Bug 1664435 - Error instantiating class for challenge_password with SCEP request
Summary: Error instantiating class for challenge_password with SCEP request
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.4
Assignee: Christina Fu
QA Contact: PKI QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-01-08 19:09 UTC by Rob Crittenden
Modified: 2021-05-18 15:25 UTC

Fixed In Version: pki-core-10.6-8040020210209003343.d4d99205
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:25:13 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
debug log showing full request (45.26 KB, text/plain)
2019-01-08 19:09 UTC, Rob Crittenden

Description Rob Crittenden 2019-01-08 19:09:03 UTC
Description of problem:

Unable to issue a certificate over SCEP.

2019-01-08 14:01:17 [http-nio-8080-exec-11] FINE: failed to unwrap PKCS10 java.io.IOException: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword

I don't know if this is a misconfiguration, bad signing or something else.

Version-Release number of selected component (if applicable):
pki-ca-10.6.8-3.fc28.noarch

Steps to Reproduce:
1. ipa-server-install
2. configure SCEP per https://www.dogtagpki.org/wiki/SCEP_Setup but set 
ca.scep.allowedEncryptionAlgorithms=DES,DES3
ca.scep.allowedHashAlgorithms=SHA256,SHA512,MD5
ca.scep.enable=true
ca.scep.encryptionAlgorithm=DES
ca.scep.hashAlgorithm=MD5
3. Issue a request using https://www.dogtagpki.org/wiki/SSCEP

Actual results:

2019-01-08 14:01:17 [http-nio-8080-exec-11] FINE: failed to unwrap PKCS10 java.io.IOException: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword
2019-01-08 14:01:17 [http-nio-8080-exec-11] FINE: ServletException javax.servlet.ServletException: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword

Note that there are a bunch of tracebacks, some of which are expected and fine due to dogtag not completely implementing the SCEP protocol (GetCACaps, GetCACertChain). This has not proven to be a source of problems in the past.

Comment 1 Rob Crittenden 2019-01-08 19:09:54 UTC
Created attachment 1519264
debug log showing full request

Comment 2 Ben Cotton 2019-05-02 20:03:39 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 3 Pavel 2019-09-06 09:45:11 UTC
I have the same issue.
Fedora 29. 
pki-server-10.8.0-0.1.fc30.noarch

Is there a chance for sorting it out ?

Comment 4 Ben Cotton 2019-10-31 18:52:17 UTC
This message is a reminder that Fedora 29 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 29 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 5 Rob Crittenden 2020-02-27 19:35:42 UTC
Still reproducible in F30 with pki-ca-10.7.3-3.fc30.noarch

Some people have inquired about enabling SCEP on an IPA master, and this failure is a blocker for that.

Comment 7 Ben Cotton 2020-11-03 15:07:08 UTC
This message is a reminder that Fedora 31 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '31'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 31 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 8 Rob Crittenden 2020-11-03 16:24:36 UTC
Still occurring with pki-ca-10.10.0-0.2.beta1.20201023203338UTC.42ab987a.fc32

Comment 9 Christina Fu 2020-12-16 23:57:24 UTC
I ran into this too.

This might have to do with how PKCS10Attribute was moved from pki netscape.security.pkcs.PKCS10Attributes into jss org.mozilla.jss.netscape.security.pkcs.PKCS10Attributes

However, oddly, I received PRs for review in the SCEP area for the master branch just 3 months ago... that makes me wonder how the person did not run into this.
We'll investigate.

Comment 10 Christina Fu 2020-12-17 00:15:13 UTC
OK, I think we just need to move ChallengePassword.java into JSS.  Looks straightforward enough.
Let's see if Alex wants to do that for us ;-)...

Comment 11 Christina Fu 2020-12-17 00:17:14 UTC
(In reply to Christina Fu from comment #10)
> OK, I think we just need to move ChallengePassword.java into JSS.  Looks
> straightforward enough.
> Let's see if Alex wants to do that for us ;-)...

I could fix the pki side of the code if Alex could provide ChallengePassword in JSS.  Thanks!

Comment 13 Christina Fu 2020-12-21 20:42:55 UTC
commit f667467785b1c27fe0721d8d16b72fddc331b76a (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu <cfu>
Date:   Wed Dec 16 18:53:31 2020 -0800

    Bug1664435-SCEP ChallengePassword Class not found
    
    This patch, together with the fix for "Bug1908541 jss broke SCEP - missing PasswordChallenge class", addresses the issue where the class PasswordChallenge cannot be loaded due to Class Loader differences.
      jss is installed in the common CL (/usr/share/pki/server/common/lib/jss4.jar)
      the servlet classes are in webapp CL (/usr/share/pki/server/webapps/pki/WEB-INF/lib/pki-cms.jar)
    
    In addition, this patch adds the upgrade script for the new path of ChallengePassword class which has been moved from pki into JSS.
    
    fixes https://bugzilla.redhat.com/show_bug.cgi?id=1664435
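
Added illustration, not part of the original comment and not PKI or JSS code: Java class loaders delegate upward only, so a lookup made through a parent loader cannot resolve a class that exists only in a child loader, which is the "Class Loader differences" failure the commit message describes. All names below (LoaderVisibilityDemo, ChallengeAttr, instantiate, tryLoad) are hypothetical; the JDK platform loader stands in for the common loader and the demo's own loader for the webapp loader.

```java
// Added example; hypothetical names, not PKI or JSS code. Requires Java 9+.
public class LoaderVisibilityDemo {

    // Stands in for a class that ships only in the webapp archive.
    public static class ChallengeAttr {
        @Override
        public String toString() {
            return "ChallengeAttr instance";
        }
    }

    // Mimics a library that is handed a class name (for example from an
    // attribute-name-to-class mapping) and instantiates it via one loader.
    static Object instantiate(String className, ClassLoader lookupFrom) throws Exception {
        Class<?> c = Class.forName(className, true, lookupFrom);
        return c.getDeclaredConstructor().newInstance();
    }

    // Runs the lookup and reports the outcome as text instead of throwing.
    static String tryLoad(String label, String className, ClassLoader loader) {
        try {
            return label + ": loaded " + instantiate(className, loader);
        } catch (ClassNotFoundException e) {
            return label + ": ClassNotFoundException " + e.getMessage();
        } catch (Exception e) {
            return label + ": " + e;
        }
    }

    public static void main(String[] args) {
        String name = ChallengeAttr.class.getName();
        // Child loader: the one that defined this demo's classes (webapp role).
        ClassLoader child = LoaderVisibilityDemo.class.getClassLoader();
        // Ancestor loader: it never sees classes defined further down (common role).
        ClassLoader parent = ClassLoader.getPlatformClassLoader();

        System.out.println(tryLoad("parent (common role)", name, parent));
        System.out.println(tryLoad("child (webapp role)", name, child));
    }
}
```

The lookup through the ancestor loader fails while the same name resolves through the child loader. Placing the class in the same loader as the code that resolves it, as the fix does by moving ChallengePassword into JSS, removes the mismatch.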

Comment 15 Alex Scheel 2020-12-21 21:29:35 UTC
Moved to RHEL. Fedora users: this will be addressed in the upcoming PKI release.

Comment 20 Endi Sukma Dewata 2021-02-08 21:32:36 UTC
Additional fix for v10.10 branch:
* https://github.com/dogtagpki/pki/commit/042e2b704d27924590b86d776fae19b4eb65fa19

Comment 22 shalini 2021-02-19 09:21:40 UTC
Verified the BZ on Nightly compose with following RHEL bits:

 pki-ca                            noarch  10.10.4-1.module+el8.4.0+9861+7cddd5b6        RHEL8.4-Appstream  1.0 M
 pki-kra                           noarch  10.10.4-1.module+el8.4.0+9861+7cddd5b6        RHEL8.4-Appstream  203 k
 jss                               x86_64  4.8.1-1.module+el8.4.0+9456+88377f87          RHEL8.4-Appstream  1.2 M

Successful pipeline execution:
test_pki_ca_scep_enrollment_bz_1664435_1908541: https://gitlab.cee.redhat.com/skhandel/pki-pytest-ansible/-/jobs/2990983

Marking the BZ verified.

Comment 25 errata-xmlrpc 2021-05-18 15:25:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1775

