Bug 441801 - pkiconsole doesn't import trusted certificate
pkiconsole doesn't import trusted certificate
Status: CLOSED WONTFIX
Product: Dogtag Certificate System
Classification: Community
Component: Console (Show other bugs)
1.0
All Linux
medium Severity low
: 1.0
: ---
Assigned To: Andrew Wnuk
Chandrasekar Kannan
:
Depends On:
Blocks: 445047
  Show dependency treegraph
 
Reported: 2008-04-10 04:38 EDT by Jonathan Barber
Modified: 2015-01-04 18:31 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-06 14:50:12 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
CA cert that fails to import (2.73 KB, text/plain)
2008-04-10 04:38 EDT, Jonathan Barber
no flags Details

  None (edit)
Description Jonathan Barber 2008-04-10 04:38:52 EDT
Description of problem:
When adding a trusted CA certificate chain (consisting of a single self signed
cert) the pkiconsole fails with error message "Certificate Error: Failed to decode"

Additionaly, PrettyPrintCert raises an exception:
# PrettyPrintCert lifesci-cacert.pem
PrettyPrintCert:  Error encountered on parsing certificate :
java.security.cert.CertificateParsingException: java.io.IOException:
java.io.IOException:
IssuerAlternativeNameExtensionnetscape.security.x509.GeneralNamesException: No
data available in passed DER encoded value.
null

the tool "pp" displays the certificate correctly, and certutil can import it
into the certificate database.

Suggests a bug in the java code?

Version-Release number of selected component (if applicable):
pki-java-tools-1.0.0-1.fc8
pki-console-1.0.0-1.fc8

How reproducible:
Always.

Steps to Reproduce:
1. Run above PrettyPrintCert with the attached certificate
  
Actual results:
Nothing

Expected results:
Certificate to be imported into the DB.

Additional info:
Comment 1 Jonathan Barber 2008-04-10 04:38:52 EDT
Created attachment 301953 [details]
CA cert that fails to import
Comment 2 Jonathan Barber 2008-04-10 04:52:45 EDT
# java -version
java version "1.7.0"
IcedTea Runtime Environment (build 1.7.0-b21)
IcedTea Client VM (build 1.7.0-b21, mixed mode)
Comment 3 Jonathan Barber 2008-04-10 04:59:07 EDT
pp reports of the cert that:

            Name: Certificate Issuer Alt Name
            Error: Parsing extension: Certificate extension value is invalid.
            Data: Sequence {
            }

openssl shows:
             X509v3 Issuer Alternative Name:
                <EMPTY>

I guess this is where the uncaught exception in the java is coming from.
Comment 8 Andrew Wnuk 2008-10-09 20:31:37 EDT
1. Fix provided in 439027 is addressing the issue related to importing
   trusted CA certificate chain via CA console.
2. Attached certificate does not comply with RFC 5280 therefore is rejected.
   RFC 5280 (http://www.ietf.org/rfc/rfc5280.txt):
     4.2.1.7.  Issuer Alternative Name
       ...
       IssuerAltName ::= GeneralNames
       GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

   dumpasn1 output:
     ...
     1327    3:           OBJECT IDENTIFIER issuerAltName (2 5 29 18)
              :             (X.509 id-ce (2 5 29))
     1332    2:           OCTET STRING, encapsulates {
     1334    0:             SEQUENCE {}
              :             }
              :           }


PrettyPrintCert should gracefully handle IssuerAltName containing no GeneralName.
Comment 10 Jenny Galipeau 2009-06-11 15:06:43 EDT
1. Console errors importing attached CA certificate Certificate Error: Failed to decode.

2. PrettyPrintCert still throws exception.

[root@qe-blade-11 jgalipea]# PrettyPrintCert cert 
PrettyPrintCert:  Error encountered on parsing certificate :
java.security.cert.CertificateParsingException: java.io.IOException: java.io.IOException: IssuerAlternativeNameExtensionnetscape.security.x509.GeneralNamesException: No data available in passed DER encoded value.
null
Comment 11 Chandrasekar Kannan 2009-06-25 15:31:11 EDT
this needs to be in new state for the developer to pick it up

Note You need to log in before you can comment on or make changes to this bug.