Bug 441801

Summary: pkiconsole doesn't import trusted certificate
Product: [Retired] Dogtag Certificate System Reporter: Jonathan Barber <jon>
Component: ConsoleAssignee: Andrew Wnuk <awnuk>
Status: CLOSED WONTFIX QA Contact: Chandrasekar Kannan <ckannan>
Severity: low Docs Contact:
Priority: medium    
Version: 1.0CC: benl, dpal, jgalipea, msauton
Target Milestone: 1.0   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-06 19:50:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 445047    
Attachments:
Description Flags
CA cert that fails to import none

Description Jonathan Barber 2008-04-10 08:38:52 UTC 
Description of problem:
When adding a trusted CA certificate chain (consisting of a single self signed
cert) the pkiconsole fails with error message "Certificate Error: Failed to decode"

Additionaly, PrettyPrintCert raises an exception:
# PrettyPrintCert lifesci-cacert.pem
PrettyPrintCert:  Error encountered on parsing certificate :
java.security.cert.CertificateParsingException: java.io.IOException:
java.io.IOException:
IssuerAlternativeNameExtensionnetscape.security.x509.GeneralNamesException: No
data available in passed DER encoded value.
null

the tool "pp" displays the certificate correctly, and certutil can import it
into the certificate database.

Suggests a bug in the java code?

Version-Release number of selected component (if applicable):
pki-java-tools-1.0.0-1.fc8
pki-console-1.0.0-1.fc8

How reproducible:
Always.

Steps to Reproduce:
1. Run above PrettyPrintCert with the attached certificate
  
Actual results:
Nothing

Expected results:
Certificate to be imported into the DB.

Additional info:
Comment 1 Jonathan Barber 2008-04-10 08:38:52 UTC 
Created attachment 301953 [details]
CA cert that fails to import
Comment 2 Jonathan Barber 2008-04-10 08:52:45 UTC 
# java -version
java version "1.7.0"
IcedTea Runtime Environment (build 1.7.0-b21)
IcedTea Client VM (build 1.7.0-b21, mixed mode)
Comment 3 Jonathan Barber 2008-04-10 08:59:07 UTC 
pp reports of the cert that:

            Name: Certificate Issuer Alt Name
            Error: Parsing extension: Certificate extension value is invalid.
            Data: Sequence {
            }

openssl shows:
             X509v3 Issuer Alternative Name:
                <EMPTY>

I guess this is where the uncaught exception in the java is coming from.
Comment 8 Andrew Wnuk 2008-10-10 00:31:37 UTC 
1. Fix provided in 439027 is addressing the issue related to importing
   trusted CA certificate chain via CA console.
2. Attached certificate does not comply with RFC 5280 therefore is rejected.
   RFC 5280 (http://www.ietf.org/rfc/rfc5280.txt):
     4.2.1.7.  Issuer Alternative Name
       ...
       IssuerAltName ::= GeneralNames
       GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

   dumpasn1 output:
     ...
     1327    3:           OBJECT IDENTIFIER issuerAltName (2 5 29 18)
              :             (X.509 id-ce (2 5 29))
     1332    2:           OCTET STRING, encapsulates {
     1334    0:             SEQUENCE {}
              :             }
              :           }


PrettyPrintCert should gracefully handle IssuerAltName containing no GeneralName.
Comment 10 Jenny Severance 2009-06-11 19:06:43 UTC 
1. Console errors importing attached CA certificate Certificate Error: Failed to decode.

2. PrettyPrintCert still throws exception.

[root@qe-blade-11 jgalipea]# PrettyPrintCert cert 
PrettyPrintCert:  Error encountered on parsing certificate :
java.security.cert.CertificateParsingException: java.io.IOException: java.io.IOException: IssuerAlternativeNameExtensionnetscape.security.x509.GeneralNamesException: No data available in passed DER encoded value.
null
Comment 11 Chandrasekar Kannan 2009-06-25 19:31:11 UTC 
this needs to be in new state for the developer to pick it up