Bug 468347

Summary: Exception encountered when status of a revoked certificate is queried from OCSPClient tool on Fedora 8
Product: [Retired] Dogtag Certificate System
Reporter: Kashyap Chamarthy <kchamart>
Component: OCSP Responder
Assignee: Andrew Wnuk <awnuk>
Status: CLOSED WORKSFORME
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: high
Version: 1.0
CC: amesonero, benl, cfu, dpal, mharmsen
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-05-12 01:06:26 UTC
Bug Blocks: 443788
Attachments: OCSPClient query exception screenshot

Description Kashyap Chamarthy 2008-10-24 09:03:21 UTC
Description of problem:

Encountering a "BER encoding" related exception when the status of a revoked certificate (with "key compromise" as reason) is queried via the OCSPClient tool from the terminal (please refer to the attached screenshot OCSPClient_error.png).


Steps to Reproduce:
1. Install OCSP responder, configure it and restart the service.
2. Revoke a couple of certificates in CA subsystem and ensure that these certificates are revoked by checking their details.
3. Push the generated CRL to the OCSP responder.
4. Use the OCSPClient tool from the terminal and query the OCSP server for the status of a revoked certificate.

Actual results:

A BER encoding related exception error is thrown, saying:

Error: org.mozilla.jss.asn1.InvalidBERException: SEQUENCE(item #0) >> End-of-file reached while decoding ASN.1 header

Expected results:
Status of the revoked certificate should be displayed as "revoked" in response to the OCSPClient query.

Additional info:

(1) All the above tasks were carried out on Fedora 8 (on a virtual machine).
(2) Observed the transaction, system and debug logs in /var/lib/pki-ocsp and /var/lib/pki-ca; I noticed nothing alarming.
(3) Tried with a couple of other revoked certificates, but noticed the same behaviour.

Comment 1 Kashyap Chamarthy 2008-10-24 09:10:43 UTC
Created attachment 321391 [details]
OCSPClient query exception screenshot

Comment 2 Andrew Wnuk 2009-05-12 01:06:26 UTC
Tests on OCSP:
1. Test for revoked certificate:
--------------------------------
OCSPClient a-f8.sjc.redhat.com 11180 ./db caCert 10 res_ocsp.txt 1 '/ocsp/ee/ocsp'
URI: /ocsp/ee/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4
RDKfHivNymc/Bwv/gCZ/NS0CAQo=
CertID.serialNumber=10
CertStatus=Revoked
Success: Output res_ocsp.txt

2. Test for valid certificate: 
------------------------------
OCSPClient a-f8.sjc.redhat.com 11180 ./db caCert 9 res_ocsp.txt 1 '/ocsp/ee/ocsp'
URI: /ocsp/ee/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4
RDKfHivNymc/Bwv/gCZ/NS0CAQk=
CertID.serialNumber=9
CertStatus=Good
Success: Output res_ocsp.txt

Tests on CA-OCSP:
1. Test for revoked certificate:
--------------------------------
OCSPClient a-f8.sjc.redhat.com 9180 ./db caCert 10 res_10.txt 1 '/ca/ocsp'
URI: /ca/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4
RDKfHivNymc/Bwv/gCZ/NS0CAQo=
CertID.serialNumber=10
CertStatus=Revoked
Success: Output res_10.txt

2. Test for valid certificate: 
------------------------------
OCSPClient a-f8.sjc.redhat.com 9180 ./db caCert 9 res_10.txt 1 '/ca/ocsp'
URI: /ca/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4
RDKfHivNymc/Bwv/gCZ/NS0CAQk=
CertID.serialNumber=9
CertStatus=Good
Success: Output res_10.txt
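
The "Data:" lines in the two transcripts above are the base64 DER of the unsigned OCSPRequest that OCSPClient sends; the only difference between the serial-10 and serial-9 requests is the final INTEGER. The following Python is an added example, not part of the bug report or of Dogtag/JSS code: a minimal DER tag-length-value reader that walks OCSPRequest > TBSRequest > requestList > Request > CertID (RFC 2560 layout) and recovers the hash algorithm, issuer hashes and serial number from those exact bytes. The same reader also shows the class of error in the original report: a body that ends before a complete ASN.1 header (for example a response from an endpoint that does not speak OCSP at all) fails with an "end-of-file reached while decoding ASN.1 header" style error rather than a CertStatus. The message text and the error-probing helper are this example's own, not JSS's.

```python
import base64

# OCSP requests copied from the transcripts above (CertID.serialNumber=10 and 9).
REQUEST_SERIAL_10 = (
    "MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4"
    "RDKfHivNymc/Bwv/gCZ/NS0CAQo="
)
REQUEST_SERIAL_9 = (
    "MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4"
    "RDKfHivNymc/Bwv/gCZ/NS0CAQk="
)

SEQUENCE, OID, OCTET_STRING, INTEGER = 0x30, 0x06, 0x04, 0x02
SHA1_OID = "1.3.14.3.2.26"  # id-sha1, the hashAlgorithm used by these requests


class DERError(ValueError):
    """Raised when the input is not well-formed DER (truncated or wrong tag)."""


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise DERError("end-of-file reached while decoding ASN.1 header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise DERError("end-of-file reached while decoding ASN.1 length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise DERError("end-of-file reached inside ASN.1 value")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, tag):
    """read_tlv plus a tag check; every field we walk here has a fixed tag."""
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise DERError(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return value, nxt


def decode_oid(raw):
    """Dotted OID from its content octets (first byte packs 40*arc1 + arc2)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_request_der(der):
    """Return the single CertID of an unsigned OCSPRequest as a dict."""
    ocsp_request, _ = expect(der, 0, SEQUENCE)       # OCSPRequest
    tbs, _ = expect(ocsp_request, 0, SEQUENCE)       # tbsRequest (no optionalSignature)
    req_list, _ = expect(tbs, 0, SEQUENCE)           # requestList (no version/requestorName)
    request, _ = expect(req_list, 0, SEQUENCE)       # first and only Request
    cert_id, _ = expect(request, 0, SEQUENCE)        # reqCert CertID
    alg, pos = expect(cert_id, 0, SEQUENCE)          # hashAlgorithm AlgorithmIdentifier
    oid_raw, _ = expect(alg, 0, OID)
    name_hash, pos = expect(cert_id, pos, OCTET_STRING)   # issuerNameHash
    key_hash, pos = expect(cert_id, pos, OCTET_STRING)    # issuerKeyHash
    serial_raw, _ = expect(cert_id, pos, INTEGER)         # serialNumber
    return {
        "data_length": len(der),
        "hash_algorithm": decode_oid(oid_raw),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial_number": int.from_bytes(serial_raw, "big", signed=True),
    }


def parse_ocsp_request(b64):
    """Convenience wrapper for the base64 form OCSPClient prints."""
    return parse_ocsp_request_der(base64.b64decode(b64))


def decode_error(der):
    """Return the DERError message a body produces, or None if it parses cleanly."""
    try:
        parse_ocsp_request_der(der)
        return None
    except DERError as exc:
        return str(exc)


if __name__ == "__main__":
    for label, b64 in (("serial 10", REQUEST_SERIAL_10), ("serial 9", REQUEST_SERIAL_9)):
        print(label, parse_ocsp_request(b64))
    # An outer SEQUENCE with nothing inside it: the header of item #0 is missing.
    print("truncated body:", decode_error(b"\x30\x00"))
```

Both requests decode to 68 bytes (matching "Data Length: 68"), SHA-1 as the hash algorithm, identical issuer hashes, and serial numbers 10 and 9; the truncated-body probe reproduces the header-EOF failure mode. When an OCSP client reports an error of this shape, a practical check is to confirm the URL and port actually serve OCSP (the EE port in this report, not the agent port) before suspecting the CRL or the responder.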

Comment 3 Kashyap Chamarthy 2009-05-12 11:30:20 UTC
Thanks Andrew. I was using the agent port (11443) instead of the EE port (11180). It works for me too.

--kashyap