[Pki-devel] [PATCH] 331-333 add support for synchronous key archival and recovery requests.

Ade Lee alee at redhat.com
Fri Nov 11 14:20:21 UTC 2016


Thanks for reviews (Endi and Jack).  Pushed to master with a few minor
changes to auditing.

Ade

On Wed, 2016-11-09 at 10:59 -0500, Ade Lee wrote:
> Based on feedback by Endi, I have reworked the patches.
> As Endi pointed out, it makes little sense for the client to determine
> whether or not a request is stored to ldap.  This should be a
> server side decision.
> 
> Accordingly, I have modified retrieveKey() as follows:
> 
> When clients call retrieveKey(), three possible alternatives now obtain:
> 
> 1. client passes in an approved request. Request is processed 
>    and the secret is retrieved.
> 2. client passes in key_id and wrapping parameters and either:
>   a) request can be processed immediately and synchronously
>      and request is created, and secret is returned.
>   b) request cannot be processed immediately.  Recovery request
>      is created and request_id returned to the client
>     
> Depending on server configuration, the requests in case (2a) will be
> stored in ldap or will be ephemeral (in memory only).
>     
> More complicated realm based logic to determine if requests
> can be processed synchronously (and possibly ephemerally) will be
> added in a later patch.
> 
> Python client patches coming soon as well.
> 
> ***********************************************************************
> You can test the patches as follows:
> 
> (archive and retrieve a passphrase)
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-archive --passphrase "foobar" --clientKeyID "test_1"
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-retrieve --keyID 0xc
> 
> (retrieve the passphrase using an approved recovery request)
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-retrieve --keyID 0xc
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-request-review --action approve 0x36
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-retrieve --requestID 0x36
> 
> The above should create requests (archival and recovery) in LDAP.
> Add the following to CS.cfg (and restart the KRA):
> 
>     kra.ephemeral=true
> 
> Redo the above tests, and no requests should be written to LDAP.
> 
> Finally, test a case where more than one approval is needed.
> Add the following to CS.cfg and restart the KRA.
> 
>     kra.noOfRequiredSecurityDataRecoveryAgents=2
> 
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-retrieve --keyID 0xc
> 
> This should return a recovery request ID (which will be written to
> LDAP).
> You will need another agent to approve this request before it can be
> used to retrieve the key.
> 
> Ade
> 
> On Fri, 2016-11-04 at 16:11 -0400, Ade Lee wrote:
> > 
> > Hi all, 
> > 
> > This is in support of Ticket https://fedorahosted.org/pki/ticket/2532
> > 
> > This is a preliminary set of patches - just so you can see what I'm
> > doing in case I need to change anything.
> > 
> > Note: With the changes, you can archive a secret like this:
> > 
> > pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID "test_1"
> > 
> > pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID "test_2" --express
> > 
> > The first invocation will archive a secret and create an archival
> > request in LDAP.  The second will create one only in memory - and
> > will not store it in LDAP.
> > 
> > You can of course, see the requests created using - 
> > 
> > pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-request-find
> > 
> > For retrieving the secret, you can do either:
> > 
> > pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h aleeredhat.laptop -p 8443 key-retrieve --keyID 0x5
> > 
> > pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h aleeredhat.laptop -p 8443 key-retrieve --keyID 0x5 --express
> > 
> > The first will retrieve the secret while creating a retrieval
> > request.  The second will create a retrieval request only in memory,
> > and will not write it to LDAP.
> > 
> > In both cases, there should be audit logs both for retrieval and
> > archival.
> >  
> > Thanks,
> > Ade
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
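The three retrieveKey() outcomes described in the thread (an already approved request, a synchronous recovery, and an asynchronous recovery that needs further approval), together with the effect of kra.ephemeral and kra.noOfRequiredSecurityDataRecoveryAgents, as an added Python model. This is example code written for this page, not Dogtag/pki code: the Kra class, the two dict-backed request stores, the hex id scheme and the audit event names are assumptions made here to show the server-side decision; the real KRA keeps its requests in LDAP and emits its own audit events.

```python
"""Model of server-side key archival/recovery request handling (added example).

Assumptions (not from the pki project): Kra is a stand-in for the KRA, 'ldap'
and 'memory' are the persisted and ephemeral request stores, and the audit
event names are placeholders.
"""
import itertools
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    request_id: str
    key_id: str
    kind: str                                    # "archival" or "recovery"
    approvals: set = field(default_factory=set)  # approving agents, de-duplicated


@dataclass
class RetrieveResult:
    secret: Optional[bytes] = None     # set only when the request was processed
    request_id: Optional[str] = None   # id of the request created or used


class Kra:
    """Stand-in for the KRA; the client never chooses where a request is stored."""

    def __init__(self, ephemeral=False, required_agents=1):
        self.ephemeral = ephemeral              # models kra.ephemeral
        self.required_agents = required_agents  # models kra.noOfRequiredSecurityDataRecoveryAgents
        self.keys = {}      # key_id -> secret; stands in for the key repository
        self.ldap = {}      # request_id -> Request, persisted
        self.memory = {}    # request_id -> Request, ephemeral (in memory only)
        self.audit = []     # (event, agent, object_id); event names are placeholders
        self._ids = itertools.count(0x36)

    def _new_id(self):
        return f"0x{next(self._ids):x}"

    def _store(self, req, persist):
        (self.ldap if persist else self.memory)[req.request_id] = req

    def archive(self, agent, secret):
        """Archive a secret; the archival request follows the ephemeral setting."""
        key_id = f"0x{0xc + len(self.keys):x}"
        self.keys[key_id] = secret
        self._store(Request(self._new_id(), key_id, "archival", {agent}),
                    persist=not self.ephemeral)
        self.audit.append(("ARCHIVAL", agent, key_id))
        return key_id

    def retrieve_key(self, agent, key_id=None, request_id=None):
        if request_id is not None:
            # Case 1: an existing request; release only if enough agents approved.
            req = self.ldap.get(request_id) or self.memory.get(request_id)
            if req is None or req.kind != "recovery":
                raise KeyError(f"no recovery request {request_id}")
            if len(req.approvals) < self.required_agents:
                return RetrieveResult(request_id=request_id)  # still pending
            return self._release(agent, req)
        if key_id not in self.keys:
            raise KeyError(f"no key {key_id}")
        req = Request(self._new_id(), key_id, "recovery", {agent})
        if len(req.approvals) >= self.required_agents:
            # Case 2a: synchronous; the server, not the client, picks the store.
            self._store(req, persist=not self.ephemeral)
            return self._release(agent, req)
        # Case 2b: more approvals needed; a pending request is always persisted
        # so that another agent can find and approve it later.
        self._store(req, persist=True)
        self.audit.append(("RECOVERY_REQUESTED", agent, req.request_id))
        return RetrieveResult(request_id=req.request_id)

    def approve(self, agent, request_id):
        """Record an approval; returns the approval count (one agent counts once)."""
        req = self.ldap[request_id]
        req.approvals.add(agent)
        return len(req.approvals)

    def _release(self, agent, req):
        # Both the archival and the recovery leave an audit record.
        self.audit.append(("RECOVERY", agent, req.key_id))
        return RetrieveResult(secret=self.keys[req.key_id], request_id=req.request_id)


if __name__ == "__main__":
    # Mirrors the third test in the thread: two agents required.
    kra = Kra(required_agents=2)
    key_id = kra.archive("agent1", b"foobar")
    pending = kra.retrieve_key("agent1", key_id=key_id)
    print("pending request:", pending.request_id, "persisted:", pending.request_id in kra.ldap)
    kra.approve("agent2", pending.request_id)
    print("secret:", kra.retrieve_key("agent2", request_id=pending.request_id).secret)
```

The point the model makes explicit: with one required agent the caller's own request is processed immediately and kra.ephemeral alone decides whether it touches the persisted store, whereas a request that still needs approvals is persisted regardless, and a second approval by the same agent does not advance it.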