Tree - rpms/pki-core - src.fedoraproject.org

rpms / pki-core

Overview Files Commits Branches Forks Releases
Monitoring status:

Bugzilla Assignee:

Fedora:: mharmsen
EPEL:: mharmsen
Files

Blob Blame History Raw
From e2a8a88c7ba7f3ab7889e2eec6ca4d3b2987a827 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
Date: Tue, 18 Oct 2016 18:58:21 -0700
Subject: [PATCH] PIN_RESET policy is not giving expected results when set on a
 token.

Simple fix to actually honor the PIN_RESET=<YES>or<NO> policy for a given token.

Ticket #2510.

(cherry picked from commit 8c15e8d60a4004cb63ebb0bf2bed73be919d54ee)
---
 .../server/tps/processor/TPSPinResetProcessor.java | 34 ++++++++++++++++------
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
index 9d0625a..fe3f801 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
@@ -21,6 +21,7 @@ import java.io.IOException;
 
 import org.dogtagpki.server.tps.TPSSession;
 import org.dogtagpki.server.tps.TPSSubsystem;
+import org.dogtagpki.server.tps.TPSTokenPolicy;
 import org.dogtagpki.server.tps.channel.SecureChannel;
 import org.dogtagpki.server.tps.dbs.ActivityDatabase;
 import org.dogtagpki.server.tps.dbs.TokenRecord;
@@ -98,15 +99,7 @@ public class TPSPinResetProcessor extends TPSProcessor {
                     TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
         }
 
-        TokenStatus status = tokenRecord.getTokenStatus();
-
-        CMS.debug(method + ": Token status: " + status);
-
-        if (!status.equals(TokenStatus.ACTIVE)) {
-            throw new TPSException(method + " Attempt to reset pin of token not currently active!",
-                    TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
-
-        }
+        TPSTokenPolicy tokenPolicy = new TPSTokenPolicy(tps);
 
         session.setTokenRecord(tokenRecord);
 
@@ -142,6 +135,29 @@ public class TPSPinResetProcessor extends TPSProcessor {
 
         checkAndAuthenticateUser(appletInfo, tokenType);
 
+        TokenStatus status = tokenRecord.getTokenStatus();
+
+        CMS.debug(method + ": Token status: " + status);
+
+        if (!status.equals(TokenStatus.ACTIVE)) {
+            logMsg = method + "Can not reset the pin of a non active token.";
+            auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+            throw new TPSException(method + " Attempt to reset pin of token not currently active!",
+                    TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
+
+        }
+
+        boolean pinResetAllowed = tokenPolicy.isAllowedPinReset(tokenRecord.getId());
+
+        CMS.debug(method + ": PinResetPolicy: Pin Reset Allowed:  " + pinResetAllowed);
+        logMsg = method + " PinReset Policy forbids pin reset operation.";
+        if (pinResetAllowed == false) {
+            auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+            throw new TPSException(method + " Attempt to reset pin when token policy disallows it.!",
+                    TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
+
+        }
+
         checkAndUpgradeApplet(appletInfo);
         appletInfo = getAppletInfo();
 
-- 
1.8.3.1
rpms / pki-core

Source Code

Files
