From: Jaime H. E. <hab...@gm...> - 2017-03-25 01:44:48
Next time I get around this functionality and code again I will try to
create a patch ;).
On Fri, Mar 24, 2017 at 2:52 AM, Tomas Gustavsson <to...@pr...> wrote:
>
> Ok, I understand your point, it is certainly valid.
>
> If provided with a patch, we would include it.
>
> Regards,
> Tomas
>
> On 2017-03-24 00:35, Jaime Hablutzel Egoavil wrote:
> >
> >
> > On Wed, Mar 22, 2017 at 3:07 AM, Tomas Gustavsson <to...@pr...> wrote:
> >
> >
> > The comment states that it is for verifying the supplied PIN. I.e.
> > that it works.
> >
> >
> > If I'm just about to set auto-activation for a PKCS #11 crypto token,
> > what is the purpose of verifying the old PIN? It should suffice to ask
> > for the new PIN and set auto-activation with that.
> >
> >
> >
> > What is it exactly that you want to do, and what are your
> > expectations of the process?
> >
> >
> > I just think that the following command should suffice to update a PIN
> > and set auto-activation for a PKCS #11 crypto token. No need for
> > --oldpin.
> >
> > $ ejbca.sh cryptotoken setpin --token ManagementCA --newpin partitionpassword
> >
> >
> >
> > /Tomas
> >
> > On 2017-03-21 18:34, Jaime Hablutzel Egoavil wrote:
> > >
> > >
> > > On Tue, Mar 21, 2017 at 10:19 AM, Tomas Gustavsson <to...@pr...> wrote:
> > >
> > > Hi,
> > >
> > > The "--help" text provides this information:
> > >
> > > For soft CryptoTokens the underlying keystore's pin will be modified and
> > > this requires the current activation PIN.
> > >
> > > So, being a generic command, it will use the "oldpin" to open the P12
> > > file, and change password to "newpin".
> > >
> > >
> > > Ok, for soft tokens it makes perfect sense: you need the previous PIN to
> > > open the P12 and protect it again, but the code I quoted doesn't apply
> > > for soft tokens, I'm quoting a larger chunk now:
> > >
> > > if (*SoftCryptoToken.class.getName().equals(cryptoToken.getClass().getName())*) {
> > >     ...
> > > *} else {*
> > >     if (oldAutoActivationPin != null) {
> > >         // If we have an old auto-activation pin we will compare the "current" with this value to avoid deactivating the token
> > >         if (!oldAutoActivationPin.equals(new String(currentAuthenticationCode))) {
> > >             final String msg = "Supplied PIN did not match auto-activation PIN.";
> > >             log.info(msg);
> > >             throw new CryptoTokenAuthenticationFailedException(msg);
> > >         } else {
> > >             log.debug("Successfully verified the PIN for non-soft CryptoToken by comparing supplied PIN to auto-activation PIN.");
> > >         }
> > >     } else {
> > >         *// If we don't have an auto-activation pin to compare the supplied PIN to, we need to verify the supplied*
> > >         *// PIN can be used in a de-activation/activation cycle.*
> > >         *final boolean wasInactive = !isCryptoTokenStatusActive(authenticationToken, cryptoTokenId);*
> > >         *cryptoToken.deactivate();*
> > >         *cryptoToken.activate(currentAuthenticationCode);*
> > >         *if (wasInactive) {*
> > >             *// Note that there is a small glitch here where the token was active, but we have no other options to verify the pin*
> > >             *cryptoToken.deactivate();*
> > >         *}*
> > >     }
> > >     if (newAuthenticationCode == null) {
> > >         cryptoTokenProperties.remove(CryptoToken.AUTOACTIVATE_PIN_PROPERTY);
> > >     } else {
> > >         BaseCryptoToken.setAutoActivatePin(cryptoTokenProperties, new String(newAuthenticationCode), true);
> > >     }
> > >     cryptoToken.setProperties(cryptoTokenProperties);
> > > }
> > >
> > > The highlighted section is the one that currently applies to PKCS #11
> > > crypto tokens and I just don't understand what its purpose is.
> > >
> > >
> > > The command just doesn't sense that you are not changing anything, but
> > > just giving the same PIN.
> > >
> > > Cheers,
> > > Tomas
> > >
> > > On 2017-03-21 05:46, Jaime Hablutzel Egoavil wrote:
> > > > Let's say I have a PKCS #11 crypto token deactivated and having
> > > > auto-activation disabled. Now, if I want to activate the crypto token
> > > > and turn on auto-activation using the local CLI I need to use the
> > > > following command:
> > > >
> > > > $ ejbca.sh cryptotoken setpin --token ManagementCA --oldpin partitionpassword --newpin partitionpassword
> > > >
> > > > Where --oldpin is a mandatory parameter, but... why, given that the new
> > > > PIN should suffice to activate the partition and enable auto-activation?
> > > >
> > > > Furthermore, I can see the following code being executed for the
> > > > previous operation (where currentAuthenticationCode corresponds to
> > > > --oldpin).
> > > >
> > > > // If we don't have an auto-activation pin to compare the supplied PIN to, we need to verify the supplied
> > > > // PIN can be used in a de-activation/activation cycle.
> > > > final boolean wasInactive = !isCryptoTokenStatusActive(authenticationToken, cryptoTokenId);
> > > > cryptoToken.deactivate();
> > > > cryptoToken.activate(currentAuthenticationCode);
> > > > if (wasInactive) {
> > > >     // Note that there is a small glitch here where the token was active, but we have no other options to verify the pin
> > > >     cryptoToken.deactivate();
> > > > }
> > > >
> > > > But I can't figure out the reason to exercise this
> > > > de-activation/activation cycle in the current scenario. Why would you
> > > > want to test the previous or current PIN when you are about to set a new
> > > > one?
> > > >
> > > > Can you please provide some explanation on the reason to require
> > > > --oldpin and what the previous code is doing?
> > > >
> > > > Note: Previous commands and code snippets apply to EJBCA CE 6.5.0.4.
> > > >
> > > > --
> > > > Jaime Hablutzel - RPC 994690880
> > > >
> > > >
> > > >
> > >
> > > > ------------------------------------------------------------------------------
> > > > Check out the vibrant tech community on one of the world's most
> > > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > > > _______________________________________________
> > > > Ejbca-develop mailing list
> > > > Ejb...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>
--
Jaime Hablutzel - RPC 994690880
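The PIN-verification logic the thread is arguing about, modelled as an added example. This is Python written for this page, not EJBCA's Java and not code from the project: `FakePkcs11Token`, `AUTOACTIVATE_PIN_PROPERTY`, `update_pin` and `run_scenarios` are constructed names, and the model follows only the control flow of the quoted non-soft-token branch, so the real command may differ in details it does not show. It exercises both verification paths (string comparison against a stored auto-activation PIN, or the deactivate/activate cycle) and makes the operational consequence of the cycle visible: because `deactivate()` runs before the supplied PIN is tested, a mistyped --oldpin on a token that was active leaves that token deactivated, which is the availability angle behind the "small glitch" comment.

```python
# Added example: a model of the non-soft-token branch of EJBCA's
# "cryptotoken setpin" logic quoted in the thread above. NOT EJBCA code.
# The token class, the property key and the event trace are constructed.

AUTOACTIVATE_PIN_PROPERTY = "autoactivate_pin"  # constructed key, not EJBCA's constant


class CryptoTokenAuthenticationFailedException(Exception):
    """Stand-in for the exception the quoted code throws on a PIN mismatch."""


class FakePkcs11Token:
    """Constructed stand-in for a PKCS #11 CryptoToken.

    activate() succeeds only with the partition password; every state
    transition is appended to `events` so a caller can see what the
    command did to the token's availability.
    """

    def __init__(self, partition_password, active=False, auto_pin=None):
        self._partition_password = partition_password
        self.active = active
        self.properties = {} if auto_pin is None else {AUTOACTIVATE_PIN_PROPERTY: auto_pin}
        self.events = []

    def deactivate(self):
        self.active = False
        self.events.append("deactivate")

    def activate(self, pin):
        if pin != self._partition_password:
            self.events.append("activate:failed")
            raise CryptoTokenAuthenticationFailedException("PKCS #11 login failed")
        self.active = True
        self.events.append("activate:ok")


def update_pin(token, current_pin, new_pin):
    """Mirror of the quoted else-branch for non-soft tokens.

    current_pin plays the role of currentAuthenticationCode (--oldpin) and
    new_pin that of newAuthenticationCode (--newpin; None removes the
    stored auto-activation PIN).
    """
    old_auto_pin = token.properties.get(AUTOACTIVATE_PIN_PROPERTY)
    if old_auto_pin is not None:
        # Path 1: a stored auto-activation PIN exists, so the supplied PIN is
        # checked by comparison and the token's state is never touched.
        if old_auto_pin != current_pin:
            raise CryptoTokenAuthenticationFailedException(
                "Supplied PIN did not match auto-activation PIN.")
    else:
        # Path 2: no stored PIN, so the only available check is a
        # deactivate/activate cycle. deactivate() runs before the PIN is
        # tested: an active token goes offline, and if activate() rejects
        # the PIN it stays offline (the "small glitch" in the code comment).
        was_inactive = not token.active
        token.deactivate()
        token.activate(current_pin)
        if was_inactive:
            token.deactivate()
    if new_pin is None:
        token.properties.pop(AUTOACTIVATE_PIN_PROPERTY, None)
    else:
        token.properties[AUTOACTIVATE_PIN_PROPERTY] = new_pin
    return token


def run_scenarios():
    """Exercise both verification paths and report the resulting token state."""
    results = {}

    # 1. The thread's scenario: inactive token, auto-activation off, --oldpin
    #    and --newpin both equal to the (constructed) partition password.
    t = FakePkcs11Token("partitionpassword")
    update_pin(t, "partitionpassword", "partitionpassword")
    results["inactive_correct"] = (t.active, t.properties.get(AUTOACTIVATE_PIN_PROPERTY), list(t.events))

    # 2. Active token without a stored PIN and a wrong --oldpin: the cycle
    #    deactivates first, so the failed check leaves the token inactive.
    t = FakePkcs11Token("partitionpassword", active=True)
    try:
        update_pin(t, "wrong", "partitionpassword")
        failed = False
    except CryptoTokenAuthenticationFailedException:
        failed = True
    results["active_wrong"] = (failed, t.active, t.properties.get(AUTOACTIVATE_PIN_PROPERTY), list(t.events))

    # 3. Stored auto-activation PIN present and a wrong --oldpin: rejected by
    #    comparison, no state transition at all.
    t = FakePkcs11Token("partitionpassword", active=True, auto_pin="partitionpassword")
    try:
        update_pin(t, "wrong", "newpin")
        failed = False
    except CryptoTokenAuthenticationFailedException:
        failed = True
    results["stored_wrong"] = (failed, t.active, list(t.events))

    # 4. Stored PIN present, correct --oldpin, no --newpin: auto-activation removed.
    t = FakePkcs11Token("partitionpassword", active=True, auto_pin="partitionpassword")
    update_pin(t, "partitionpassword", None)
    results["stored_remove"] = (t.active, AUTOACTIVATE_PIN_PROPERTY in t.properties, list(t.events))

    return results


if __name__ == "__main__":
    for name, state in run_scenarios().items():
        print(name, state)
```

Scenario 2 is the one worth watching in a deployment: an operator who mistypes --oldpin against an active HSM-backed CA token does not just get an error, the token is also left deactivated until someone activates it again, so the audit trail for that command should be read together with the token's activation status.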