne?
-----Found Cert 1: UID=jmagne,O=Token Key User
KeyType: RSA
CertID [1] = 01
KeyID [1] = 01
Key can encipher... Testing enciphering
**enciphering test succeeded
-----Found Cert 2: UID=jmagne,O=Token Key User
KeyType: RSA
CertID [1] = 02
KeyID [1] = 02
Key can encipher... Testing enciphering
**enciphering test succeeded
----- Forwarded Message -----
> From: "M.R Niranjan" <mrniranjan(a)redhat.com>
> To: "Christina Fu" <cfu(a)redhat.com>
> Cc: "John Magne" <jmagne(a)redhat.com>, "Asha Akkiangady" <aakkiang(a)redhat.com>, "Roshni Pattath" <rpattath(a)redhat.com>
> Sent: Tuesday, October 15, 2013 2:10:57 AM
> Subject: Issues with recovering private keys with new TPS key recovery Features
>
> Greetings,
>
> I am facing issues with regard to private keys recovered onto the token
> using the externalRegAddToToken and delegateISEtoken token types.
>
> Token Type: externalRegAddToToken:
>
> 1. With the token type externalRegAddToToken, I am able to recover the
> certs specified in the certsToAdd attribute, but I could not list the
> private keys of the cert recovered on the token.
>
>
> Example steps:
>
> 1. Enroll a token testuser-3 with tpsclient
> 2. Create a registration user pkiuser2 to recover testuser-3 on to the token
> 3. Using externalRegAddToToken, enroll the smartcard with pkiuser2 credentials.
> 4. Enrollment is successful and we could see the testuser-3 cert on the token.
> 5. But when using the certutil -K command on the token, the private keys are not
> listed, and the same can be confirmed by loading the private key into the
> Firefox browser and taking a backup of the testuser-3 cert from Firefox,
> which fails.
>
> I am attaching more detailed steps and logs of my steps for this
> procedure in file: externalRegAddToToken
>
>
> Token Type: delegateISEtoken
>
> 1. Enroll a token testuser-4 with tpsclient
> 2. Create a registration user pkiuser3 to recover testuser-4 on to the token
> 3. Using the delegateISEtoken token type, enroll the smartcard with pkiuser3
> credentials.
> 4. Enrollment is successful and we could see the testuser-4 cert on the token.
>
> 5. With this token type, we could see that the certs/keys of the testuser-4
> cert are also recovered, but using pk12util I am unable to export it to a
> file.
>
> I am attaching detailed steps and logs of my steps for this procedure in
> file: delegateISEtoken
>
>
> Could you review and let me know if it's something I am missing or a bug.
>
>
> --
> Regards
> Niranjan
11 years, 4 months
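An added example (not Dogtag's own code) that turns John's checklist above into a lint: it parses CS.cfg-style profile lines and reports which of the keyCapabilities and tokenName entries are missing or set wrong for the encryption key of a given profile. The function names and the two sample profiles are constructed for illustration.

```python
"""Lint a TPS profile for the externalReg key-recovery settings (added example)."""

# Capabilities the recovered RSA encryption private key needs on the token,
# taken from the minimum working profile posted above.
REQUIRED_ENC_PRIVATE_CAPS = {
    "decrypt": "true", "derive": "false", "encrypt": "false",
    "private": "true", "sensitive": "true", "sign": "false",
    "signRecover": "false", "token": "true", "unwrap": "true",
    "verify": "false", "verifyRecover": "false", "wrap": "false",
}

def parse_cs_cfg(text):
    """Parse CS.cfg-style 'key=value' lines into a dict; '#' lines and blanks are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def lint_profile(cfg, profile, key_type="encryption"):
    """Return the problems found under op.enroll.<profile>.keyGen (empty list = OK)."""
    base = f"op.enroll.{profile}.keyGen"
    problems = []
    for cap, want in REQUIRED_ENC_PRIVATE_CAPS.items():
        key = f"{base}.{key_type}.private.keyCapabilities.{cap}"
        got = cfg.get(key)
        if got is None:
            problems.append(f"missing: {key}")
        elif got.lower() != want:
            problems.append(f"{key}={got} (expected {want})")
    # Without tokenName, TPS falls back to labelling the token with its CUID.
    if not cfg.get(f"{base}.tokenName"):
        problems.append(f"missing: {base}.tokenName (the fix above sets $auth.cn$)")
    return problems

# Constructed sample: a trimmed copy of the profile as first posted, without the
# keyCapabilities/tokenName lines, and the same profile with them added.
BROKEN_PROFILE = """\
op.enroll.externalRegAddToToken.auth.enable=true
op.enroll.externalRegAddToToken.auth.id=ldap1
op.enroll.externalRegAddToToken.pkcs11obj.enable=true
"""
FIXED_PROFILE = BROKEN_PROFILE + "".join(
    f"op.enroll.externalRegAddToToken.keyGen.encryption.private.keyCapabilities.{c}={v}\n"
    for c, v in REQUIRED_ENC_PRIVATE_CAPS.items()
) + "op.enroll.externalRegAddToToken.keyGen.tokenName=$auth.cn$\n"
```

To check a live instance, feed the text of its CS.cfg to parse_cs_cfg and call lint_profile with the profile name; an empty list means every setting listed above is present with the expected value.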
[PATCH] TRAC Ticket #667 - provide option for ca-less drm install [20131001]
by Matthew Harmsen
RESENT to include the DATE of this PATCH in the Subject line.
The attached patch addresses the following TRAC ticket:
* https://fedorahosted.org/pki/ticket/667 TRAC Ticket #667 - provide option for ca-less drm install
Unlike the previous patch which did not utilize a security domain and
utilized the legacy GUI panel configuration, this patch only pertains to
the non-GUI 'pkispawn' installation/configuration process as documented at:
* http://pki.fedoraproject.org/wiki/Stand-alone_PKI_Subsystems
Using this code, I have successfully installed a stand-alone DRM
utilizing a separate PKI CA as my external CA for testing purposes.
Should this code be approved, I will add the following:
* update the 'pkispawn' man page
* add similar default values as parameters to OCSP
At this stage, this code has not been tested to see if a DRM can be
successfully cloned from a Stand-Alone DRM.
-- Matt
[PATCH] 320 Added access control for TPS token.
by Endi Sukma Dewata
The TPS token REST interface has been modified to require client
certificate authentication and limit modifications to administrators only.
Ticket #652
--
Endi S. Dewata
[PATCH] 278 Storing authentication info in session.
by Endi Sukma Dewata
The authenticator configuration has been modified to store the
authentication info in the session so it can be used by other servlets.
An update script has been added to update the configuration in existing
instances.
The SSLAuthenticatorWithFallback was modified to propagate the
configuration to the actual authenticator handling the request.
--
Endi S. Dewata
[PATCH] 317 Added TPS audit resource.
by Endi Sukma Dewata
A new REST service and clients have been added to manage the audit
configuration in the TPS configuration file.
Ticket #652
--
Endi S. Dewata
[PATCH] 322 Added CA certificate CLI.
by Endi Sukma Dewata
The ca-cert-* commands have been added to eventually replace cert-*.
The CATest has been updated to use the CertClient directly.
--
Endi S. Dewata