1630469 – CC: tomcatjss: unable to enable OCSP checking from peer AIA extension

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1630469 - CC: tomcatjss: unable to enable OCSP checking from peer AIA extension

Summary: CC: tomcatjss: unable to enable OCSP checking from peer AIA extension

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	tomcatjss
Sub Component:
Version:	7.6
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Jack Magne
QA Contact:	Asha Akkiangady
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1631645 1632618 1636564
TreeView+	depends on / blocked

Reported:	2018-09-18 17:35 UTC by Christina Fu
Modified:	2019-06-20 18:52 UTC (History)
CC List:	6 users (show)
Fixed In Version:	tomcatjss-7.2.1-8.el7_6
Doc Type:	No Doc Update
Doc Text:	This is just fixing something that is supposed to work already.
Clone Of:
Clones:	1631645 1632618 1636564 (view as bug list)
Environment:
Last Closed:	2019-06-20 18:52:55 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Downstream fix for issue. (1.09 KB, patch) 2018-09-20 23:26 UTC, Jack Magne	edewata: review+	Details \| Diff
Upstream version for master , of patch (1.44 KB, patch) 2018-09-21 00:24 UTC, Jack Magne	no flags	Details \| Diff
Revised upstream fix. (1.23 KB, patch) 2018-09-21 01:07 UTC, Jack Magne	no flags	Details \| Diff
Show Obsolete (1) View All

Description Christina Fu 2018-09-18 17:35:41 UTC

This issue was raised by our lab and confirmed by jmagne.

jmagne's tests concluded that our current tomcatjss seems to lack a way to enable ocsp to check its peer's AIA extension instead of the default url set in server.xml.

See the following for detail (under the section "AIA"):
https://docs.google.com/document/d/1TqBV_LR4DSgxS9ZilIrgtLtT9PGEx9BvKJv4qQHsSQ0/edit#

Comment 2 Christina Fu 2018-09-18 17:56:34 UTC

Note: please make sure it can be configured to check for AIA when RHCS is acting as a client and as a server.

Comment 4 Jack Magne 2018-09-20 23:26:28 UTC

Created attachment 1485347 [details]
Downstream fix for issue.

Comment 5 Jack Magne 2018-09-21 00:24:30 UTC

Created attachment 1485353 [details]
Upstream version for master , of patch

Comment 6 Endi Sukma Dewata 2018-09-21 00:37:42 UTC

I think the upstream patch can be simplified as follows:

logger.debug("ocspResponderURL: " + ocspResponderURL);
if (StringUtils.isEmpty(ocspResponderURL)) {
    ocspResponderURL = null;
}

logger.debug("ocspResponderCertNickname: " + ocspResponderCertNickname);
if (StringUtils.isEmpty(ocspResponderCertNickname)) {
    ocspResponderCertNickname = null;
}

if (ocspResponderURL == null && ocspResponderCertNickname != null) {
    throw new Exception("Missing OCSP responder URL");
}

if (ocspResponderURL != null && ocspResponderCertNickname == null) {
    throw new Exception("Missing OCSP responder certificate nickname");
}

It will also provide more descriptive error messages.

Comment 7 Jack Magne 2018-09-21 00:47:08 UTC

I like this version, will test it out and make double sure it does the job.

Comment 8 Jack Magne 2018-09-21 01:07:01 UTC

Created attachment 1485355 [details]
Revised upstream fix.

Comment 9 Jack Magne 2018-09-21 01:15:52 UTC

Commit master / upstream :

commit 84ce990707481556e5ba8070b54e830bc6aef7c7 (HEAD -> master, origin/master, origin/HEAD)
Author: Jack Magne <jmagne>
Date:   Thu Sep 20 18:10:09 2018 -0700

    Fix for Bug 1630469 - CC: tomcatjss: unable to enable OCSP checking from peer AIA extension.
    
    Now the server.xml can be configured to enable ocsp AND leave other settings null, to trigger
    NSS to use the AIA extension to locate the ocsp responder.
    
    ex:
    
     <Connector name="Secure" port="18443" ...
         .....
         enableOCSP="true"  ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10"

Comment 10 Jack Magne 2018-09-21 01:51:17 UTC

Commit downstream / origin/TOMCATJSS_7_2_BRANCH

commit c7e9138d59833ca0b9437fd130d3d9cb2fdf393d
Author: John Magne <jmagne.redhat.com>
Date:   Thu Sep 20 21:35:20 2018 -0400

    Fix for Bug 1630469 - CC: tomcatjss: unable to enable OCSP checking from peer AIA extension.
    
        Now the server.xml can be configured to enable ocsp AND leave other settings null, to trigger
        NSS to use the AIA extension to locate the ocsp responder.
    
        ex:
    
         <Connector name="Secure" port="18443" ...
             .....
             enableOCSP="true"  ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10"

Comment 11 Jack Magne 2018-09-21 01:57:38 UTC

Testing instructions:

In order to test this functionality do the following:

Create a CA
Create a KRA and make sure the AIA extension of each system cert for the KRA points to something like this:

http://test.host.com:8080/ca/ocsp

This is what you get by default if a simple kra install is done and points to the security domain of the CA during pkispawn.

Stop the KRA and reconfigure the Connector of the SSL port in the kra instances "server.xml" file such as this:

<Connector name="Secure" port="18443" ...
             .....
             enableOCSP="true"  ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10"

Note that we have left out the settings for ocspResponderURL and ocspSigingCertNickname, or whatever the actual strings are. This means that ONLY enableOCSP="true" is set. This means that NSS will ultimately be forced to find the ocsp responder url from a given cert's AIA extension, instead of a default value we may have configured here.

Now restart the KRA while putting a tail on teh CA's log.

While the KRA restarts we should observe the CA's internal ocsp responder coming to life, verifying various certs associated with the KRA.


Note: That of course certs can be applied for with the AIA extension pointing to  outboard ocsp responders as well. When we want specific certs to hit specific responders, this is how it should be tested.

Note You need to log in before you can comment on or make changes to this bug.