PIN_RESET policy is not giving expected results when set on a token.
Simple fix to actually honor the PIN_RESET=<YES>or<NO> policy for a given
token.
Minor logging improvements added as well for this error condition.
Ticket #2510.
From 09dba122f01881b93d32a03a51d0be37c247cb30 Mon Sep 17 00:00:00 2001
From: Jack Magne <[email protected]>
Date: Tue, 18 Oct 2016 18:58:21 -0700
Subject: [PATCH] PIN_RESET policy is not giving expected results when set on a
token.
Simple fix to actually honor the PIN_RESET=<YES>or<NO> policy for a given token.
Ticket #2510.
---
.../server/tps/processor/TPSPinResetProcessor.java | 34 ++++++++++++++++------
1 file changed, 25 insertions(+), 9 deletions(-)
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
index 9d0625a..fe3f801 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
@@ -21,6 +21,7 @@ import java.io.IOException;
import org.dogtagpki.server.tps.TPSSession;
import org.dogtagpki.server.tps.TPSSubsystem;
+import org.dogtagpki.server.tps.TPSTokenPolicy;
import org.dogtagpki.server.tps.channel.SecureChannel;
import org.dogtagpki.server.tps.dbs.ActivityDatabase;
import org.dogtagpki.server.tps.dbs.TokenRecord;
@@ -98,15 +99,7 @@ public class TPSPinResetProcessor extends TPSProcessor {
TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
}
- TokenStatus status = tokenRecord.getTokenStatus();
-
- CMS.debug(method + ": Token status: " + status);
-
- if (!status.equals(TokenStatus.ACTIVE)) {
- throw new TPSException(method + " Attempt to reset pin of token not currently active!",
- TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
-
- }
+ TPSTokenPolicy tokenPolicy = new TPSTokenPolicy(tps);
session.setTokenRecord(tokenRecord);
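Review bot: The ACTIVE-status check removed here is re-added in the following hunk only after checkAndAuthenticateUser, so `session.setTokenRecord(tokenRecord)` and whatever runs in the roughly 35 lines between the two hunks (outside this view) now execute for a non-active token before it is rejected. That reordering is presumably intended so the failure audit entry can carry the authenticated userid, but it is worth confirming that nothing in that stretch has side effects that should be gated on token status. A one-line comment at the new `TPSTokenPolicy` line such as `// token status and pin-reset policy are checked after user authentication so the audit entry carries the userid` would record the intent. The enclosing method starts outside the hunk.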
@@ -142,6 +135,29 @@ public class TPSPinResetProcessor extends TPSProcessor {
checkAndAuthenticateUser(appletInfo, tokenType);
+ TokenStatus status = tokenRecord.getTokenStatus();
+
+ CMS.debug(method + ": Token status: " + status);
+
+ if (!status.equals(TokenStatus.ACTIVE)) {
+ logMsg = method + "Can not reset the pin of a non active token.";
+ auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+ throw new TPSException(method + " Attempt to reset pin of token not currently active!",
+ TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
+
+ }
+
+ boolean pinResetAllowed = tokenPolicy.isAllowedPinReset(tokenRecord.getId());
+
+ CMS.debug(method + ": PinResetPolicy: Pin Reset Allowed: " + pinResetAllowed);
+ logMsg = method + " PinReset Policy forbids pin reset operation.";
+ if (pinResetAllowed == false) {
+ auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+ throw new TPSException(method + " Attempt to reset pin when token policy disallows it.!",
+ TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
+
+ }
+
checkAndUpgradeApplet(appletInfo);
appletInfo = getAppletInfo();
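Review bot: `logMsg` is assigned the "PinReset Policy forbids" text before the `if` on the policy check, so on the allowed path the variable keeps that denial message; if a later audit or log call in this method (which continues past the hunk) reuses `logMsg`, a successful reset would be recorded with a denial text. Move the assignment inside the branch and drop the boolean comparison: `if (!pinResetAllowed) {` followed by `logMsg = method + " PinReset Policy forbids pin reset operation.";`. The non-active-token message a few lines earlier also lacks the separating space the other messages carry (`method + " Can not reset the pin of a non active token."`), and the thrown policy message ends in `.!`. Both new rejections reuse STATUS_ERROR_MAC_RESET_PIN_PDU, which reports a policy or status denial to the client as a MAC failure; if TPSStatus offers a more specific status, using it would make the denial distinguishable from a channel fault both on the client and in the audit trail.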
--
2.5.0