RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1582323 - DER encoding error for enumerated types with a value of zero
Summary: DER encoding error for enumerated types with a value of zero
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: jss
Version: 7.6
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Alex Scheel
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-24 21:11 UTC by Alex Wood
Modified: 2019-08-06 13:07 UTC (History)
4 users (show)

Fixed In Version: jss-4.4.6-1.el7
Doc Type: Bug Fix
Doc Text:
Cause: A bug in the DER encoder causes JSS to generate incorrect CRL entries when the revocation reason is "unspecified". This resulted in zero-length integer values, while DER specifies that all integer values must have length at least one. Result: JSS will now generate correct DER encodings of CRLs.
Clone Of:
Environment:
Last Closed: 2019-08-06 13:06:56 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Test case to replicate error (8.17 KB, text/x-csrc)
2018-05-24 21:11 UTC, Alex Wood
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2219 0 None None None 2019-08-06 13:07:03 UTC

Description Alex Wood 2018-05-24 21:11:21 UTC
Created attachment 1441245 [details]
Test case to replicate error

Description of problem:
Creating a CRL entry with a CRL Reason of "unspecified" (which has a value of 0) results in an encoding error due to the way JSS encodes ASN.1 enumerations in DerOutputStream.  Instead of encoding the enumeration as 0x0A0100, the value portion of the TLV is omitted and it's encoded as 0x0A00.

From what I can tell from X.690 (https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf), "The encoding of an enumerated value shall be that 
of the integer value with which it is associated" and for integers "The encoding of an integer value shall be primitive. The contents octets shall consist of one or more octets."


Version-Release number of selected component (if applicable): 4.4


How reproducible: Always


Steps to Reproduce:
1. Compile and run the attached test case:

% javac -cp ~/.m2/repository/org/mozilla/jss/4.4.0/jss-4.4.0.jar EnumerationZeroTest.java                                               

% java -cp ~/.m2/repository/org/mozilla/jss/4.4.0/jss-4.4.0.jar:. -Djava.library.path=/usr/lib64/jss EnumerationZeroTest


Actual results: The JDK X509CRL class cannot parse the generated CRL due to the way that the CRL reason is encoded.  Instead of being encoded as 0x0A0100, it's encoded as 0x0A00.

Full encoded extension: 30090603551d1504020a00  Encoded CRL Reason: 0a00        Reason value: 0
Full encoded extension: 300a0603551d1504030a0101        Encoded CRL Reason: 0a0101      Reason value: 1

The JDK then throws an error when attempting to generate the CRL: "java.security.cert.CRLException: Invalid encoding: zero length Int value"


Expected results: The reason is encoded as 0x0A0100

Comment 2 Matthew Harmsen 2018-06-27 01:17:21 UTC
Moved to RHEL 7.7 due to lack of development resource time.

Comment 3 Alex Scheel 2019-01-14 14:43:13 UTC
This will be present in the RHEL 7.7 rebase due to bz#1659527.

Upstream commit: https://github.com/dogtagpki/jss/commit/fc3197ee80753d6a25956ad8c1d931fa94213661

Comment 8 Pritam Singh 2019-05-03 13:59:34 UTC
jss version:
# rpm -qa | grep jss
jss-4.4.6-1.el7.x86_64
tomcatjss-7.2.1-8.el7_6.noarch

pki version:
# rpm -qa | grep pki-*
pki-symkey-10.5.16-2.el7.x86_64
redhat-pki-server-theme-10.5.16-1.el7pki.noarch
pki-kra-10.5.16-2.el7.noarch
pki-tks-10.5.16-2.el7pki.noarch
pki-base-java-10.5.16-2.el7.noarch
pki-ca-10.5.16-2.el7.noarch
pki-ocsp-10.5.16-2.el7pki.noarch
redhat-pki-console-theme-10.5.16-1.el7pki.noarch
pki-tps-10.5.16-2.el7pki.x86_64
pki-tools-10.5.16-2.el7.x86_64
pki-server-10.5.16-2.el7.noarch
pki-console-10.5.16-1.el7pki.noarch
redhat-pki-10.5.16-1.el7pki.noarch
pki-base-10.5.16-2.el7.noarch

Step of reproduction:

# javac -cp /usr/lib64/jss/jss4.jar EnumerationZeroTest.java
# java -cp /usr/lib64/jss/jss4.jar:. -Djava.library.path=/usr/lib64/jss EnumerationZeroTest

Proof of concept:
File has been attached.

Please find the attached test result and let me know if it needs additional test approach.
Compiled the test and analysed that its matching the expected result without generating any exception on jss-4.4.6-1.

Hence marking this bz verified.

Comment 10 errata-xmlrpc 2019-08-06 13:06:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2219


Note You need to log in before you can comment on or make changes to this bug.