Bug 439052 - CMC CRMF requests cause exception in logging: Unmatched braces in the pattern
CMC CRMF requests cause exception in logging: Unmatched braces in the pattern
Product: Dogtag Certificate System
Classification: Community
Component: Certificate Manager (Show other bugs)
x86_64 Linux
medium Severity low
: 1.0
: ---
Assigned To: Christina Fu
Chandrasekar Kannan
Depends On:
Blocks: 443788
  Show dependency treegraph
Reported: 2008-03-26 14:18 EDT by David Stutzman
Modified: 2015-01-05 20:18 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-07-22 19:27:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
agent certificate that signed CMC request (1.33 KB, text/plain)
2008-03-26 14:18 EDT, David Stutzman
no flags Details
sub-ca that signed agent cert (1.58 KB, application/x-x509-ca-cert)
2008-03-26 14:19 EDT, David Stutzman
no flags Details
root ca that signed sub-ca (1.23 KB, application/x-x509-ca-cert)
2008-03-26 14:20 EDT, David Stutzman
no flags Details
cmc request, base64 encoded, you can paste this into the form in ee interface to kick off error (2.56 KB, text/plain)
2008-03-26 14:22 EDT, David Stutzman
no flags Details
debug log from CA during the problematic CMC request processing (8.54 KB, text/plain)
2008-04-01 07:16 EDT, David Stutzman
no flags Details
another bad one with the name requested (Christopher) (2.55 KB, text/plain)
2008-04-03 14:08 EDT, David Stutzman
no flags Details
a good request (Christohpe) (2.55 KB, text/plain)
2008-04-03 14:08 EDT, David Stutzman
no flags Details
fix (2.51 KB, application/octet-stream)
2008-04-04 13:25 EDT, Christina Fu
no flags Details
try again... to make it recognized as text file (2.51 KB, patch)
2008-04-04 14:15 EDT, Christina Fu
no flags Details | Diff

  None (edit)
Description David Stutzman 2008-03-26 14:18:52 EDT
Description of problem:
When I submit some CMC requests to the CA, I get an error that appears to be
audit log related. 

Version-Release number of selected component (if applicable):
Dogtag 1.0.0

How reproducible:

Steps to Reproduce:
1. Go to the end-entity url for the CA instance in question (e.g.,
2. Choose the Signed CMC-Authenticated User Certificate Enrollment profile
3. Paste in my problematic CMC request (attached) and submit it
4. error will be presented on the following page
Actual results:
The next page shows the following text after pressing submit:
"The Certificate System has encountered an unrecoverable error.

Error Message:
java.lang.IllegalArgumentException: Unmatched braces in the pattern.

Please contact your local administrator for assistance."

The CA does not appear to issue a certificate for the request.

Here's the stack trace from catalina.out:
Mar 26, 2008 1:58:39 PM org.apache.catalina.core.ApplicationContext log
INFO: caProfileSubmit: java.lang.IllegalArgumentException: Unmatched braces in
the pattern.
        at java.text.MessageFormat.applyPattern(MessageFormat.java:494)
        at java.text.MessageFormat.<init>(MessageFormat.java:368)
        at com.netscape.cms.logging.LogFile.logEvt2String(LogFile.java:1050)
        at com.netscape.cms.logging.LogFile.log(LogFile.java:1029)
        at com.netscape.cms.logging.RollingLogFile.log(RollingLogFile.java:458)
        at com.netscape.cmscore.logging.LogQueue.log(LogQueue.java:104)
        at com.netscape.cmscore.logging.Logger.log(Logger.java:205)
        at com.netscape.cmscore.logging.Logger.log(Logger.java:127)
        at com.netscape.cms.authentication.CMCAuth.audit(CMCAuth.java:994)
        at com.netscape.cms.authentication.CMCAuth.authenticate(CMCAuth.java:617)
        at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:482)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
        at java.lang.Thread.run(Thread.java:675)

Expected results:
no error, certificate issued

Additional info:
Comment 1 David Stutzman 2008-03-26 14:18:52 EDT
Created attachment 299207 [details]
agent certificate that signed CMC request
Comment 2 David Stutzman 2008-03-26 14:19:49 EDT
Created attachment 299208 [details]
sub-ca that signed agent cert
Comment 3 David Stutzman 2008-03-26 14:20:31 EDT
Created attachment 299209 [details]
root ca that signed sub-ca
Comment 4 David Stutzman 2008-03-26 14:22:12 EDT
Created attachment 299210 [details]
cmc request, base64 encoded, you can paste this into the form in ee interface to kick off error
Comment 5 Christina Fu 2008-03-31 18:00:18 EDT
Hi, I tried successfully in enrolling for a signed CMC request on my development
machine, both with an agent cert off of a root CA, and with an agent cert off of
a subordinate CA.  In other words, I could not reproduce your problem.
In order to help you further, I need a few more pieces of information just to
see if I can reproduce the problem you are seeing:

1. Did you customize the CS.cfg, especially in regard to auditing?  If so,
please attach a copy of your CS.cfg
2. How did you generate the CMC request?  Please list step by step procedure.
3. Please supply more debug log messages surrounding the error, to give me more
context on where the error occured.
4. Did you modify the CMC enrollment profile?  If you did, please attach the new
Comment 6 David Stutzman 2008-04-01 07:16:06 EDT
1. I haven't manually edited CS.cfg
2. CMC requests were created with a java application (we wrote) using JSS
libraries.  I'd be happy to send you the code for the request generation, but
I'd prefer not to post it on here publicly.
3. logs: <see below>
4. No,  The only thing I did to the CA was enroll it as a sub-ca to our root,
add another sub-ca (a "peer" of this one) that my agent certificate was issued
from and added myself and my cert as an agent so I could authenticate.  The ee
webpage I reference in the original bug report and below uses the caCMCUserCert
profile.  We use the caProfileSubmitCMCFull servlet (defined in
/var/lib/pki-<instance>/webapps/ca/WEB-INF/web.xml) which uses the
caFullCMCUserCert profile by default.

I could have been a little more complete in my description.  We have an
application that generates keys and certificate requests, inserts the CSRs into
agent-signed CMC requests, sends them to the CMC servlet and parses the CMC
responses from the CA.  For the vast majority of requests we send, everything
works fine.  There are just a few that seem to consistently cause this error to
occur.  As I said above, in operation we don't use the 'Signed CMC-Authenticated
User Certificate Enrollment" webpage and paste in the Base64, however, the same
result is obtained (the error).  I attached a sample CMC request along with the
certs needed to be added to the CA to allow the agent to be added so my specific
request could be tested.  If you guys want/need, I can give you more requests
that cause the same problem.  As far as we can see, it's just slight variations
in the DN that cause the problem and we're only using ascii characters, numbers,
periods, commas, and equal signs in the DNs.  For example:
CN=XBaron.Christopher.G.1111111115,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US
CN=XBaron.Christophe.G.1111111115,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US
As you can see the only difference is the r at the end of the first name being
there or not.  The first DN will cause the unmatched braces error, the second
will not.  Length doesn't appear to be the issue as I just tested one
successfully with a 72 char CN vs the 31 that the XBaron example above has.

I've added new attachment for the debug log at the time of issuance.
- access log has the following lines for that time: - - [01/Apr/2008:06:55:37 -0400] "POST /ca/ee/ca/profileSubmit
HTTP/1.1" 200 272 - - [01/Apr/2008:06:55:37 -0400] "GET /favicon.ico HTTP/1.1" 404 988 - - [01/Apr/2008:06:55:37 -0400] "GET /favicon.ico HTTP/1.1" 404 988
- system has the following line
5637.http-9443-Processor25 - [01/Apr/2008:06:55:37 EDT] [6] [3] Agent
authentication cannot evaluate the revocation status.
- the signed audit log doesn't have anything for that time as that is where the
error is occurring.  The signed audit log uses a lot of braces in it.
- the only things in catalina.out besides the stacktraces for the unmatched
braces are the tomcat startup messages

As I said before, I can generate up sample signed CMC requests, both good and
bad, if you would like them for testing.  If you want more, let me know if you
prefer base64 or DER encoding.

I don't know what tools you have available, but I typically parse the binary CMC
request using Peter Gutman's dumpasn1 utility
(http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c).  You can convert the
attached base64 request to binary using openssl (openssl base64 -d -in cmc.b64
-out cmc.bin).
Comment 7 David Stutzman 2008-04-01 07:16:56 EDT
Created attachment 299878 [details]
debug log from CA during the problematic CMC request processing
Comment 8 Christina Fu 2008-04-03 13:02:09 EDT
Can you also give me the base-64 encoded cmc request that works (the one with
one less letter, "Christophe") just for me to compare with?
I was able to see the error(s) with your other CMC request, but with my own CMC
generation tool, with the same subject DN, I can't reproduce that.
Comment 9 David Stutzman 2008-04-03 14:08:29 EDT
Created attachment 300294 [details]
another bad one with the name requested (Christopher)
Comment 10 David Stutzman 2008-04-03 14:08:58 EDT
Created attachment 300295 [details]
a good request (Christohpe)
Comment 11 Christina Fu 2008-04-04 13:25:17 EDT
Created attachment 301315 [details]

note that this problem only affected CMC CRMF enrollment requests. This fix
fixes this.
Comment 12 Jack Magne 2008-04-04 13:30:00 EDT
id: 301315 jmagne+
Comment 13 Christina Fu 2008-04-04 13:41:53 EDT
[cfu@jaw pki]$ svn status | grep -v ^$ | grep -v ^P | grep -v ^X
M      linux/common/pki-common.spec
M      base/common/src/com/netscape/cms/authentication/CMCAuth.java
[cfu@jaw pki]$ svn commit
Sending        base/common/src/com/netscape/cms/authentication/CMCAuth.java
Sending        linux/common/pki-common.spec
Transmitting file data ..
Committed revision 16.
Comment 14 Christina Fu 2008-04-04 14:15:20 EDT
Created attachment 301317 [details]
try again... to make it recognized as text file
Comment 15 Matthew Harmsen 2008-04-04 15:34:30 EDT
The following new packages have been pushed:

32-bit RPMS:


64-bit RPMS:



Comment 16 David Stutzman 2008-04-07 07:05:34 EDT
I tested the new rpm this morning doing both the "cut and paste" and using our
application going straight to the CMC servlet and both worked fine with the
entries that were previously *always* giving us errors.
Comment 17 Chandrasekar Kannan 2008-08-26 20:27:29 EDT
Bug already MODIFIED. setting target CS8.0 and marking screened+

Note You need to log in before you can comment on or make changes to this bug.