Bug 1582323

Summary: DER encoding error for enumerated types with a value of zero
Product: Red Hat Enterprise Linux 7 Reporter: Alex Wood <awood>
Component: jssAssignee: Alex Scheel <ascheel>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.6CC: ascheel, gkapoor, mharmsen, prisingh
Target Milestone: rcKeywords: TestCaseProvided
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: jss-4.4.6-1.el7 Doc Type: Bug Fix
Doc Text:
Cause: A bug in the DER encoder causes JSS to generate incorrect CRL entries when the revocation reason is "unspecified". This resulted in zero-length integer values, while DER specifies that all integer values must have length at least one. Result: JSS will now generate correct DER encodings of CRLs.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:06:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Test case to replicate error none

Description Alex Wood 2018-05-24 21:11:21 UTC 
Created attachment 1441245 [details]
Test case to replicate error

Description of problem:
Creating a CRL entry with a CRL Reason of "unspecified" (which has a value of 0) results in an encoding error due to the way JSS encodes ASN.1 enumerations in DerOutputStream.  Instead of encoding the enumeration as 0x0A0100, the value portion of the TLV is omitted and it's encoded as 0x0A00.

From what I can tell from X.690 (https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf), "The encoding of an enumerated value shall be that 
of the integer value with which it is associated" and for integers "The encoding of an integer value shall be primitive. The contents octets shall consist of one or more octets."


Version-Release number of selected component (if applicable): 4.4


How reproducible: Always


Steps to Reproduce:
1. Compile and run the attached test case:

% javac -cp ~/.m2/repository/org/mozilla/jss/4.4.0/jss-4.4.0.jar EnumerationZeroTest.java                                               

% java -cp ~/.m2/repository/org/mozilla/jss/4.4.0/jss-4.4.0.jar:. -Djava.library.path=/usr/lib64/jss EnumerationZeroTest


Actual results: The JDK X509CRL class cannot parse the generated CRL due to the way that the CRL reason is encoded.  Instead of being encoded as 0x0A0100, it's encoded as 0x0A00.

Full encoded extension: 30090603551d1504020a00  Encoded CRL Reason: 0a00        Reason value: 0
Full encoded extension: 300a0603551d1504030a0101        Encoded CRL Reason: 0a0101      Reason value: 1

The JDK then throws an error when attempting to generate the CRL: "java.security.cert.CRLException: Invalid encoding: zero length Int value"


Expected results: The reason is encoded as 0x0A0100
Comment 2 Matthew Harmsen 2018-06-27 01:17:21 UTC 
Moved to RHEL 7.7 due to lack of development resource time.
Comment 3 Alex Scheel 2019-01-14 14:43:13 UTC 
This will be present in the RHEL 7.7 rebase due to bz#1659527.

Upstream commit: https://github.com/dogtagpki/jss/commit/fc3197ee80753d6a25956ad8c1d931fa94213661
Comment 8 Pritam Singh 2019-05-03 13:59:34 UTC 
jss version:
# rpm -qa | grep jss
jss-4.4.6-1.el7.x86_64
tomcatjss-7.2.1-8.el7_6.noarch

pki version:
# rpm -qa | grep pki-*
pki-symkey-10.5.16-2.el7.x86_64
redhat-pki-server-theme-10.5.16-1.el7pki.noarch
pki-kra-10.5.16-2.el7.noarch
pki-tks-10.5.16-2.el7pki.noarch
pki-base-java-10.5.16-2.el7.noarch
pki-ca-10.5.16-2.el7.noarch
pki-ocsp-10.5.16-2.el7pki.noarch
redhat-pki-console-theme-10.5.16-1.el7pki.noarch
pki-tps-10.5.16-2.el7pki.x86_64
pki-tools-10.5.16-2.el7.x86_64
pki-server-10.5.16-2.el7.noarch
pki-console-10.5.16-1.el7pki.noarch
redhat-pki-10.5.16-1.el7pki.noarch
pki-base-10.5.16-2.el7.noarch

Step of reproduction:

# javac -cp /usr/lib64/jss/jss4.jar EnumerationZeroTest.java
# java -cp /usr/lib64/jss/jss4.jar:. -Djava.library.path=/usr/lib64/jss EnumerationZeroTest

Proof of concept:
File has been attached.

Please find the attached test result and let me know if it needs additional test approach.
Compiled the test and analysed that its matching the expected result without generating any exception on jss-4.4.6-1.

Hence marking this bz verified.
Comment 10 errata-xmlrpc 2019-08-06 13:06:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2219