Bug 1562841
| Summary: | servlet profileSubmitCMCSimple throws NPE | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Geetika Kapoor <gkapoor> | |
| Component: | pki-core | Assignee: | Christina Fu <cfu> | |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 7.5 | CC: | cfu, mharmsen, msauton | |
| Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | pki-core-10.5.9-2.el7 | Doc Type: | No Doc Update | |
| Doc Text: | Previously, ProfileSubmitCMCServlet did not handle a null auth.instance_id value in the profile, so it threw a NullPointerException when handling CMC simple requests. Now the problem is fixed. | Story Points: | --- | |
| Clone Of: | ||||
| : | 1574848 (view as bug list) | Environment: | ||
| Last Closed: | 2018-10-30 11:05:27 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1574848 | |||
Issue was caused by missing auth.instance_id in the profile. Should add that to the profile for fix.

Per RHEL 7.5.z/7.6/8.0 Triage: 7.5.z
cfu: Decided to keep this bug and fix the profile by adding the missing auth id.

commit 203db212a3dce216687dd2aac349fe37d2e92a96 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH, ticket-2992-simpleCMC)
Author: Christina Fu <cfu>
Date: Thu Apr 19 17:11:34 2018 -0700
Ticket #2992 servlet profileSubmitCMCSimple throws NPE
This patch addresses the issue that when auth.instance_id is not specified in
the profile, NPE is thrown.
Alternative is to add auth.instance_id value, but it's better to leave this
as manual approval only without changing the functionality.
fixes https://pagure.io/dogtagpki/issue/2992
Change-Id: I0a3afca1c66af96917a81c94b088d792f0332a4d

Suggested test procedure for QE:

Please note that due to lack of the security provisions like the Full CMC requests, we should just keep the auth.instance_id value empty, which will then require a CA agent to manually approve the request.

1. Run PKCS10Client to generate a PKCS#10 request, e.g.
   PKCS10Client -d . -p myPass -n "cn=just me cfu, uid=cfu" -o pkcs10.req.pem
2. Run AtoB to convert the PEM file produced by PKCS10Client above to binary:
   AtoB pkcs10.req.pem pkcs10.req
3. Create an HttpClient file as you would normally, but pay special attention to:
   - input: the binary request above (e.g. pkcs10.req)
   - clientmode: false if this is a non-agent user (I think it suffices to just do this)
   - servlet=/ca/ee/ca/profileSubmitCMCSimple?profileId=caECSimpleCMCUserCert
4. Run HttpClient against the HttpClient file above.
5. As a CA agent, check if the request shows up.
6. Manually approve it and see if the cert gets issued.

Please note that although technically it is possible to add auth.instance_id to the profile, as we don't want to encourage auth-approval for simple CMC for the security reasons above, the above steps for testing should be sufficient.

commit f917433fdec8516b52b7f0cbf6895b854e2d3c81 (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu <cfu>
Date: Tue Jun 26 15:16:53 2018 -0700
Ticket 2992 CMC Simple request profiles and CMCResponse to support simple response
This patch fixes the broken profiles resulting from https://pagure.io/dogtagpki/issue/3018.
In addition, CMCResponse has been improved to handle CMC simple response.
fixes https://pagure.io/dogtagpki/issue/2992
Change-Id: If72aa08f044c96e4e5bd5ed98512d2936fe0d50a

Test Env:
rpm -qa pki-ca
pki-ca-10.5.9-5.el7.noarch

For more test details, refer to https://bugzilla.redhat.com/show_bug.cgi?id=1574848

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:3195

Description of problem:
Trying to send httpclient request to CA for caSimpleCMCUserCert and this throws NPE.

[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Caught exception in renderFinalError: java.lang.NullPointerException
    at com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet.process(ProfileSubmitCMCServlet.java:512)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:512)

Refer:
-----
1. https://tcms.engineering.redhat.com/case/188137/?from_plan=18814
2. https://tcms.engineering.redhat.com/case/188143/?from_plan=18814
3. https://tcms.engineering.redhat.com/case/188144/?from_plan=18814 === this looks useful. -- However, in this test case I don't get step 5 completely.

Version-Release number of selected component (if applicable):

How reproducible: always

Steps to Reproduce:
1. Open /usr/share/pki/ca/webapps/ca/WEB-INF/web.xml.
   <servlet>
     <servlet-name> caProfileSubmitCMCSimple </servlet-name>
     <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet </servlet-class>
     <init-param><param-name> GetClientCert </param-name>
       <param-value> true </param-value>
     </init-param>
2. Restart CA instance.
3. PKCS10Client -d test -p SECret.123 -n "uid=testuser-22,ou=People,dc=example,dc=org" -a rsa -o abc
4. AtoB abc abcd
5. HttpClient httpclient.cfg
6.

Http.cfg file:
[root@nocp1 ~]# cat httpclient.cfg
#host: host name for the http server
#host=csqa4-guest04.idm.lab.eng.rdu.redhat.com
host=nocp1.idm.lab.eng.rdu2.redhat.com
#port: port number
port=20443
#secure: true for secure connection, false for nonsecure connection
#For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command
secure=true
#input: full path for the enrollment request, the content must be in binary format
input=abcd
#output: full path for the response in binary format
output=abcde
#tokenname: name of token where SSL client authentication cert can be found (default is internal)
#This parameter will be ignored if secure=false
tokenname=internal
#dbdir: directory for cert8.db, key3.db and secmod.db
#This parameter will be ignored if secure=false
dbdir=/root/test
#clientmode: true for client authentication, false for no client authentication
#This parameter will be ignored if secure=false
clientmode=true
#password: password for cert8.db
#This parameter will be ignored if secure=false and clientauth=false
password=SECret.123
#nickname: nickname for client certificate
#This parameter will be ignored if clientmode=false
#nickname=PKI CA Administrator
nickname=PKI CA Administrator for Non-TMS-CA
#servlet: servlet name
servlet=/ca/ee/ca/profileSubmitCMCSimple

Actual results: NPE occurs.

Expected results: Request should process.

Additional info:
Debug logs for httpclient request

[02/Apr/2018:12:29:17][http-bio-20443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCSimple is LDAP based, not XML {1}, use default authz mgr: {2}.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCSimple is LDAP based, not XML {1}, use default authz mgr: {2}.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitCMCSimple
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: caProfileSubmitCMCSimple start to service.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Start of ProfileSubmitCMCServlet Input Parameters
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: End of ProfileSubmitCMCServlet Input Parameters
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: start serving
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: SubId=profile
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: profileId caSimpleCMCUserCert
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: authenticator not found
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: set Inputs into Context
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: set sslClientCertProvider
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: in auditSubjectID
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: auditSubjectID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@797ce46b, profileContext=com.netscape.cms.profile.common.ProfileContext@74b5ced1}
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet auditSubjectID: subjectID: null
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: SignedAuditLogger: event CMC_REQUEST_RECEIVED
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Caught exception in renderFinalError: java.lang.NullPointerException
    at com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet.process(ProfileSubmitCMCServlet.java:512)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:512)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED
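
Added example, not part of the original report and not Dogtag code: a triage script for the CA debug log format shown above. It tracks each request per thread and reports the profile for which "authenticator not found" was followed by a NullPointerException in ProfileSubmitCMCServlet.process. The multi-line stack-trace layout and the exec-2 lines in the sample are assumptions constructed for the example.

```python
import re

# Debug-log entry header as it appears in the report: [timestamp][thread]: message
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
SERVLET = "ProfileSubmitCMCServlet"

# Sample input: exec-1 lines are excerpted from the report; exec-2 lines are constructed.
SAMPLE_LOG = """\
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: start serving
[02/Apr/2018:12:29:18][http-bio-20443-exec-2]: ProfileSubmitCMCServlet: start serving
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: profileId caSimpleCMCUserCert
[02/Apr/2018:12:29:18][http-bio-20443-exec-2]: ProfileSubmitCMCServlet: profileId caECSimpleCMCUserCert
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: authenticator not found
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Caught exception in renderFinalError: java.lang.NullPointerException
\tat com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet.process(ProfileSubmitCMCServlet.java:512)
\tat com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:512)
[02/Apr/2018:12:29:18][http-bio-20443-exec-2]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED
"""

def parse_entries(log_text):
    """Split the log into [timestamp, thread, message] entries, folding
    continuation lines (stack frames) into the entry they belong to."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if m:
            entries.append([m["ts"], m["thread"], m["msg"]])
        elif entries and raw.strip():
            entries[-1][2] += " " + raw.strip()
    return entries

def find_cmc_npe(log_text):
    """Return one finding per request that hit the NPE in the CMC servlet."""
    state, findings = {}, []
    for ts, thread, msg in parse_entries(log_text):
        req = state.setdefault(thread, {"profile": None, "no_auth": False})
        if msg.startswith(SERVLET + ": start serving"):
            req.update(profile=None, no_auth=False)  # new request on this thread
        elif msg.startswith(SERVLET + ": profileId "):
            req["profile"] = msg.split("profileId ", 1)[1].strip()
        elif msg == SERVLET + ": authenticator not found":
            req["no_auth"] = True
        elif "java.lang.NullPointerException" in msg and SERVLET + ".process(" in msg:
            findings.append({"time": ts, "thread": thread,
                             "profile": req["profile"],
                             "authenticator_missing": req["no_auth"]})
            state.pop(thread)  # request is over; start clean for the next one
    return findings

if __name__ == "__main__":
    for finding in find_cmc_npe(SAMPLE_LOG):
        print(finding)
```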