Bug 1562841 - servlet profileSubmitCMCSimple throws NPE
Summary: servlet profileSubmitCMCSimple throws NPE
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Christina Fu
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 1574848
Reported: 2018-04-02 17:00 UTC by Geetika Kapoor
Modified: 2020-10-04 21:42 UTC (History)

Fixed In Version: pki-core-10.5.9-2.el7
Doc Type: No Doc Update
Doc Text:
Previously, ProfileSubmitCMCServlet did not handle a null auth.instance_id value in the profile, so it threw a NullPointerException when handling CMC simple requests. Now the problem is fixed.
Clone Of:
: 1574848 (view as bug list)
Environment:
Last Closed: 2018-10-30 11:05:27 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 3110 0 None None None 2020-10-04 21:42:46 UTC
Red Hat Product Errata RHBA-2018:3195 0 None None None 2018-10-30 11:06:49 UTC

Description Geetika Kapoor 2018-04-02 17:00:47 UTC
Description of problem:

Trying to send httpclient request to CA for caSimpleCMCUserCert and this throws NPE.

[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Caught exception in renderFinalError:
java.lang.NullPointerException
    at com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet.process(ProfileSubmitCMCServlet.java:512)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:512)

Refer:
-----

1. https://tcms.engineering.redhat.com/case/188137/?from_plan=18814
2. https://tcms.engineering.redhat.com/case/188143/?from_plan=18814
3. https://tcms.engineering.redhat.com/case/188144/?from_plan=18814 ===
this looks useful.
    -- However, in this test case I don't get step 5 completely.


Version-Release number of selected component (if applicable):


How reproducible:

always

Steps to Reproduce:


1. open /usr/share/pki/ca/webapps/ca/WEB-INF/web.xml.

   <servlet>
      <servlet-name>  caProfileSubmitCMCSimple  </servlet-name>
      <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet  </servlet-class>
             <init-param><param-name>  GetClientCert  </param-name>
                         <param-value> true       </param-value> </init-param>

2. Restart CA instance.
3. PKCS10Client -d test -p SECret.123 -n "uid=testuser-22,ou=People,dc=example,dc=org"  -a rsa -o abc
4. AtoB abc abcd
5. HttpClient httpclient.cfg
6. Http.cfg file:


[root@nocp1 ~]# cat httpclient.cfg
#host: host name for the http server
#host=csqa4-guest04.idm.lab.eng.rdu.redhat.com
host=nocp1.idm.lab.eng.rdu2.redhat.com

#port: port number
port=20443

#secure: true for secure connection, false for nonsecure connection
#For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command
secure=true

#input: full path for the enrollment request, the content must be in binary format
input=abcd

#output: full path for the response in binary format
output=abcde

#tokenname: name of token where SSL client authentication cert can be found (default is internal)
#This parameter will be ignored if secure=false
tokenname=internal

#dbdir: directory for cert8.db, key3.db and secmod.db
#This parameter will be ignored if secure=false
dbdir=/root/test

#clientmode: true for client authentication, false for no client authentication
#This parameter will be ignored if secure=false
clientmode=true

#password: password for cert8.db
#This parameter will be ignored if secure=false and clientauth=false
password=SECret.123

#nickname: nickname for client certificate
#This parameter will be ignored if clientmode=false
#nickname=PKI CA Administrator
nickname=PKI CA Administrator for Non-TMS-CA

#servlet: servlet name
servlet=/ca/ee/ca/profileSubmitCMCSimple

Actual results:

NPE occurs.

Expected results:

Request should process.


Additional info:

Debug logs for HttpClient request

[02/Apr/2018:12:29:17][http-bio-20443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCSimple is LDAP based, not XML {1}, use default authz mgr: {2}.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCSimple is LDAP based, not XML {1}, use default authz mgr: {2}.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitCMCSimple
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: caProfileSubmitCMCSimple start to service.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Start of ProfileSubmitCMCServlet Input Parameters
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: End of ProfileSubmitCMCServlet Input Parameters
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: start serving
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: SubId=profile
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: profileId caSimpleCMCUserCert
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: authenticator not found
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: set Inputs into Context
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: set sslClientCertProvider
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: in auditSubjectID
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: auditSubjectID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@797ce46b, profileContext=com.netscape.cms.profile.common.ProfileContext@74b5ced1}
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet auditSubjectID: subjectID: null
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: SignedAuditLogger: event CMC_REQUEST_RECEIVED
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Caught exception in renderFinalError:
java.lang.NullPointerException
    at com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet.process(ProfileSubmitCMCServlet.java:512)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:512)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED
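
Added example, not part of the original report or of the Dogtag PKI code: a Python scan of a CA debug log in the format shown above that reports each NullPointerException whose top frame is ProfileSubmitCMCServlet.process, together with the profileId logged on the same thread and whether "authenticator not found" preceded it. The function name, the sample lines (including the exec-2 thread and its profile name) and the attribution of stack-trace lines to the preceding timestamped line are assumptions.

```python
import re
from collections import defaultdict

# Line format of the CA debug log quoted in this report: [timestamp][thread]: message
LINE_RE = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\]: (.*)$")
PROFILE_RE = re.compile(r"ProfileSubmitCMCServlet: profileId (\S+)")
NO_AUTH = "ProfileSubmitCMCServlet: authenticator not found"
NPE_FRAME = "at com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet.process("

def find_cmc_npe(lines):
    """Return one finding per NPE whose top frame is ProfileSubmitCMCServlet.process."""
    state = defaultdict(dict)   # per-thread facts, so interleaved requests stay separate
    findings, thread, pending_npe = [], None, False
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:                   # timestamped line: update that thread's request state
            ts, thread, msg = m.groups()
            pending_npe = False
            st = state[thread]
            if "ProfileSubmitCMCServlet: start serving" in msg:
                st.clear()      # a new request starts on this thread
            st["ts"] = ts
            if pm := PROFILE_RE.search(msg):
                st["profile"] = pm.group(1)
            if NO_AUTH in msg:
                st["no_authenticator"] = True
        elif thread is not None:
            # Assumption: untimestamped lines (the stack trace) belong to the thread
            # of the preceding timestamped line.
            if pending_npe and line.startswith(NPE_FRAME):
                st = state[thread]
                findings.append({"ts": st.get("ts"), "thread": thread, "profile": st.get("profile"),
                                 "no_authenticator": st.get("no_authenticator", False)})
            pending_npe = line == "java.lang.NullPointerException"
    return findings

# Constructed sample: lines shaped like the log above, plus a second thread (exec-2)
# serving an invented profile name to show that requests are not mixed up.
SAMPLE = """\
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: start serving
[02/Apr/2018:12:29:18][http-bio-20443-exec-2]: ProfileSubmitCMCServlet: start serving
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: profileId caSimpleCMCUserCert
[02/Apr/2018:12:29:18][http-bio-20443-exec-2]: ProfileSubmitCMCServlet: profileId exampleOtherProfile
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: authenticator not found
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Caught exception in renderFinalError:
java.lang.NullPointerException
    at com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet.process(ProfileSubmitCMCServlet.java:512)
""".splitlines()
```

Calling `find_cmc_npe(open(path))` on a real debug log works the same way, since the function accepts any iterable of lines.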

Comment 2 Christina Fu 2018-04-17 21:38:29 UTC
issue was caused by missing auth.instance_id in the profile.
Should add that to the profile for fix.

Comment 3 Matthew Harmsen 2018-04-20 02:16:05 UTC
Per RHEL 7.5.z/7.6/8.0 Triage:  7.5.z

cfu: Decided to keep this bug and fix the profile by adding the missing auth id.

Comment 4 Christina Fu 2018-04-20 20:16:08 UTC
commit 203db212a3dce216687dd2aac349fe37d2e92a96 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH, ticket-2992-simpleCMC)
Author: Christina Fu <cfu>
Date:   Thu Apr 19 17:11:34 2018 -0700

    Ticket #2992 servlet profileSubmitCMCSimple throws NPE
    
    This patch addresses the issue that when auth.instance_id is not specified in
    the profile, NPE is thrown.
    Alternative is to add auth.instance_id value, but it's better to leave this
    as manual approval only without changing the functionality.
    
    fixes https://pagure.io/dogtagpki/issue/2992
    
    Change-Id: I0a3afca1c66af96917a81c94b088d792f0332a4d

Comment 5 Christina Fu 2018-04-20 20:32:54 UTC
Suggested test procedure for QE:

Please note that due to lack of the security provisions like the Full CMC requests, we should just keep the auth.instance_id value empty, which will then require a CA agent to manually approve the request.

1. Run PKCS10Client to generate a PKCS#10 request. e.g.

PKCS10Client -d . -p myPass -n "cn=just me cfu, uid=cfu" -o pkcs10.req.pem

2. Run AtoB to convert the PEM file produced by PKCS10Client above to binary:
AtoB pkcs10.req.pem pkcs10.req

3. Create an HttpClient file as you would normally but pay special attention to:
  - input : the binary request above (e.g. pkcs10.req)
  - clientmode : false if this is a non-agent user; (I think it suffices to just do this)
  - servlet=/ca/ee/ca/profileSubmitCMCSimple?profileId=caECSimpleCMCUserCert
4. run HttpClient against the HttpClient file above
5. as a CA agent, check if the request shows up;
6. manually approve it and see if the cert gets issued.

Please note that although technically it is possible to add auth.instance_id to the profile, as we don't want to encourage auth-approval for simple CMC for the security reasons above, the above steps for testing should be sufficient.

Comment 10 Christina Fu 2018-06-26 23:51:00 UTC
commit f917433fdec8516b52b7f0cbf6895b854e2d3c81 (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu <cfu>
Date:   Tue Jun 26 15:16:53 2018 -0700

    Ticket 2992 CMC Simple request profiles and CMCResponse to support simple response
    
    This patch fixes the broken profiles resulted from https://pagure.io/dogtagpki/issue/3018.
    
    In addition, CMCResponse has been improved to handle CMC simple response.
    
    fixes https://pagure.io/dogtagpki/issue/2992
    
    Change-Id: If72aa08f044c96e4e5bd5ed98512d2936fe0d50a

Comment 12 Geetika Kapoor 2018-08-16 12:19:29 UTC
Test Env:

rpm -qa pki-ca
pki-ca-10.5.9-5.el7.noarch

For more test details, Refer https://bugzilla.redhat.com/show_bug.cgi?id=1574848

Comment 14 errata-xmlrpc 2018-10-30 11:05:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195

