Bug 441801 - pkiconsole doesn't import trusted certificate
Summary: pkiconsole doesn't import trusted certificate
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Console
Version: 1.0
Hardware: All
OS: Linux
medium
low
Target Milestone: 1.0
Assignee: Andrew Wnuk
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 445047
TreeView+ depends on / blocked
 
Reported: 2008-04-10 08:38 UTC by Jonathan Barber
Modified: 2015-01-04 23:31 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-11-06 19:50:12 UTC
Embargoed:

Attachments (Terms of Use)
CA cert that fails to import (2.73 KB, text/plain)
2008-04-10 08:38 UTC, Jonathan Barber 		no flags Details
View All

Description Jonathan Barber 2008-04-10 08:38:52 UTC 
Description of problem:
When adding a trusted CA certificate chain (consisting of a single self signed
cert) the pkiconsole fails with error message "Certificate Error: Failed to decode"

Additionaly, PrettyPrintCert raises an exception:
# PrettyPrintCert lifesci-cacert.pem
PrettyPrintCert:  Error encountered on parsing certificate :
java.security.cert.CertificateParsingException: java.io.IOException:
java.io.IOException:
IssuerAlternativeNameExtensionnetscape.security.x509.GeneralNamesException: No
data available in passed DER encoded value.
null

the tool "pp" displays the certificate correctly, and certutil can import it
into the certificate database.

Suggests a bug in the java code?

Version-Release number of selected component (if applicable):
pki-java-tools-1.0.0-1.fc8
pki-console-1.0.0-1.fc8

How reproducible:
Always.

Steps to Reproduce:
1. Run above PrettyPrintCert with the attached certificate
  
Actual results:
Nothing

Expected results:
Certificate to be imported into the DB.

Additional info:
Comment 1 Jonathan Barber 2008-04-10 08:38:52 UTC 
Created attachment 301953 [details]
CA cert that fails to import
Comment 2 Jonathan Barber 2008-04-10 08:52:45 UTC 
# java -version
java version "1.7.0"
IcedTea Runtime Environment (build 1.7.0-b21)
IcedTea Client VM (build 1.7.0-b21, mixed mode)
Comment 3 Jonathan Barber 2008-04-10 08:59:07 UTC 
pp reports of the cert that:

            Name: Certificate Issuer Alt Name
            Error: Parsing extension: Certificate extension value is invalid.
            Data: Sequence {
            }

openssl shows:
             X509v3 Issuer Alternative Name:
                <EMPTY>

I guess this is where the uncaught exception in the java is coming from.
Comment 8 Andrew Wnuk 2008-10-10 00:31:37 UTC 
1. Fix provided in 439027 is addressing the issue related to importing
   trusted CA certificate chain via CA console.
2. Attached certificate does not comply with RFC 5280 therefore is rejected.
   RFC 5280 (http://www.ietf.org/rfc/rfc5280.txt):
     4.2.1.7.  Issuer Alternative Name
       ...
       IssuerAltName ::= GeneralNames
       GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

   dumpasn1 output:
     ...
     1327    3:           OBJECT IDENTIFIER issuerAltName (2 5 29 18)
              :             (X.509 id-ce (2 5 29))
     1332    2:           OCTET STRING, encapsulates {
     1334    0:             SEQUENCE {}
              :             }
              :           }


PrettyPrintCert should gracefully handle IssuerAltName containing no GeneralName.
Comment 10 Jenny Severance 2009-06-11 19:06:43 UTC 
1. Console errors importing attached CA certificate Certificate Error: Failed to decode.

2. PrettyPrintCert still throws exception.

[root@qe-blade-11 jgalipea]# PrettyPrintCert cert 
PrettyPrintCert:  Error encountered on parsing certificate :
java.security.cert.CertificateParsingException: java.io.IOException: java.io.IOException: IssuerAlternativeNameExtensionnetscape.security.x509.GeneralNamesException: No data available in passed DER encoded value.
null
Comment 11 Chandrasekar Kannan 2009-06-25 19:31:11 UTC 
this needs to be in new state for the developer to pick it up
Note You need to log in before you can comment on or make changes to this bug.