Bug 489342
Summary: com.netscape.cms.servlet.common.CMCOutputTemplate.java doesn't support EC
Product: [Retired] Dogtag Certificate System
Component: Certificate Manager
Version: 1.0
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: high
Hardware: All
OS: Linux
Reporter: David Stutzman <david.k.stutzman2.ctr>
Assignee: Christina Fu <cfu>
QA Contact: Chandrasekar Kannan <ckannan>
CC: awnuk, benl, jgalipea
Doc Type: Bug Fix
Last Closed: 2012-06-04 20:08:51 UTC
Bug Blocks: 445047
Description
David Stutzman
2009-03-09 15:56:21 UTC
I'm attaching the same CMC request base64 encoded. You can paste this one into one of the enrollment web pages. Choose the "Signed CMC-Authenticated User Certificate Enrollment" profile and paste in the contents of this new attachment and you should hit the same error through a different code path.

Created attachment 334551 [details] Base64 version of attachment 334549 [details]

Created attachment 410076 [details] add EC key type branch to if block

So I just added 2 lines to the if block that checks for key type to account for EC, and now pasting a CMC request into the web form for the "Signed CMC-Authenticated User Certificate Enrollment" profile correctly issues the certificate.

I can add that I have now successfully tested this using the binary CMC servlet interface (https://<ca machine>:9444/ca/ee/ca/profileSubmitCMCFull) and things are working properly there as well.

Hi David, I'm finally coming around to this one. It's good that you seem to have found a fix. However, I have a few questions:
1. The debug messages you have in the Description are quite curious. They showed that the code failed CMC_SIGNED_REQUEST_SIG_VERIFY and yet it continued on to run and got to CMCOutputTemplate::getContentInfo(). I'm wondering if you have customized the code or we have something faulty in there.
2. I was trying to find an easier way to reproduce the issue (not having your cert/keys etc.). I turned off authentication and authorization (without changing/fixing CMCOutputTemplate.java) and submitted the base64 encoding you attached. The cert was issued successfully. I wonder if this went through a different path.
3. Could you maybe let me know how exactly your request was generated and how it was submitted?
thanks, Christina

My investigation result shows the following:
* The B64 blob pasted into the enroll page goes through ProfileSubmitServlet
* The binary I submitted via ProfileSubmitCMCServlet
Both, when bypassing authentication and authorization, got through the issuance. Upon closer examination, I found that in order to hit the code in question, the CA has to have an EC signing cert.

Yes, sorry if that wasn't clear in the initial report, but as you mentioned in comment 6 the situation occurs when the CA has an EC signing key. While creating the CMC response, it needs to sign it, and the CMCOutputTemplate is only RSA/DSA aware and throws up when it encounters the CA's EC signing key. Also, for any CMC response, it's hard coded to use <Asymmetric alg>withSHA1 as the signature algorithm. Maybe it would be possible to add a setting in CS.cfg to specify the signature algorithm that's used whenever a CMC structure needs to be signed, or alternately use the CA's signing certificate sig. alg?

Yes, I actually found the problem and filed a separate bug earlier this morning regarding SHA1 used in this situation. I will fix that soon. As for this current bug, I'm nearly at the point of setting up the EC CA. As soon as I verify your fix, I will check it in with problem credit to you per CLA. Thanks!

(In reply to comment #8)
> Yes, I actually found the problem and filed a separate bug earlier this morning
> regarding SHA1 used in this situation. I will fix that soon.
>
> As for this current bug, I'm nearly at the point of setting up the EC CA.
> As soon as I verify your fix, I will check it in with problem credit to you per
> CLA. Thanks!
^problem^proper

attachment 410076 [details]
+cfu (approved)

[cfu@jaw common]$ svn commit src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
Sending src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
Transmitting file data .
Committed revision 1302
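The two defects discussed in this thread, a key-type branch that knows only RSA and DSA and a signature algorithm hard-coded to <alg>withSHA1, are easy to reproduce outside Dogtag. The following stand-alone example is added here and is not Dogtag's CMCOutputTemplate code or David's patch: it uses only the JDK's java.security API, generates constructed EC and RSA test keys in place of a real CA signing key, and selects the JCA signature algorithm from the key's algorithm name with the EC branch present. The digest is passed in as a parameter, standing in for the configurable setting David suggested (no real CS.cfg key name is assumed); unknown key types raise an exception instead of silently falling through, which is the failure mode the hard-coded branch had with an EC CA.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

/** Hypothetical illustration of key-type-aware signing; not Dogtag code. */
public class CmcResponseSigner {

    /**
     * Map the CA signing key's algorithm ("RSA", "DSA" or "EC") plus a
     * configurable digest name to a standard JCA signature algorithm.
     * The digest parameter replaces the hard-coded "SHA1" from the bug.
     */
    static String signatureAlgorithmFor(Key caSigningKey, String digest) {
        String keyAlg = caSigningKey.getAlgorithm();
        if (keyAlg.equals("RSA")) {
            return digest + "withRSA";
        } else if (keyAlg.equals("DSA")) {
            return digest + "withDSA";
        } else if (keyAlg.equals("EC")) {
            // This is the branch that was missing for an EC CA signing key.
            return digest + "withECDSA";
        }
        // Fail loudly on anything else rather than producing an unusable response.
        throw new IllegalArgumentException("unsupported CA signing key type: " + keyAlg);
    }

    /** Sign the (constructed) CMC response body with the CA signing key. */
    static byte[] sign(PrivateKey caSigningKey, String digest, byte[] content)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance(signatureAlgorithmFor(caSigningKey, digest));
        sig.initSign(caSigningKey);
        sig.update(content);
        return sig.sign();
    }

    /** Verify as a CMC client would, using the same algorithm selection. */
    static boolean verify(PublicKey caPublicKey, String digest, byte[] content, byte[] signature)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance(signatureAlgorithmFor(caPublicKey, digest));
        sig.initVerify(caPublicKey);
        sig.update(content);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Constructed test keys standing in for an EC CA and an RSA CA.
        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair ecCa = ecGen.generateKeyPair();

        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(2048);
        KeyPair rsaCa = rsaGen.generateKeyPair();

        // Constructed payload; a real CMC response would be the DER-encoded PKIData.
        byte[] cmcResponse = "constructed CMC response body".getBytes(StandardCharsets.UTF_8);

        for (KeyPair ca : new KeyPair[] { ecCa, rsaCa }) {
            String alg = signatureAlgorithmFor(ca.getPrivate(), "SHA256");
            byte[] s = sign(ca.getPrivate(), "SHA256", cmcResponse);
            boolean ok = verify(ca.getPublic(), "SHA256", cmcResponse, s);
            System.out.println(alg + " signature verifies: " + ok);
        }
    }
}
```

The check a practitioner would add on top of this: whatever digest the response signer uses must be one the CMC client on the other end accepts, so the configured value (or the CA signing certificate's own signature algorithm, the alternative David proposed) should be validated at startup rather than when the first CMC response is produced.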