Bug 1949656

Summary: CRMF requests with extensions other than SKID cannot be processed [rhel-7.9.z]
Product: Red Hat Enterprise Linux 7
Reporter: Chris Zinda <czinda>
Component: pki-core
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: PKI QE <bugzilla-pkiqe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.9
CC: aakkiang, cfu, gswami, jreznik, mharmsen, msauton, skhandel
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: pki-core-10.5.18-13.el7_9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1963225
Environment:
Last Closed: 2021-06-08 22:33:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1963225, 2001161
Attachments:
    cfu's test KRA transport cert (flags: none)

Description Chris Zinda 2021-04-14 18:00:04 UTC
Description of problem:
CRMF requests with any extensions other than the SubjectKeyIdentifier are not being handled correctly by Red Hat CS.


[13/Apr/2021:20:36:41][ajp-bio-127.0.0.1-6116-exec-2]: EnrollProfile: Start parseCRMF(): 
[13/Apr/2021:20:36:41][ajp-bio-127.0.0.1-6116-exec-2]: EnrollInput ::in verifyPOP
[13/Apr/2021:20:36:41][ajp-bio-127.0.0.1-6116-exec-2]: EnrollInput: verifyPOP: CertReqMsg has not POP, return
[13/Apr/2021:20:36:41][ajp-bio-127.0.0.1-6116-exec-2]: EnrollProfile: fillCertReqMsg: Start parseCertReqMsg 
[13/Apr/2021:20:36:41][ajp-bio-127.0.0.1-6116-exec-2]: EnrollProfile:  requested notBefore: Wed Nov 20 00:00:00 UTC 2019
[13/Apr/2021:20:36:41][ajp-bio-127.0.0.1-6116-exec-2]: EnrollProfile:  requested notAfter:  Sun Nov 20 23:59:59 UTC 2022
[13/Apr/2021:20:36:41][ajp-bio-127.0.0.1-6116-exec-2]: EnrollProfile:  current CA time:     Tue Apr 13 20:36:41 UTC 2021
[13/Apr/2021:20:36:41][ajp-bio-127.0.0.1-6116-exec-2]: EnrollProfile: fillCertReqMsg: found extension:{2 5 29 15}
[13/Apr/2021:20:36:41][ajp-bio-127.0.0.1-6116-exec-2]: EnrollProfile: Unable to fill certificate request message: java.io.IOException: java.lang.NullPointerException
java.io.IOException: java.lang.NullPointerException
	at netscape.security.x509.CertificateExtensions.parseExtension(CertificateExtensions.java:103)
	at com.netscape.cms.profile.common.EnrollProfile.fillCertReqMsg(EnrollProfile.java:2292)
	at com.netscape.cms.profile.input.CertReqInput.populate(CertReqInput.java:151)
	at com.netscape.cms.profile.common.BasicProfile.populateInput(BasicProfile.java:1090)
	at com.netscape.cms.profile.common.EnrollProfile.populateInput(EnrollProfile.java:2600)
	at com.netscape.cms.servlet.cert.CertProcessor.populateRequests(CertProcessor.java:374)
	at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:188)
	at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:96)
	at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:279)
	at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:131)
	at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:493)
	<even more call stack>

The SKID comment and the problematic line of code are here (from <dogtag>/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java):

    /*
     * there seems to be an issue with constructor in Extension
     * when feeding SubjectKeyIdentifierExtension;
     * Special-case it
     */
    OBJECT_IDENTIFIER SKIoid =
            new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString());
    for (int j = 0; j < numexts; j++) {
        org.mozilla.jss.pkix.cert.Extension jssext =
                certTemplate.extensionAt(j);
        boolean isCritical = jssext.getCritical();
        org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssoid =
                jssext.getExtnId();
        CMS.debug(method + "found extension:" + jssoid.toString());
        long[] numbers = jssoid.getNumbers();
        int[] oidNumbers = new int[numbers.length];

        for (int k = numbers.length - 1; k >= 0; k--) {
            oidNumbers[k] = (int) numbers[k];
        }
        ObjectIdentifier oid =
                new ObjectIdentifier(oidNumbers);
        org.mozilla.jss.asn1.OCTET_STRING jssvalue =
                jssext.getExtnValue();
        ByteArrayOutputStream jssvalueout =
                new ByteArrayOutputStream();

        jssvalue.encode(jssvalueout);
        byte[] extValue = jssvalueout.toByteArray();

        Extension ext = null;
        if (jssoid.equals(SKIoid)) {
            CMS.debug(method + "found SUBJECT_KEY_IDENTIFIER extension");
            ext = new SubjectKeyIdentifierExtension(false,
                    jssext.getExtnValue().toByteArray());
        } else {
            // <--- 2: the new Extension is discarded, so ext stays null
            new Extension(oid, isCritical, extValue);
        }

        // <--- 1: ext is null for every non-SKID extension, hence the NPE
        extensions.parseExtension(ext);
    }

The problem is that when we reach <--- 1 with a SKID, ext is set. When we reach that point for anything else it is not, because "new Extension(oid, isCritical, extValue);" is not assigned to ext. The else block should read:

ext = new Extension(oid, isCritical, extValue);

The line of code as it appears in GitHub is:

https://github.com/dogtagpki/pki/blob/v10.6.10/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java#L2276

https://github.com/dogtagpki/pki/blob/v10.5.18/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java#L2289

Version-Release number of selected component (if applicable):
9.x and 10.x

How reproducible:
Very

Steps to Reproduce:
1. Submit a CRMF request with any extension other than the SubjectKeyIdentifier; it is not handled correctly by Red Hat CS.

Actual results:
Request is being rejected.

Expected results:
Issue cert with other extensions.

Additional info:

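The debug log above shows the CA finding extension {2 5 29 15} (KeyUsage) and then immediately failing with the NullPointerException. The following is an added example, not code from this bug report or from Dogtag/RHCS: a small pure-Python DER walker that lists the extensions inside a CRMF CertTemplate's Extensions SEQUENCE and flags every extension other than SKID, which is exactly the set that leaves ext null in the unpatched fillCertReqMsg() loop. The function names, the constructed sample bytes (a SubjectKeyIdentifier plus a critical KeyUsage) and the handled_by_unpatched_code field are assumptions of this example. An operator can run the extensions of a request through it to see whether a CA that does not yet carry the fixed pki-core build will reject the request.

```python
"""Added example (not Dogtag/RHCS code): list the extensions in a CRMF
CertTemplate's DER Extensions SEQUENCE and flag those that the unpatched
EnrollProfile.fillCertReqMsg() loop never assigns to `ext`, so that
CertificateExtensions.parseExtension(null) throws a NullPointerException."""

SKID_OID = "2.5.29.14"       # SubjectKeyIdentifier, the one OID the buggy branch assigns
KEY_USAGE_OID = "2.5.29.15"  # {2 5 29 15}, the OID seen in the bug's debug log


def _tlv(tag, value):
    """Encode one DER TLV; short-form length is enough for the sample data."""
    if len(value) >= 128:
        raise ValueError("sample encoder only supports short-form lengths")
    return bytes([tag, len(value)]) + value


def _read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Turn OID content octets into dotted form (first octet packs arcs 1 and 2)."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(der):
    """Walk Extensions ::= SEQUENCE OF Extension { extnID, critical DEFAULT FALSE, extnValue }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        tag, ext, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        t, oid, p = _read_tlv(ext, 0)
        if t != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        critical = False
        t, v, p = _read_tlv(ext, p)
        if t == 0x01:                      # optional BOOLEAN critical
            critical = v != b"\x00"
            t, v, p = _read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((decode_oid(oid), critical, v))
    return result


def classify(der):
    """Per-extension report; only SKID survives the unpatched else-branch."""
    return [
        {"oid": oid, "critical": crit, "value_len": len(val),
         "handled_by_unpatched_code": oid == SKID_OID}
        for oid, crit, val in parse_extensions(der)
    ]


def would_be_rejected(der):
    """True if an unpatched CA would hit the NPE on this Extensions blob."""
    return any(not e["handled_by_unpatched_code"] for e in classify(der))


# Constructed sample data: SKID (2.5.29.14) plus a critical KeyUsage (2.5.29.15).
_SKID_EXT = _tlv(0x30, _tlv(0x06, bytes.fromhex("551d0e"))
                 + _tlv(0x04, _tlv(0x04, bytes.fromhex("0102030405"))))
_KEY_USAGE_EXT = _tlv(0x30, _tlv(0x06, bytes.fromhex("551d0f"))
                      + _tlv(0x01, b"\xff")
                      + _tlv(0x04, _tlv(0x03, bytes.fromhex("05a0"))))
SAMPLE_SKID_ONLY = _tlv(0x30, _SKID_EXT)
SAMPLE_SKID_AND_KEY_USAGE = _tlv(0x30, _SKID_EXT + _KEY_USAGE_EXT)


if __name__ == "__main__":
    for name, blob in (("SKID only", SAMPLE_SKID_ONLY),
                       ("SKID + KeyUsage", SAMPLE_SKID_AND_KEY_USAGE)):
        print(name, "-> rejected by unpatched CA:", would_be_rejected(blob))
        for entry in classify(blob):
            print("   ", entry)
```

The walker deliberately mirrors the loop in EnrollProfile: it reads extnID, the optional critical flag and extnValue for each extension, and the only decision it makes is whether the OID is 2.5.29.14. On the fixed build every extension is assigned, so the would_be_rejected() check is only meaningful against servers that predate the errata.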
Comment 8 Christina Fu 2021-04-20 17:37:10 UTC
Created attachment 1773856
cfu's test KRA transport cert

Hi Chris, could you please ask them to generate a CRMF request using this transport cert? Thanks.

Comment 23 errata-xmlrpc 2021-06-08 22:33:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pki-core bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2315