Bug 489342

Summary: com.netscape.cms.servlet.common.CMCOutputTemplate.java doesn't support EC
Product: [Retired] Dogtag Certificate System Reporter: David Stutzman <david.k.stutzman2.ctr>
Component: Certificate ManagerAssignee: Christina Fu <cfu>
Status: CLOSED CURRENTRELEASE QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: high    
Version: 1.0CC: awnuk, benl, jgalipea
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-04 20:08:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 445047    
Attachments:
Description Flags
DER encoded CMC enrollment request containing a CRMF certificate request with a P384 EC key. The SignerInfo of the CMC request was created with RSA credentials
none
Base64 version of attachment 334549
none
add EC key type branch to if block none

Description David Stutzman 2009-03-09 15:56:21 UTC 
Created attachment 334549 [details]
DER encoded CMC enrollment request containing a CRMF certificate request with a P384 EC key.  The SignerInfo of the CMC request was created with RSA credentials

Description of problem:
I sent a binary CMC request to the cmc servlet and received an error, I tracked the problem to the com.netscape.cms.servlet.common.CMCOutputTemplate.java class which doesn't seem to support EC keys as it has an if/else block that checks for DSA and RSA then throws an error.

Version-Release number of selected component (if applicable):
svn HEAD

Steps to Reproduce:
1. send the bytes included in the attachment which is a binary CMC request to the cmc servlet: https://<ca>:<port>/ca/ee/ca/profileSubmitCMCFull
2. the following shows up in debug log:
[09/Mar/2009:11:33:37][http-9443-Processor25]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitCMCFull
[09/Mar/2009:11:33:37][http-9443-Processor25]: CMSServlet: caProfileSubmitCMCFull start to service.
[09/Mar/2009:11:33:37][http-9443-Processor25]: Start of Input Parameters
[09/Mar/2009:11:33:37][http-9443-Processor25]: End of Input Parameters
[09/Mar/2009:11:33:37][http-9443-Processor25]: ProfileSubmitServlet: start serving
[09/Mar/2009:11:33:37][http-9443-Processor25]: ProfileSubmitServlet: SubId=profile
[09/Mar/2009:11:33:37][http-9443-Processor25]: ProfileSubmitServlet: profileId caFullCMCUserCert
[09/Mar/2009:11:33:37][http-9443-Processor25]: ProfileSubmitServlet: authenticator CMCAuth found
[09/Mar/2009:11:33:37][http-9443-Processor25]: ProfileSubmistServlet: set Inputs into Context
[09/Mar/2009:11:33:37][http-9443-Processor25]: ProfileSubmitServlet: set sslClientCertProvider
[09/Mar/2009:11:33:37][http-9443-Processor25]: CMCAuth: start checking signature
[09/Mar/2009:11:33:37][http-9443-Processor25]: CMCAuth: verifying signature with public key
[09/Mar/2009:11:33:37][http-9443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$] agent pre-approved CMC request signature verification
[09/Mar/2009:11:33:37][http-9443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$] agent pre-approved CMC request signature verification
[09/Mar/2009:11:33:37][http-9443-Processor25]: CMCOutputTemplate::getContentInfo() - signAlg is unsupported!
[09/Mar/2009:11:33:37][http-9443-Processor25]: ProfileSubmitServlet: authentication error Invalid Credential.
[09/Mar/2009:11:33:37][http-9443-Processor25]: CMSServlet: curDate=Mon Mar 09 11:33:37 EDT 2009 id=caProfileSubmitCMCFull time=11
3. the offending if/else block in the CMCOutputTemplate.java (
https://pki.fedoraproject.org/svn/pki/trunk/pki/base/common/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java):
CryptoManager.getInstance().findPrivKeyByCert(x509CAcert);
org.mozilla.jss.crypto.PrivateKey.Type keyType = privKey.getType();

if( keyType.equals( org.mozilla.jss.crypto.PrivateKey.RSA ) ) {
     signAlg = SignatureAlgorithm.RSASignatureWithSHA1Digest;
} else if( keyType.equals( org.mozilla.jss.crypto.PrivateKey.DSA ) ) {
     signAlg = SignatureAlgorithm.DSASignatureWithSHA1Digest;
} else {
     CMS.debug( "CMCOutputTemplate::getContentInfo() - "
                 + "signAlg is unsupported!" );
     return null;
}
Comment 1 David Stutzman 2009-03-09 16:02:59 UTC 
I'm attaching the same CMC request base64 encoded.  You can paste this one into one of the enrollment web pages.  Choose the "Signed CMC-Authenticated User Certificate Enrollment" profile and paste in the contents of this new attachment and you should hit the same error through a different code path.
Comment 2 David Stutzman 2009-03-09 16:03:49 UTC 
Created attachment 334551 [details]
Base64 version of attachment 334549 [details]
Comment 3 David Stutzman 2010-04-29 11:47:41 UTC 
Created attachment 410076 [details]
add EC key type branch to if block

So I just added 2 lines to the if block that checks for key type to account for EC and now pasting a CMC request into the web form for the "Signed CMC-Authenticated User Certificate Enrollment" profile correctly issues the certificate.
Comment 4 David Stutzman 2010-08-23 14:15:08 UTC 
I can add that I have now successfully tested this using the binary CMC servlet interface (https://<ca machine>:9444/ca/ee/ca/profileSubmitCMCFull) and things are working properly there as well.
Comment 5 Christina Fu 2010-09-14 19:57:43 UTC 
Hi David, I'm finally coming around to this one.
It's good that you seemed to have found a fix.  However, I have a few questions:
1. The debug messages you have in Description is quite curious. It showed that the code failed CMC_SIGNED_REQUEST_SIG_VERIFY and yet it continued on to run and got to CMCOutputTemplate::getContentInfo().  I'm wondering if you have customized the code or we have something faulty in there.
2. I was trying to find an easier way to reproduce the issue (not having your cert/keys etc.). I turned off authentication and authorization (without changing/fixing CMCOutputTemplate.java, and submitted the base64 encoding you attached.  The cert was issued successfully.  I wonder if this went through different path.
3. Could you maybe let me know how exactly your request was generated and how it was submitted?

thanks,
Christina
Comment 6 Christina Fu 2010-09-16 05:46:04 UTC 
My investigation result shows the following:
* The B64 blob pasted into enroll page goes through ProfileSubmitServlet
* The binary I submitted via ProfileSubmitCMCServlet

Both when bypassing authentication and authorization got through the issuance.
Upon closer examination, I found that in order to hit the code in question, the CA has to have an EC signing cert.
Comment 7 David Stutzman 2010-09-16 17:12:22 UTC 
Yes, sorry, if that wasn't clear in the initial report, but as you mentioned in comment 6 the situation occurs when the CA has an EC signing key.  
While creating the CMC response, it needs to sign it and the CMCOutputTemplate is only RSA/DSA aware and throws up when it encounters the CA's EC signing key.  Also, for any CMC response, it's hard coded to use <Asymmetric alg>withSHA1 as the signature algorithm.  Maybe it would be possible to add a setting in CS.cfg to specify the signature algorithm that's used whenever a CMC structure needs to be signed or alternately use the CA's signing certificate sig. alg?
Comment 8 Christina Fu 2010-09-16 17:24:20 UTC 
Yes, I actually found the problem and filed a separate bug earlier this morning regarding SHA1 used in this situation.  I will fix that soon.

As for this current bug, I'm nearly at the point of setting up the EC CA.
As soon as I verify your fix, I will check it in with problem credit to you per CLA.  Thanks!
Comment 9 Christina Fu 2010-09-16 17:25:25 UTC 
(In reply to comment #8)
> Yes, I actually found the problem and filed a separate bug earlier this morning
> regarding SHA1 used in this situation.  I will fix that soon.
> 
> As for this current bug, I'm nearly at the point of setting up the EC CA.
> As soon as I verify your fix, I will check it in with problem credit to you per
> CLA.  Thanks!

^problem^proper
Comment 10 Christina Fu 2010-09-16 21:58:46 UTC 
attachment 410076 [details]
+cfu (approved)
Comment 12 Christina Fu 2010-09-16 22:16:25 UTC 
[cfu@jaw common]$ svn commit src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
Sending        src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
Transmitting file data .
Committed revision 1302