Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Cause:
A bug in the DER encoder causes JSS to generate incorrect CRL entries when the revocation reason is "unspecified". This resulted in zero-length integer values, while DER specifies that all integer values must have length at least one.
Result:
JSS will now generate correct DER encodings of CRLs.
Created attachment 1441245[details]
Test case to replicate error
Description of problem:
Creating a CRL entry with a CRL Reason of "unspecified" (which has a value of 0) results in an encoding error due to the way JSS encodes ASN.1 enumerations in DerOutputStream. Instead of encoding the enumeration as 0x0A0100, the value portion of the TLV is omitted and it's encoded as 0x0A00.
From what I can tell from X.690 (https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf), "The encoding of an enumerated value shall be that
of the integer value with which it is associated" and for integers "The encoding of an integer value shall be primitive. The contents octets shall consist of one or more octets."
Version-Release number of selected component (if applicable): 4.4
How reproducible: Always
Steps to Reproduce:
1. Compile and run the attached test case:
% javac -cp ~/.m2/repository/org/mozilla/jss/4.4.0/jss-4.4.0.jar EnumerationZeroTest.java
% java -cp ~/.m2/repository/org/mozilla/jss/4.4.0/jss-4.4.0.jar:. -Djava.library.path=/usr/lib64/jss EnumerationZeroTest
Actual results: The JDK X509CRL class cannot parse the generated CRL due to the way that the CRL reason is encoded. Instead of being encoded as 0x0A0100, it's encoded as 0x0A00.
Full encoded extension: 30090603551d1504020a00 Encoded CRL Reason: 0a00 Reason value: 0
Full encoded extension: 300a0603551d1504030a0101 Encoded CRL Reason: 0a0101 Reason value: 1
The JDK then throws an error when attempting to generate the CRL: "java.security.cert.CRLException: Invalid encoding: zero length Int value"
Expected results: The reason is encoded as 0x0A0100
jss version:
# rpm -qa | grep jss
jss-4.4.6-1.el7.x86_64
tomcatjss-7.2.1-8.el7_6.noarch
pki version:
# rpm -qa | grep pki-*
pki-symkey-10.5.16-2.el7.x86_64
redhat-pki-server-theme-10.5.16-1.el7pki.noarch
pki-kra-10.5.16-2.el7.noarch
pki-tks-10.5.16-2.el7pki.noarch
pki-base-java-10.5.16-2.el7.noarch
pki-ca-10.5.16-2.el7.noarch
pki-ocsp-10.5.16-2.el7pki.noarch
redhat-pki-console-theme-10.5.16-1.el7pki.noarch
pki-tps-10.5.16-2.el7pki.x86_64
pki-tools-10.5.16-2.el7.x86_64
pki-server-10.5.16-2.el7.noarch
pki-console-10.5.16-1.el7pki.noarch
redhat-pki-10.5.16-1.el7pki.noarch
pki-base-10.5.16-2.el7.noarch
Step of reproduction:
# javac -cp /usr/lib64/jss/jss4.jar EnumerationZeroTest.java
# java -cp /usr/lib64/jss/jss4.jar:. -Djava.library.path=/usr/lib64/jss EnumerationZeroTest
Proof of concept:
File has been attached.
Please find the attached test result and let me know if it needs additional test approach.
Compiled the test and analysed that its matching the expected result without generating any exception on jss-4.4.6-1.
Hence marking this bz verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2019:2219