Bug 1562841

Summary: servlet profileSubmitCMCSimple throws NPE
Product: Red Hat Enterprise Linux 7
Reporter: Geetika Kapoor <gkapoor>
Component: pki-core
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: high
Docs Contact:
Priority: high
Version: 7.5
CC: cfu, mharmsen, msauton
Target Milestone: rc
Keywords: TestCaseProvided, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pki-core-10.5.9-2.el7
Doc Type: No Doc Update
Doc Text:
Previously, ProfileSubmitCMCServlet did not handle a null auth.instance_id value in the profile, so it threw a NullPointerException when handling CMC simple requests. Now the problem is fixed.
Story Points: ---
Clone Of:
Clones: 1574848
Environment:
Last Closed: 2018-10-30 11:05:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1574848

Description Geetika Kapoor 2018-04-02 17:00:47 UTC
Description of problem:

Trying to send an httpclient request to the CA for caSimpleCMCUserCert, and this throws an NPE.

[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Caught exception in renderFinalError:
java.lang.NullPointerException
    at com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet.process(ProfileSubmitCMCServlet.java:512)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:512)

Refer:
-----

1. https://tcms.engineering.redhat.com/case/188137/?from_plan=18814
2. https://tcms.engineering.redhat.com/case/188143/?from_plan=18814
3. https://tcms.engineering.redhat.com/case/188144/?from_plan=18814 ===
this looks useful.
    -- However, in this test case I don't get step 5 completely.


Version-Release number of selected component (if applicable):


How reproducible:

always

Steps to Reproduce:


1. open /usr/share/pki/ca/webapps/ca/WEB-INF/web.xml.

   <servlet>
      <servlet-name>  caProfileSubmitCMCSimple  </servlet-name>
      <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet  </servlet-class>
             <init-param><param-name>  GetClientCert  </param-name>
                         <param-value> true       </param-value> </init-param>

2. Restart CA instance.
3. PKCS10Client -d test -p SECret.123 -n "uid=testuser-22,ou=People,dc=example,dc=org"  -a rsa -o abc
4. AtoB abc abcd
5. HttpClient httpclient.cfg
6. httpclient.cfg file:


[root@nocp1 ~]# cat httpclient.cfg
#host: host name for the http server
#host=csqa4-guest04.idm.lab.eng.rdu.redhat.com
host=nocp1.idm.lab.eng.rdu2.redhat.com

#port: port number
port=20443

#secure: true for secure connection, false for nonsecure connection
#For secure connection, in an ECC setup, must set environment variable
#'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command
secure=true

#input: full path for the enrollment request, the content must be in
#binary format
input=abcd

#output: full path for the response in binary format
output=abcde

#tokenname: name of token where SSL client authentication cert can be
#found (default is internal)
#This parameter will be ignored if secure=false
tokenname=internal

#dbdir: directory for cert8.db, key3.db and secmod.db
#This parameter will be ignored if secure=false
dbdir=/root/test

#clientmode: true for client authentication, false for no client
#authentication
#This parameter will be ignored if secure=false
clientmode=true

#password: password for cert8.db
#This parameter will be ignored if secure=false and clientauth=false
password=SECret.123

#nickname: nickname for client certificate
#This parameter will be ignored if clientmode=false
#nickname=PKI CA Administrator
nickname=PKI CA Administrator for Non-TMS-CA

#servlet: servlet name
servlet=/ca/ee/ca/profileSubmitCMCSimple

Actual results:

NPE occurs.

Expected results:

Request should process.


Additional info:

Debug logs for the httpclient request:

[02/Apr/2018:12:29:17][http-bio-20443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCSimple is LDAP based, not XML {1}, use default authz mgr: {2}.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCSimple is LDAP based, not XML {1}, use default authz mgr: {2}.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitCMCSimple
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: caProfileSubmitCMCSimple start to service.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Start of ProfileSubmitCMCServlet Input Parameters
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: End of ProfileSubmitCMCServlet Input Parameters
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: start serving
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: SubId=profile
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: profileId caSimpleCMCUserCert
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: authenticator not found
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: set Inputs into Context
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: set sslClientCertProvider
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: in auditSubjectID
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: auditSubjectID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@797ce46b, profileContext=com.netscape.cms.profile.common.ProfileContext@74b5ced1}
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet auditSubjectID: subjectID: null
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: SignedAuditLogger: event CMC_REQUEST_RECEIVED
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Caught exception in renderFinalError:
java.lang.NullPointerException
    at com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet.process(ProfileSubmitCMCServlet.java:512)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:512)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED

Comment 2 Christina Fu 2018-04-17 21:38:29 UTC
The issue was caused by a missing auth.instance_id in the profile.
Should add that to the profile for the fix.

Comment 3 Matthew Harmsen 2018-04-20 02:16:05 UTC
Per RHEL 7.5.z/7.6/8.0 Triage:  7.5.z

cfu: Decided to keep this bug and fix the profile by adding the missing auth id.

Comment 4 Christina Fu 2018-04-20 20:16:08 UTC
commit 203db212a3dce216687dd2aac349fe37d2e92a96 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH, ticket-2992-simpleCMC)
Author: Christina Fu <cfu>
Date:   Thu Apr 19 17:11:34 2018 -0700

    Ticket #2992 servlet profileSubmitCMCSimple throws NPE
    
    This patch addresses the issue that when auth.instance_id is not specified in
    the profile, NPE is thrown.
    Alternative is to add auth.instance_id value, but it's better to leave this
    as manual approval only without changing the functionality.
    
    fixes https://pagure.io/dogtagpki/issue/2992
    
    Change-Id: I0a3afca1c66af96917a81c94b088d792f0332a4d

Comment 5 Christina Fu 2018-04-20 20:32:54 UTC
Suggested test procedure for QE:

Please note that due to lack of the security provisions like the Full CMC requests, we should just keep the auth.instance_id value empty, which will then require a CA agent to manually approve the request.

1. Run PKCS10Client to generate a PKCS#10 request. e.g.

PKCS10Client -d . -p myPass -n "cn=just me cfu, uid=cfu" -o pkcs10.req.pem

2. Run AtoB to convert the PEM file produced by PKCS10Client above to binary:
AtoB pkcs10.req.pem pkcs10.req

3. Create an HttpClient file as you would normally but pay special attention to:
  - input : the binary request above (e.g. pkcs10.req)
  - clientmode : false if this is a non-agent user; (I think it suffices to just do this)
  - servlet=/ca/ee/ca/profileSubmitCMCSimple?profileId=caECSimpleCMCUserCert
4. Run HttpClient against the HttpClient file above.
5. As a CA agent, check if the request shows up.
6. Manually approve it and see if the cert gets issued.

Please note that although technically it is possible to add auth.instance_id to the profile, as we don't want to encourage auth-approval for simple CMC for the security reasons above, the above steps for testing should be sufficient.
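The QE procedure above scripted end to end, as an added example that is not part of the bug report or of the pki project's own tooling; the CA host, NSS database directory, its password and the subject DN are placeholder assumptions, while the port, profile name and servlet path are taken from the report.

```shell
#!/bin/sh
# Added example, not from the bug report or the pki project: runs the simple CMC
# enrollment procedure from Comment 5 for a non-agent user.
# CA host, NSS db directory, db password and subject DN are assumptions;
# port, profile name and servlet path come from the report.
CA_HOST="${CA_HOST:-ca.example.test}"
CA_PORT="${CA_PORT:-20443}"
NSSDB="${NSSDB:-$PWD/nssdb}"
NSSDB_PASS="${NSSDB_PASS:-myPass}"
SUBJECT="${SUBJECT:-cn=just me cfu, uid=cfu}"
PROFILE="caECSimpleCMCUserCert"

# Step 3: write the HttpClient config. clientmode=false (non-agent user) and the
# servlet path carrying profileId are the two settings Comment 5 calls out.
# $1 = config path, $2 = binary PKCS#10 request, $3 = path for the CMC response
make_httpclient_cfg() {
    cat > "$1" <<EOF
host=$CA_HOST
port=$CA_PORT
secure=true
input=$2
output=$3
tokenname=internal
dbdir=$NSSDB
clientmode=false
password=$NSSDB_PASS
servlet=/ca/ee/ca/profileSubmitCMCSimple?profileId=$PROFILE
EOF
}

# Steps 1, 2 and 4: PKCS#10 request, PEM to binary, submit. With no
# auth.instance_id in the profile the request is not auto-approved; it waits in
# the agent queue for steps 5 and 6, which are done by hand in the agent UI.
run_enrollment() {
    PKCS10Client -d "$NSSDB" -p "$NSSDB_PASS" -n "$SUBJECT" -o pkcs10.req.pem
    AtoB pkcs10.req.pem pkcs10.req
    make_httpclient_cfg httpclient.cfg pkcs10.req cmc.resp
    # Required for ECC setups according to the httpclient.cfg template comment.
    export NSS_USE_DECODED_CKA_EC_POINT=1
    HttpClient httpclient.cfg
    echo "request submitted; approve it as a CA agent, then check that the cert was issued"
}

# Only contact the CA when asked explicitly, so the file can be sourced for its helpers.
if [ "${1:-}" = "--run" ]; then
    run_enrollment
fi
```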

Comment 10 Christina Fu 2018-06-26 23:51:00 UTC
commit f917433fdec8516b52b7f0cbf6895b854e2d3c81 (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu <cfu>
Date:   Tue Jun 26 15:16:53 2018 -0700

    Ticket 2992 CMC Simple request profiles and CMCResponse to support simple response
    
    This patch fixes the broken profiles resulting from https://pagure.io/dogtagpki/issue/3018.
    
    In addition, CMCResponse has been improved to handle CMC simple response.
    
    fixes https://pagure.io/dogtagpki/issue/2992
    
    Change-Id: If72aa08f044c96e4e5bd5ed98512d2936fe0d50a

Comment 12 Geetika Kapoor 2018-08-16 12:19:29 UTC
Test Env:

rpm -qa pki-ca
pki-ca-10.5.9-5.el7.noarch

For more test details, Refer https://bugzilla.redhat.com/show_bug.cgi?id=1574848

Comment 14 errata-xmlrpc 2018-10-30 11:05:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195