This bug has been copied from bug #1562841 and has been proposed to be backported to 7.5 z-stream (EUS).
Christina Fu 2018-04-20 16:16:08 EDT

commit 203db212a3dce216687dd2aac349fe37d2e92a96 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH, ticket-2992-simpleCMC)
Author: Christina Fu <cfu>
Date:   Thu Apr 19 17:11:34 2018 -0700

    Ticket #2992 servlet profileSubmitCMCSimple throws NPE

    This patch addresses the issue that when auth.instance_id is not specified in the profile, an NPE is thrown.
    The alternative is to add an auth.instance_id value, but it's better to leave this as manual approval only without changing the functionality.

    fixes https://pagure.io/dogtagpki/issue/2992
    Change-Id: I0a3afca1c66af96917a81c94b088d792f0332a4d
Christina Fu 2018-04-20 16:32:54 EDT

Suggested test procedure for QE:

Please note that due to the lack of security provisions like the Full CMC requests, we should just keep the auth.instance_id value empty, which will then require a CA agent to manually approve the request.

1. Run PKCS10Client to generate a PKCS#10 request, e.g.
   PKCS10Client -d . -p myPass -n "cn=just me cfu, uid=cfu" -o pkcs10.req.pem
2. Run AtoB to convert the PEM file produced by PKCS10Client above to binary:
   AtoB pkcs10.req.pem pkcs10.req
3. Create an HttpClient file as you would normally, but pay special attention to:
   - input : the binary request above (e.g. pkcs10.req)
   - clientmode : false if this is a non-agent user (I think it suffices to just do this)
   - servlet=/ca/ee/ca/profileSubmitCMCSimple?profileId=caECSimpleCMCUserCert
4. Run HttpClient against the HttpClient file above.
5. As a CA agent, check if the request shows up.
6. Manually approve it and see if the cert gets issued.

Please note that although technically it is possible to add auth.instance_id to the profile, as we don't want to encourage auth-approval for simple CMC for the security reasons above, the above steps for testing should be sufficient.
Hi Christina,

While testing I did the same as you have mentioned.

1. Run PKCS10Client to generate a PKCS#10 request, e.g.
   PKCS10Client -d /root/ECC_setup/nssdb/ -p SECret.123 -a ec -c nistp256 -o pkcs10.req.ecc -n "cn=audittesting,uid=testing"
2. Run AtoB to convert the PEM file produced by PKCS10Client above to binary:
   AtoB pkcs10.req.ecc binary
3. Create an HttpClient file; the attributes are:
   secure=true
   input=binary
   output=cmc.role_p10-ec.resp.binary
   tokenname=internal
   dbdir=/root/ECC_setup/nssdb
   clientmode=true
   password=SECret.123
   nickname=PKI CA Administrator
   servlet=/ca/ee/ca/profileSubmitCMCSimple?profileId=caECSimpleCMCUserCert
4. Run HttpClient against the HttpClient file above:

[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: ProfileSubmitServlet: profile: caECSimpleCMCUserCert
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CAProcessor: Input Parameters:
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CAProcessor: - isRenewal: false
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CAProcessor: - remoteHost: 10.67.116.128
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CAProcessor: - profileId: caECSimpleCMCUserCert
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CAProcessor: - cert_request: (sensitive)
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CAProcessor: - remoteAddr: 10.67.116.128
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollmentProcessor: isRenewal false
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollmentProcessor: profileId caECSimpleCMCUserCert
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollmentProcessor: set Inputs into profile Context
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollmentProcessor: set sslClientCertProvider
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollProfile: createRequests: begins
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollProfile: createRequests: request type is null
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: Repository: in getNextSerialNumber.
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: Repository: checkRange mLastSerialNo=76
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: Repository: getNextSerialNumber: returning retSerial 76
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollProfile: setDefaultCertInfo: setting issuerDN using exact CA signing cert subjectDN encoding
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollProfile: createEnrollmentRequest 76
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CertProcessor: profileSetid=cmcUserCertSet
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CertProcessor: request 76
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CertProcessor: populating request inputs
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CMCCertReqInput: populate: begins
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollProfile: getPKIDataFromCMCblob: starts
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: EnrollProfile: getPKIDataFromCMCblob: org.mozilla.jss.asn1.InvalidBERException: SEQUENCE(item #0) >> Missing item #0: found UNIVERSAL 16
Invalid Request
	at com.netscape.cms.profile.common.EnrollProfile.getPKIDataFromCMCblob(EnrollProfile.java:637)
	at com.netscape.cms.profile.input.CMCCertReqInput.populate(CMCCertReqInput.java:105)
	at com.netscape.cms.profile.common.BasicProfile.populateInput(BasicProfile.java:1090)
	at com.netscape.cms.profile.common.EnrollProfile.populateInput(EnrollProfile.java:2574)
	at com.netscape.cms.servlet.cert.CertProcessor.populateRequests(CertProcessor.java:374)
	at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:188)
	at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:96)
	at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:244)
	at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:129)
	at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:512)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
	at sun.reflect.GeneratedMethodAccessor41.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at sun.reflect.GeneratedMethodAccessor40.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: org.mozilla.jss.asn1.InvalidBERException: SEQUENCE(item #0) >> Missing item #0: found UNIVERSAL 16
	at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:357)
	at org.mozilla.jss.pkix.cms.ContentInfo$Template.decode(ContentInfo.java:220)
	at org.mozilla.jss.pkix.cms.ContentInfo$Template.decode(ContentInfo.java:213)
	at com.netscape.cms.profile.common.EnrollProfile.getPKIDataFromCMCblob(EnrollProfile.java:612)
	... 56 more
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: ProfileSubmitServlet: error in processing request: Invalid Request
[12/Jun/2018:07:12:16][http-bio-20443-exec-16]: CMSServlet: curDate=Tue Jun 12 07:12:16 EDT 2018 id=caProfileSubmit time=11
Earlier, when I raised this issue, it failed with an NPE; now I am seeing a different issue which says "Invalid Request". It could be possible that the above request has issues.

Earlier:
=======
1. Open /usr/share/pki/ca/webapps/ca/WEB-INF/web.xml:

   <servlet>
     <servlet-name>caProfileSubmitCMCSimple</servlet-name>
     <servlet-class>com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet</servlet-class>
     <init-param>
       <param-name>GetClientCert</param-name>
       <param-value>true</param-value>
     </init-param>

2. Restart the CA instance.
3. PKCS10Client -d test -p SECret.123 -n "uid=testuser-22,ou=People,dc=example,dc=org" -a rsa -o abc
4. AtoB abc abcd
5. HttpClient httpclient.cfg
6. httpclient.cfg file:

[root@nocp1 ~]# cat httpclient.cfg
#host: host name for the http server
#host=csqa4-guest04.idm.lab.eng.rdu.redhat.com
host=nocp1.idm.lab.eng.rdu2.redhat.com
#port: port number
port=20443
#secure: true for secure connection, false for nonsecure connection
#For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command
secure=true
#input: full path for the enrollment request, the content must be in binary format
input=abcd
#output: full path for the response in binary format
output=abcde
#tokenname: name of token where SSL client authentication cert can be found (default is internal)
#This parameter will be ignored if secure=false
tokenname=internal
#dbdir: directory for cert8.db, key3.db and secmod.db
#This parameter will be ignored if secure=false
dbdir=/root/test
#clientmode: true for client authentication, false for no client authentication
#This parameter will be ignored if secure=false
clientmode=true
#password: password for cert8.db
#This parameter will be ignored if secure=false and clientauth=false
password=SECret.123
#nickname: nickname for client certificate
#This parameter will be ignored if clientmode=false
#nickname=PKI CA Administrator
nickname=PKI CA Administrator for Non-TMS-CA
#servlet: servlet name
servlet=/ca/ee/ca/profileSubmitCMCSimple

7. Debug logs:

[02/Apr/2018:12:29:17][http-bio-20443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCSimple is LDAP based, not XML {1}, use default authz mgr: {2}.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitCMCSimple is LDAP based, not XML {1}, use default authz mgr: {2}.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitCMCSimple
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: caProfileSubmitCMCSimple start to service.
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Start of ProfileSubmitCMCServlet Input Parameters
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: End of ProfileSubmitCMCServlet Input Parameters
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: start serving
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: SubId=profile
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: profileId caSimpleCMCUserCert
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: authenticator not found
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: set Inputs into Context
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: ProfileSubmitCMCServlet: set sslClientCertProvider
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: in auditSubjectID
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet: auditSubjectID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@797ce46b, profileContext=com.netscape.cms.profile.common.ProfileContext@74b5ced1}
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: CMSServlet auditSubjectID: subjectID: null
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: SignedAuditLogger: event CMC_REQUEST_RECEIVED
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: Caught exception in renderFinalError: java.lang.NullPointerException
	at com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet.process(ProfileSubmitCMCServlet.java:512)
	at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:512)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
[02/Apr/2018:12:29:18][http-bio-20443-exec-1]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED
Since it is seen by everyone, marking this bug as "assigned"
https://review.gerrithub.io/c/dogtagpki/pki/+/416891
commit cf1b83ed6e7be07636c3deac770d586433d80f9e (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date:   Tue Jun 26 15:16:53 2018 -0700

    Ticket 2992 CMC Simple request profiles and CMCResponse to support simple response

    This patch fixes the broken profiles resulting from https://pagure.io/dogtagpki/issue/3018.
    In addition, CMCResponse has been improved to handle CMC simple response.

    fixes https://pagure.io/dogtagpki/issue/2992
    Change-Id: If72aa08f044c96e4e5bd5ed98512d2936fe0d50a
Test procedure:

Profiles caECSimpleCMCUserCert.cfg and caSimpleCMCUserCert.cfg have now been fixed so that by default authentication is by agents:
    auth.instance_id=AgentCertAuth

That means, from the instruction in comment #3, for HttpClient, if using the default profiles, you should use SSL client auth and provide an agent cert to submit instead.

You might also notice that CMCResponse now tells users if it's a full response or a simple response. A simple response would print out the certs but no CMC status.
Testing Environment:
====================
# rpm -qa pki-* jss* nss* tomcat*
pki-console-10.5.1-5.el7pki.noarch
pki-base-10.5.1-14.el7_5.noarch
pki-symkey-10.5.1-14.el7_5.x86_64
pki-usgov-dod-cacerts-0.0.6-4.el7.noarch
tomcat-7.0.76-6.el7.noarch
pki-server-10.5.1-14.el7_5.noarch
pki-base-java-10.5.1-14.el7_5.noarch
pki-kra-10.5.1-14.el7_5.noarch
tomcat-servlet-3.0-api-7.0.76-6.el7.noarch
pki-core-debuginfo-10.5.1-14.el7_5.x86_64
tomcat-el-2.2-api-7.0.76-6.el7.noarch
pki-ca-10.5.1-14.el7_5.noarch
tomcat-jsp-2.2-api-7.0.76-6.el7.noarch
pki-tools-10.5.1-14.el7_5.x86_64
tomcatjss-7.2.1-7.el7_5.noarch
tomcat-lib-7.0.76-6.el7.noarch
jss-4.4.0-13.el7_5.x86_64
pki-javadoc-10.5.1-14.el7_5.noarch

Test Steps:
==========
1. Generate a CSR:
   PKCS10Client -d test -p SECret.123 -n "uid=testuser-22,ou=People,dc=example,dc=org" -a rsa -o abc
2. Run AtoB:
   AtoB abc abcd
3. Run HttpClient:
   HttpClient httpclient.cfg

   host=nocp4.idm.lab.eng.rdu2.redhat.com
   port=28443
   secure=true
   input=abcd
   output=abcd.resp
   tokenname=internal
   dbdir=/root/subca-db/
   clientmode=true
   password=SECret.123
   nickname=PKI CA Administrator
   servlet=/ca/ee/ca/profileSubmitCMCSimple
4. Run CMCResponse.

Test Case 1: Run CMCResponse
============================
# CMCResponse -i abcd.resp
........
CMC Simple Response.

Result: Works as expected

Test Case 2: Run CMCResponse with the -o option and try to save the output to a file.
=============================================================================
CMCResponse -i abcd.resp -o abc.txt
CMC Simple Response.
Exception in thread "main" java.lang.NullPointerException
	at netscape.security.pkcs.ContentInfo.encode(ContentInfo.java:127)
	at netscape.security.pkcs.PKCS7.encodeSignedData(PKCS7.java:332)
	at netscape.security.pkcs.PKCS7.encodeSignedData(PKCS7.java:292)
	at netscape.security.pkcs.PKCS7.getBytes(PKCS7.java:485)
	at netscape.security.pkcs.PKCS7.toPEMString(PKCS7.java:493)
	at com.netscape.cmstools.CMCResponse.main(CMCResponse.java:408)

Result: Seeing NPE
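The following is an added example, not code from this bug thread or from Dogtag PKI, that ties together the test procedure repeated in the comments above (PKCS10Client, AtoB, HttpClient) and the InvalidBERException from the earlier run. A CMS ContentInfo begins with an OBJECT IDENTIFIER (UNIVERSAL 6), whereas a PKCS#10 CertificationRequest begins with the CertificationRequestInfo SEQUENCE (UNIVERSAL 16); handing a raw PKCS#10 to the JSS ContentInfo decoder is what produces "SEQUENCE(item #0) >> Missing item #0: found UNIVERSAL 16". The script below re-implements what AtoB does (strip PEM armor, base64-decode), classifies the blob before submitting it, and renders the HttpClient config with clientmode/nickname set for agent client auth as the fixed profiles require. Assumptions: the tool flags mirror those used in the thread, the PEM armor label written by PKCS10Client is not confirmed here (any -----BEGIN/END ...----- line is stripped), and all byte samples, host names, paths and passwords are constructed.

```python
"""Pre-flight for a simple CMC submission to /ca/ee/ca/profileSubmitCMCSimple.

Added example, not code from the bug thread or from Dogtag PKI. Assumptions:
tool flags mirror the thread; the PEM armor label is not confirmed, so any
-----BEGIN/END ...----- line is stripped; samples, hosts, paths and
passwords are constructed.
"""
import base64
import re
import subprocess
from pathlib import Path

# id-signedData: the CMS wrapper a *full* CMC request/response is carried in
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"


def pem_to_der(text: str) -> bytes:
    """Equivalent of AtoB: drop PEM armor and whitespace, base64-decode the rest."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", text)
    return base64.b64decode("".join(body.split()))


def _read_tlv(buf: bytes, pos: int):
    """Minimal DER tag/length reader: returns (tag, value, position after)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def classify_request(der: bytes) -> str:
    """Tell a raw PKCS#10 CertificationRequest from a CMS ContentInfo.

    ContentInfo's first element is an OBJECT IDENTIFIER (UNIVERSAL 6);
    CertificationRequest's first element is the CertificationRequestInfo
    SEQUENCE (UNIVERSAL 16), which is what the JSS error in the thread reports.
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        return "not-a-sequence"
    first_tag, first_val, _ = _read_tlv(body, 0)
    if first_tag == 0x06:
        return "cms-contentinfo:" + _decode_oid(first_val)
    if first_tag == 0x30:
        return "pkcs10"
    return "unknown-first-tag:%d" % first_tag


def httpclient_cfg(host, port, input_path, output_path, dbdir, password,
                   nickname, profile_id="caSimpleCMCUserCert", client_auth=True) -> str:
    """Render the HttpClient config used in the thread.

    With the fixed profiles (auth.instance_id=AgentCertAuth) the request must go
    over TLS client auth with an agent certificate: clientmode=true and nickname
    naming that agent cert. client_auth=False is the non-agent submission from
    the first test procedure, which relies on the profile having no
    auth.instance_id and on an agent approving the request by hand.
    """
    lines = [f"host={host}", f"port={port}", "secure=true",
             f"input={input_path}", f"output={output_path}",
             "tokenname=internal", f"dbdir={dbdir}",
             f"clientmode={'true' if client_auth else 'false'}",
             f"password={password}"]
    if client_auth:
        lines.append(f"nickname={nickname}")
    lines.append(f"servlet=/ca/ee/ca/profileSubmitCMCSimple?profileId={profile_id}")
    return "\n".join(lines) + "\n"


def submit(workdir: Path, subject: str, **cfg) -> str:
    """Steps 1-4 of the thread's procedure, refusing to submit a blob that is not
    a PKCS#10 (a CMS ContentInfo is a full CMC request, not a simple one)."""
    pem, der = workdir / "pkcs10.req.pem", workdir / "pkcs10.req"
    cfgfile = workdir / "httpclient.cfg"
    subprocess.run(["PKCS10Client", "-d", cfg["dbdir"], "-p", cfg["password"],
                    "-n", subject, "-o", str(pem)], check=True)
    blob = pem_to_der(pem.read_text())          # same as: AtoB pkcs10.req.pem pkcs10.req
    kind = classify_request(blob)
    if kind != "pkcs10":
        raise ValueError(f"refusing to submit: input is {kind}, not a PKCS#10 request")
    der.write_bytes(blob)
    cfgfile.write_text(httpclient_cfg(input_path=str(der),
                                      output_path=str(workdir / "cmc.resp"), **cfg))
    subprocess.run(["HttpClient", str(cfgfile)], check=True)
    return kind


# Constructed DER skeletons (structure only, not real requests), used for testing.
SAMPLE_PKCS10_DER = bytes.fromhex("300730003000030100")              # SEQ{SEQ{},SEQ{},BIT STRING}
SAMPLE_CMS_DER = bytes.fromhex("300f06092a864886f70d010702a0023000")  # SEQ{OID signedData,[0]{SEQ{}}}
SAMPLE_PKCS10_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
                     "MAcwADAAAwEA\n"
                     "-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    for name, blob in (("pkcs10", SAMPLE_PKCS10_DER), ("cms", SAMPLE_CMS_DER)):
        print(name, "->", classify_request(blob))
```

Running the module prints the classification of the two constructed skeletons; in practice you would call submit() with the host, port, dbdir, password and agent nickname from your own httpclient.cfg, and the ValueError path is the check that would have flagged a CMS blob before the CA ever saw it.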
I couldn't see this issue in CMCFullResponse. Do you think it could be because of the below header, which I couldn't find in CMCSimple?

Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 1
   Status: SUCCESS
CMC Full Response.
Another point: here we are not doing CMCRequest, we are using AtoB, so I am not sure if CMCResponse will still hold good. RFC 5272 says "Controls are carried as part of both Full PKI Requests and Responses.", so the control part will never be there for simple.
A simple CMC response is just PKCS #7, so adding -o has no value to it as you already have the p7 in a file. However, if you wish, you could file a separate bug against CMCResponse. Regarding your quote of rfc5272 on "Controls are carried as part of both Full PKI Requests and Responses," unless I missed something, I'm not certain what you were getting at. Both our CMC full requests and responses have controls. I'm not sure why you were looking for controls in a simple CMC response. It's just PKCS#7. No controls. It is as described in RFC5272.
Yeah, a simple CMC response doesn't have controls. We can probably add to the CMCResponse man page that -o holds good only for a Full PKI Response, because any user can get into this NPE. I will raise a low priority bug, and if you think a man page change would do, we can possibly convert it into a man page bug.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:2306