Description of problem:
Missing CN in user signing cert would cause error in cmc user-signed case. If the certificate subject is missing "CN", the cmc user-signed case doesn't work.

Version-Release number of selected component (if applicable):
pki-ca-10.4.1-11.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Use a certificate without CN and try to use it for signing in cmc user-signed

Actual results:
1. certificate signing doesn't happen.
2. HttpClient output failed with NPE.

Expected results:
Certificate should be generated with any valid subject dn

Additional info:

Test Result:
===========
[root@pki1 certs_db]# HttpClient user-signed/HttpClient-cmc-crmf.self.cfg
Total number of bytes read = 3425
after SSLSocket created, thread token is NSS FIPS 140-2 User Private Key
client cert is not null
handshake happened
writing to socket
Total number of bytes read = 234
PEhUTUw+CjxCT0RZIEJHQ09MT1I9d2hpdGU+CjxQPgpUaGUgQ2VydGlmaWNhdGUg
U3lzdGVtIGhhcyBlbmNvdW50ZXJlZCBhbiB1bnJlY292ZXJhYmxlIGVycm9yLgo8
UD4KRXJyb3IgTWVzc2FnZTo8QlI+CjxJPmphdmEubGFuZy5OdWxsUG9pbnRlckV4
Y2VwdGlvbjwvST4KPFA+ClBsZWFzZSBjb250YWN0IHlvdXIgbG9jYWwgYWRtaW5p
c3RyYXRvciBmb3IgYXNzaXN0YW5jZS4KPC9CT0RZPgo8L0hUTUw+Cg0K
The response in binary format is stored in user-signed/cmc.self.Resp

[root@pki1 certs_db]# cat user-signed/cmc.self.Resp
<HTML>
<BODY BGCOLOR=white>
<P>
The Certificate System has encountered an unrecoverable error.
<P>
Error Message:<BR>
<I>java.lang.NullPointerException</I>
<P>
Please contact your local administrator for assistance.
</BODY>
</HTML>

Configuration files:
===========
cmc.config:
[root@pki1 certs_db]# cat user-signed/cmc.self.cfg
#numRequests: Total number of PKCS10 requests or CRMF requests.
numRequests=1
#input: full path for the PKCS10 request or CRMF request,
#the content must be in Base-64 encoded format
#Multiple files are supported. They must be separated by space.
input=user-signed/pkcs10.req
#output: full path for the CMC request in binary format
output=user-signed/cmc.self.req
#tokenname: name of token where agent signing cert can be found (default is internal)
tokenname=internal
#request.selfSign=true
#nickname: nickname for agent certificate which will be used
#to sign the CMC full request.
nickname=pkipinmanager
#nickname=test13
#nickname=PKI CA Administrator
#nickname=revoke1
#dbdir: directory for cert8.db, key3.db and secmod.db
dbdir=/opt/rhqa_pki/certs_db/
#password: password for cert8.db which stores the agent
#certificate
password=SECret.123
#format: request format, either pkcs10 or crmf
format=pkcs10
#identityProofV2.enable: if true, then the request will contain
#this control. Otherwise, false.
#Note that if both identityProof and identityProofV2
# are enabled, identityProofV2 takes precedence; Only one of them can be active at a time
#Supported hashAlg are:
# SHA-1, SHA-256, SHA-384, and SHA-512
#Supported macAlg are:
# SHA-1-HMAC, SHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC
identityProofV2.enable=false
identityProofV2.hashAlg=SHA-512
identityProofV2.macAlg=SHA-512-HMAC
#identityProofV2.sharedSecret: Shared Secret
witness.sharedSecret=testing
popLinkWitnessV2.enable=true
popLinkWitnessV2.keyGenAlg=SHA-512
popLinkWitnessV2.macAlg=SHA-512-HMAC
request.privKeyId=-4649a706aa2b309d2f1d139e4e000eae612eb04e
#identification works with identityProofV2
identification.enable=true
identification=testuser

HttpClient config:
[root@pki1 certs_db]# cat user-signed/HttpClient-cmc-crmf.self.cfg
#host: host name for the http server
host=csqa4-guest04.idm.lab.eng.rdu.redhat.com
#port: port number
port=25443
#secure: true for secure connection, false for nonsecure connection
#For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command
secure=true
#input: full path for the enrollment request, the content must be in binary format
input=user-signed/cmc.self.req
#output: full path for the response in binary format
output=user-signed/cmc.self.Resp
#tokenname: name of token where SSL client authentication cert can be found (default is internal)
#This parameter will be ignored if secure=false
tokenname=internal
#dbdir: directory for cert8.db, key3.db and secmod.db
#This parameter will be ignored if secure=false
dbdir=/opt/rhqa_pki/certs_db
#clientmode: true for client authentication, false for no client authentication
#This parameter will be ignored if secure=false
clientmode=true
#password: password for cert8.db
#This parameter will be ignored if secure=false and clientauth=false
password=SECret.123
#nickname: nickname for client certificate
#This parameter will be ignored if clientmode=false
nickname=pkipinmanager
#servlet: servlet name
servlet=/ca/ee/ca/profileSubmitUserSignedCMCFull
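The report above shows only the symptom (the CA answers with an unrecoverable java.lang.NullPointerException when the CMC signer's certificate subject has no CN attribute); it does not show the server code path or the upstream fix. The following Java program is an added illustration of that defect class and is not Dogtag/pki-ca code: a CN lookup over the subject DN whose result is dereferenced without a null check, next to a version that falls back to the full subject DN when no CN is present. It uses only the JDK's javax.naming.ldap.LdapName parser; the class and method names (SubjectNameFallback, findCn, signerIdUnsafe, signerIdSafe) are hypothetical, and the two subject DNs are taken from this report (the user-signed test subject "UID=sslauth,OU=People" is the one that has no CN).

```java
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/*
 * Added illustration of the "missing CN" failure mode; not pki-ca code.
 * Hypothetical names: SubjectNameFallback, findCn, signerIdUnsafe, signerIdSafe.
 */
public class SubjectNameFallback {

    /**
     * Returns the value of the CN attribute in an RFC 4514 DN string, or null
     * when the subject carries no CN RDN (e.g. "UID=sslauth,OU=People").
     * Attribute types are matched case-insensitively because different tools
     * emit "CN=" or "cn=". Note: for a multi-valued RDN (CN=a+OU=b) Rdn.getType()
     * reports only the first attribute type; that is fine for this illustration.
     */
    static String findCn(String subjectDn) throws InvalidNameException {
        List<Rdn> rdns = new LdapName(subjectDn).getRdns();
        for (Rdn rdn : rdns) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /**
     * Defective pattern: the code assumes every signer has a CN and uses the
     * result directly. For a subject without CN this throws NullPointerException,
     * which an unprepared servlet surfaces as an "unrecoverable error" page.
     */
    static String signerIdUnsafe(String subjectDn) throws InvalidNameException {
        String cn = findCn(subjectDn);
        return cn.trim();          // NullPointerException when the subject has no CN
    }

    /**
     * Hardened pattern: prefer the CN when present, otherwise fall back to the
     * complete subject DN, so any valid subject DN yields a usable identifier.
     */
    static String signerIdSafe(String subjectDn) throws InvalidNameException {
        String cn = findCn(subjectDn);
        if (cn != null && !cn.trim().isEmpty()) {
            return cn.trim();
        }
        return new LdapName(subjectDn).toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: both subject DNs appear in this bug report.
        String[] subjects = {
            "CN=PKI CA Administrator,OU=People,O=SECure-Ds",
            "UID=sslauth,OU=People"
        };
        for (String subject : subjects) {
            System.out.println("subject : " + subject);
            System.out.println("  safe  : " + signerIdSafe(subject));
            try {
                System.out.println("  unsafe: " + signerIdUnsafe(subject));
            } catch (NullPointerException e) {
                System.out.println("  unsafe: NullPointerException (subject has no CN)");
            }
        }
    }
}
```

Compile and run with `javac SubjectNameFallback.java && java SubjectNameFallback`; the first subject resolves to its CN in both variants, the second only in the safe variant. When auditing a CMC or enrollment code path for this class of bug, search for every place an attribute is pulled out of the subject or issuer name and confirm the no-such-attribute case is handled explicitly rather than assumed away.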
I'm able to reproduce this issue.
committed upstream: https://pagure.io/dogtagpki/issue/2788#comment-455507
Testing done with cert subject dn:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 145764544 (0x8b030c0)
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=gkapoor_RHCS_75_ssl,O=SECure-Ds"
        Validity:
            Not Before: Sun Feb 11 22:01:58 2018
            Not After : Fri Aug 10 21:01:58 2018
        Subject: "UID=sslauth,OU=People"

Passes cases:
1. self signed
2. User Signed
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0925