Bug 1574848 - servlet profileSubmitCMCSimple throws NPE [rhel-7.5.z]
Summary: servlet profileSubmitCMCSimple throws NPE [rhel-7.5.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1562841
Blocks:
Reported: 2018-05-04 07:23 UTC by Oneata Mircea Teodor
Modified: 2018-09-20 10:59 UTC (History)
4 users

Fixed In Version: pki-core-10.5.1-14.el7_5
Doc Type: Bug Fix
Doc Text:
Previously, if the auth.instance_id parameter was not set in a profile used with the ProfileSubmitCMCSimple servlet, requesting a certificate failed and Certificate System logged a NullPointerException error. The problem has been fixed. As a result, requesting a certificate now works correctly when auth.instance_id is not set in a profile with the ProfileSubmitCMCSimple servlet.
Clone Of: 1562841
Environment:
Last Closed: 2018-08-16 14:20:17 UTC
Target Upstream Version:




Links:
System: Red Hat Product Errata
ID: RHBA-2018:2306
Last Updated: 2018-08-16 14:20:37 UTC

Description Oneata Mircea Teodor 2018-05-04 07:23:29 UTC
This bug has been copied from bug #1562841 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-05-04 22:14:14 UTC
Christina Fu 2018-04-20 16:16:08 EDT

commit 203db212a3dce216687dd2aac349fe37d2e92a96 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH, ticket-2992-simpleCMC)
Author: Christina Fu <cfu@redhat.com>
Date:   Thu Apr 19 17:11:34 2018 -0700

    Ticket #2992 servlet profileSubmitCMCSimple throws NPE
    
    This patch addresses the issue that when auth.instance_id is not specified in
    the profile, NPE is thrown.
    Alternative is to add auth.instance_id value, but it's better to leave this
    as manual approval only without changing the functionality.
    
    fixes https://pagure.io/dogtagpki/issue/2992
    
    Change-Id: I0a3afca1c66af96917a81c94b088d792f0332a4d

Comment 3 Matthew Harmsen 2018-05-21 20:39:27 UTC
 Christina Fu 2018-04-20 16:32:54 EDT

Suggested test procedure for QE:

Please note that due to lack of the security provisions like the Full CMC requests, we should just keep the auth.instance_id value empty, which will then require a CA agent to manually approve the request.

1. Run PKCS10Client to generate a PKCS#10 request. e.g.

PKCS10Client -d . -p myPass -n "cn=just me cfu, uid=cfu" -o pkcs10.req.pem

2. Run AtoB to convert the PEM file produced by PKCS10Client above to binary:
AtoB pkcs10.req.pem pkcs10.req

3. Create an HttpClient file as you would normally but pay special attention to:
  - input : the binary request above (e.g. pkcs10.req)
  - clientmode : false if this is a non-agent user; (I think it suffices to just do this)
  - servlet=/ca/ee/ca/profileSubmitCMCSimple?profileId=caECSimpleCMCUserCert
4. run HttpClient against the HttpClient file above
5. as a CA agent, check if the request shows up;
6. manually approve it and see if the cert gets issued.

Please note that although technically it is possible to add auth.instance_id to the profile, as we don't want to encourage auth-approval for simple CMC for the security reasons above, the above steps for testing should be sufficient.

Comment 7 Geetika Kapoor 2018-06-12 11:18:07 UTC
Hi Christina,

While testing I did the same as you have mentioned.

1. Run PKCS10Client to generate a PKCS#10 request. e.g.

PKCS10Client -d /root/ECC_setup/nssdb/ -p SECret.123 -a ec -c nistp256  -o pkcs10.req.ecc -n "cn=audittesting,uid=testing"

2. Run AtoB to convert the PEM file produced by PKCS10Client above to binary:
AtoB pkcs10.req.ecc binary

3. Create an HttpClient file and attributes are:

secure=true
input=binary
output=cmc.role_p10-ec.resp.binary
tokenname=internal
dbdir=/root/ECC_setup/nssdb
clientmode=true
password=SECret.123
nickname=PKI CA Administrator
servlet=/ca/ee/ca/profileSubmitCMCSimple?profileId=caECSimpleCMCUserCert
4. run HttpClient against the HttpClient file above
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: ProfileSubmitServlet: profile: caECSimpleCMCUserCert
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CAProcessor: Input Parameters:
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CAProcessor: - isRenewal: false
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CAProcessor: - remoteHost: 10.67.116.128
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CAProcessor: - profileId: caECSimpleCMCUserCert
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CAProcessor: - cert_request: (sensitive)
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CAProcessor: - remoteAddr: 10.67.116.128
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollmentProcessor: isRenewal false
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollmentProcessor: profileId caECSimpleCMCUserCert
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollmentProcessor: set Inputs into profile Context
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollmentProcessor: set sslClientCertProvider
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollProfile: createRequests: begins
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollProfile: createRequests:  request type is null
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: Repository: in getNextSerialNumber. 
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: Repository: checkRange  mLastSerialNo=76
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: Repository: getNextSerialNumber: returning retSerial 76
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollProfile: setDefaultCertInfo: setting issuerDN using exact CA signing cert subjectDN encoding
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollProfile: createEnrollmentRequest 76
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CertProcessor: profileSetid=cmcUserCertSet
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CertProcessor: request 76
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CertProcessor: populating request inputs
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CMCCertReqInput: populate: begins
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollProfile: getPKIDataFromCMCblob: starts
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollProfile: getPKIDataFromCMCblob: org.mozilla.jss.asn1.InvalidBERException: SEQUENCE(item #0) >> Missing item #0: found UNIVERSAL 16
Invalid Request
	at com.netscape.cms.profile.common.EnrollProfile.getPKIDataFromCMCblob(EnrollProfile.java:637)
	at com.netscape.cms.profile.input.CMCCertReqInput.populate(CMCCertReqInput.java:105)
	at com.netscape.cms.profile.common.BasicProfile.populateInput(BasicProfile.java:1090)
	at com.netscape.cms.profile.common.EnrollProfile.populateInput(EnrollProfile.java:2574)
	at com.netscape.cms.servlet.cert.CertProcessor.populateRequests(CertProcessor.java:374)
	at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:188)
	at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:96)
	at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:244)
	at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:129)
	at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:512)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
	at sun.reflect.GeneratedMethodAccessor41.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at sun.reflect.GeneratedMethodAccessor40.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: org.mozilla.jss.asn1.InvalidBERException: SEQUENCE(item #0) >> Missing item #0: found UNIVERSAL 16
	at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:357)
	at org.mozilla.jss.pkix.cms.ContentInfo$Template.decode(ContentInfo.java:220)
	at org.mozilla.jss.pkix.cms.ContentInfo$Template.decode(ContentInfo.java:213)
	at com.netscape.cms.profile.common.EnrollProfile.getPKIDataFromCMCblob(EnrollProfile.java:612)
	... 56 more
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: ProfileSubmitServlet: error in processing request: Invalid Request
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CMSServlet: curDate=Tue Jun 12 07:12:16 EDT 2018 id=caProfileSubmit time=11

Comment 8 Geetika Kapoor 2018-06-12 11:43:37 UTC
Earlier when I raised this issue, it failed with NPE, and now I am seeing a different issue which says invalid request. It could be possible that the above request has issues.

Earlier:
=======
1. open /usr/share/pki/ca/webapps/ca/WEB-INF/web.xml.

   <servlet>
      <servlet-name>caProfileSubmitCMCSimple</servlet-name>
      <servlet-class>com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet</servlet-class>
      <init-param>
         <param-name>GetClientCert</param-name>
         <param-value>true</param-value>
      </init-param>

2. Restart CA instance.
3. PKCS10Client -d test -p SECret.123 -n "uid=testuser-22,ou=People,dc=example,dc=org" -a rsa -o abc
4. AtoB abc abcd
5. HttpClient httpclient.cfg
6. Http.cfg file:


[root@nocp1 ~]# cat httpclient.cfg
#host: host name for the http server
#host=csqa4-guest04.idm.lab.eng.rdu.redhat.com
host=nocp1.idm.lab.eng.rdu2.redhat.com

#port: port number
port=20443

#secure: true for secure connection, false for nonsecure connection
#For secure connection, in an ECC setup, must set environment variable
#'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command
secure=true

#input: full path for the enrollment request, the content must be in
#binary format
input=abcd

#output: full path for the response in binary format
output=abcde

#tokenname: name of token where SSL client authentication cert can be
#found (default is internal)
#This parameter will be ignored if secure=false
tokenname=internal

#dbdir: directory for cert8.db, key3.db and secmod.db
#This parameter will be ignored if secure=false
dbdir=/root/test

#clientmode: true for client authentication, false for no client
#authentication
#This parameter will be ignored if secure=false
clientmode=true

#password: password for cert8.db
#This parameter will be ignored if secure=false and clientauth=false
password=SECret.123

#nickname: nickname for client certificate
#This parameter will be ignored if clientmode=false
#nickname=PKI CA Administrator
nickname=PKI CA Administrator for Non-TMS-CA

#servlet: servlet name
servlet=/ca/ee/ca/profileSubmitCMCSimple

7. Debug logs:

[02/Apr/2018:12:29:17][http-bio-20443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCSimple is LDAP based, not XML {1}, use default authz mgr: {2}.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCSimple is LDAP based, not XML {1}, use default authz mgr: {2}.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitCMCSimple
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: caProfileSubmitCMCSimple start to service.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Start of ProfileSubmitCMCServlet Input Parameters
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: End of ProfileSubmitCMCServlet Input Parameters
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: start serving
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: SubId=profile
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: profileId caSimpleCMCUserCert
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: authenticator not found
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: set Inputs into Context
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: set sslClientCertProvider
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: in auditSubjectID
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: auditSubjectID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@797ce46b, profileContext=com.netscape.cms.profile.common.ProfileContext@74b5ced1}
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet auditSubjectID: subjectID: null
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: SignedAuditLogger: event CMC_REQUEST_RECEIVED
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Caught exception in renderFinalError:
java.lang.NullPointerException
    at com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet.process(ProfileSubmitCMCServlet.java:512)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:512)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED

Comment 9 Geetika Kapoor 2018-06-12 18:07:31 UTC
Since it is seen by everyone, marking this bug as "assigned"

Comment 12 Christina Fu 2018-06-26 22:57:29 UTC
commit cf1b83ed6e7be07636c3deac770d586433d80f9e (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu@redhat.com>
Date:   Tue Jun 26 15:16:53 2018 -0700

    Ticket 2992 CMC Simple request profiles and CMCResponse to support simple response
    
    This patch fixes the broken profiles resulted from https://pagure.io/dogtagpki/issue/3018.
    
    In addition, CMCResponse has been improved to handle CMC simple response.
    
    fixes https://pagure.io/dogtagpki/issue/2992
    
    Change-Id: If72aa08f044c96e4e5bd5ed98512d2936fe0d50a

Comment 13 Christina Fu 2018-06-26 23:09:17 UTC
Test procedure:
Profiles caECSimpleCMCUserCert.cfg and caSimpleCMCUserCert.cfg have now been fixed so that by default authentication is by agents
auth.instance_id=AgentCertAuth

That means from instruction in comment #3, for HttpClient, if using the default profiles, you should use ssl client auth and provide an agent cert to submit instead.

You might also notice that CMCResponse now tells users if it's a full response or a simple response.  A simple response would print out the certs but no CMC status.

Comment 15 Geetika Kapoor 2018-07-18 17:10:34 UTC
Testing Environment:
====================
# rpm -qa pki-* jss* nss* tomcat*
pki-console-10.5.1-5.el7pki.noarch
pki-base-10.5.1-14.el7_5.noarch
pki-symkey-10.5.1-14.el7_5.x86_64
pki-usgov-dod-cacerts-0.0.6-4.el7.noarch
tomcat-7.0.76-6.el7.noarch
pki-server-10.5.1-14.el7_5.noarch
pki-base-java-10.5.1-14.el7_5.noarch
pki-kra-10.5.1-14.el7_5.noarch
tomcat-servlet-3.0-api-7.0.76-6.el7.noarch
pki-core-debuginfo-10.5.1-14.el7_5.x86_64
tomcat-el-2.2-api-7.0.76-6.el7.noarch
pki-ca-10.5.1-14.el7_5.noarch
tomcat-jsp-2.2-api-7.0.76-6.el7.noarch
pki-tools-10.5.1-14.el7_5.x86_64
tomcatjss-7.2.1-7.el7_5.noarch
tomcat-lib-7.0.76-6.el7.noarch
jss-4.4.0-13.el7_5.x86_64
pki-javadoc-10.5.1-14.el7_5.noarch

Test Steps:
==========

1. Generate csr.

PKCS10Client -d test -p SECret.123 -n "uid=testuser-22,ou=People,dc=example,dc=org"  -a rsa -o abc

2. Run AtoB.

AtoB abc abcd

3. Run HttpClient.

HttpClient httpclient.cfg

host=nocp4.idm.lab.eng.rdu2.redhat.com
port=28443
secure=true

input=abcd
output=abcd.resp
tokenname=internal
dbdir=/root/subca-db/
clientmode=true
password=SECret.123
nickname=PKI CA Administrator

servlet=/ca/ee/ca/profileSubmitCMCSimple

4. Run CMCResponse.

Test Case 1: Run CMCResponse 
============================

# CMCResponse -i abcd.resp 
........

CMC Simple Response.

Result: Works as expected


Test Case 2: When we run CMCResponse with -o option and tried to save in file.
=============================================================================

CMCResponse -i abcd.resp -o abc.txt

CMC Simple Response.
Exception in thread "main" java.lang.NullPointerException
	at netscape.security.pkcs.ContentInfo.encode(ContentInfo.java:127)
	at netscape.security.pkcs.PKCS7.encodeSignedData(PKCS7.java:332)
	at netscape.security.pkcs.PKCS7.encodeSignedData(PKCS7.java:292)
	at netscape.security.pkcs.PKCS7.getBytes(PKCS7.java:485)
	at netscape.security.pkcs.PKCS7.toPEMString(PKCS7.java:493)
	at com.netscape.cmstools.CMCResponse.main(CMCResponse.java:408)

Result: Seeing NPE

Comment 16 Geetika Kapoor 2018-07-18 17:20:47 UTC
I couldn't see this issue in CMCFullResponse.
Do you think it could be because of the below header which I couldn't find in CMCSimple.

Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 1 
   Status: SUCCESS
CMC Full Response.

Comment 17 Geetika Kapoor 2018-07-18 17:29:43 UTC
Another point: here we are not doing CMCRequest, we are using AtoB, so not sure if CMCResponse will still hold good.

RFC(rfc5272) says "Controls are carried as part of both Full PKI Requests and Responses." so control part will never be there for simple.

Comment 18 Christina Fu 2018-07-18 19:02:16 UTC
A simple CMC response is just PKCS #7, so adding -o has no value to it as you already have the p7 in a file.  However, if you wish, you could file a separate bug against CMCResponse.

Regarding your quote of rfc5272 on "Controls are carried as part of both Full PKI Requests and Responses," unless I missed something, I'm not certain what you were getting at.
Both our CMC full requests and responses have controls.

I'm not sure why you were looking for controls in a simple CMC response.  It's just PKCS#7.  No controls.  It is as described in RFC5272.
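
The distinction drawn in comments 13 and 18 (a simple CMC response is plain PKCS#7 SignedData carrying certificates and no controls; a full response is SignedData whose encapsulated content is an RFC 5272 PKIResponse) can be checked directly on the bytes HttpClient writes to the output= file at step 4 of the test procedures. The script below is an added example, not Dogtag/pki-core code and not the CMCResponse tool: it carries its own minimal DER encoder and decoder, builds constructed sample blobs (placeholder certificate, no real signature, empty PKIResponse), and classifies a response by the eContentType of the SignedData, which is what a "CMC Simple Response." versus "CMC Full Response." verdict amounts to. It also reports the case from comment 7, where a bare PKCS#10 was supplied as input= and JSS failed with "Missing item #0: found UNIVERSAL 16": the first item of a CertificationRequest is a SEQUENCE, not the contentType OID a ContentInfo begins with. The OIDs are the RFC 5652 and RFC 5272 values; everything else in the samples is constructed.

```python
# Added example (not pki-core/Dogtag code): classify a CMC response blob as
# "simple" (degenerate PKCS#7 SignedData, certs only, no controls) or "full"
# (SignedData encapsulating an RFC 5272 PKIResponse), and reject a bare
# PKCS#10 passed in by mistake. The sample blobs are constructed placeholders.

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # id-signedData (RFC 5652)
OID_DATA = "1.2.840.113549.1.7.1"          # id-data
OID_PKI_RESPONSE = "1.3.6.1.5.5.7.12.3"    # id-cct-PKIResponse (RFC 5272)
SEQ, SET, OCTET, INT, BITS, OIDTAG, CTX0 = 0x30, 0x31, 0x04, 0x02, 0x03, 0x06, 0xA0


# --- minimal DER encoding, used only to build the constructed samples ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return tlv(OIDTAG, bytes(out))


# --- minimal DER decoding ---
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def children(value):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out


def decode_oid(value):
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def classify_cmc_response(blob):
    """Return "simple" or "full"; raise ValueError for anything else."""
    tag, ci, _ = read_tlv(blob)
    if tag != SEQ:
        raise ValueError("not a ContentInfo SEQUENCE")
    items = children(ci)
    if not items or items[0][0] != OIDTAG:
        # Same shape as the JSS failure in comment 7: a bare PKCS#10's first
        # item is the CertificationRequestInfo SEQUENCE (UNIVERSAL 16).
        raise ValueError("ContentInfo item #0 is not an OID (bare PKCS#10 passed as input?)")
    if decode_oid(items[0][1]) != OID_SIGNED_DATA:
        raise ValueError("contentType is not id-signedData")
    signed_data = children(items[1][1])[0][1]   # [0] EXPLICIT SignedData
    fields = children(signed_data)              # version, digestAlgorithms, encapContentInfo, ...
    encap = children(fields[2][1])
    etype = decode_oid(encap[0][1])
    has_econtent = len(encap) > 1               # eContent [0] EXPLICIT OCTET STRING present?
    if etype == OID_PKI_RESPONSE and has_econtent:
        return "full"                           # controls live inside the PKIResponse
    if not has_econtent:
        return "simple"                         # certs-only SignedData: no PKIResponse, no controls
    raise ValueError("unexpected eContentType " + etype)


# --- constructed samples: placeholder certificate, empty signerInfos ---
def signed_data(encap_content_info, certs):
    body = tlv(INT, b"\x01") + tlv(SET, b"") + encap_content_info
    body += tlv(CTX0, certs)                    # certificates [0] IMPLICIT CertificateSet
    body += tlv(SET, b"")                       # signerInfos
    return tlv(SEQ, oid(OID_SIGNED_DATA) + tlv(CTX0, tlv(SEQ, body)))


FAKE_CERT = tlv(SEQ, tlv(SEQ, b"") + tlv(SEQ, b"") + tlv(BITS, b"\x00"))
SIMPLE_RESPONSE = signed_data(tlv(SEQ, oid(OID_DATA)), FAKE_CERT)
PKI_RESPONSE = tlv(SEQ, tlv(SEQ, b"") + tlv(SEQ, b"") + tlv(SEQ, b""))   # empty controlSequence etc.
FULL_RESPONSE = signed_data(
    tlv(SEQ, oid(OID_PKI_RESPONSE) + tlv(CTX0, tlv(OCTET, PKI_RESPONSE))), FAKE_CERT)
# Bare CertificationRequest: item #0 is CertificationRequestInfo (a SEQUENCE), not an OID.
RAW_PKCS10 = tlv(SEQ, tlv(SEQ, tlv(INT, b"\x00")) + tlv(SEQ, oid("1.2.840.113549.1.1.11")) + tlv(BITS, b"\x00"))

if __name__ == "__main__":
    for name, blob in [("simple", SIMPLE_RESPONSE), ("full", FULL_RESPONSE), ("pkcs10", RAW_PKCS10)]:
        try:
            print(name, "->", classify_cmc_response(blob))
        except ValueError as e:
            print(name, "-> rejected:", e)
```

To run it against a real response, read the file named by output= in the HttpClient config as bytes and pass it to classify_cmc_response(). The classifier only inspects structure (contentType, eContentType, presence of eContent); it does not verify the SignedData signature, which a real client must still do before trusting the certificates it extracts.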

Comment 19 Geetika Kapoor 2018-07-19 10:11:01 UTC
Yeah, simple CMC Response doesn't have controls. We can probably add that -o holds good only for Full PKI Response in the man page of CMCResponse, because any user can get into this NPE.
I will raise a low priority bug and if you think making a man page change would do we can possibly convert it into a man page bug.

Comment 21 errata-xmlrpc 2018-08-16 14:20:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2306

