Bug 454559 - OCSP returns a nullpointer exception if the request is not provided as a parameter in the GET operation
OCSP returns a nullpointer exception if the request is not provided as a para...
Status: ASSIGNED
Product: Dogtag Certificate System
Classification: Community
Component: OCSP Responder (Show other bugs)
1.0
All Linux
low Severity low
: ---
: ---
Assigned To: Matthew Harmsen
:
Depends On:
Blocks: 445047
  Show dependency treegraph
 
Reported: 2008-07-08 19:38 EDT by Matthew Harmsen
Modified: 2015-06-03 10:36 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
DOGTAG 1.0: pki-common-1.0.0-ocsp-null-get.patch (1.70 KB, text/plain)
2008-07-08 19:40 EDT, Matthew Harmsen
no flags Details
Dogtag spec file changes for pki-common (1002 bytes, text/plain)
2008-07-08 20:34 EDT, Matthew Harmsen
no flags Details

  None (edit)
Description Matthew Harmsen 2008-07-08 19:38:03 EDT
If the OCSP client just submits an OCSP request via the GET method without
submitting the request along, the server will yield a NullPointerException.
Comment 1 Matthew Harmsen 2008-07-08 19:40:54 EDT
Created attachment 311325 [details]
DOGTAG 1.0:  pki-common-1.0.0-ocsp-null-get.patch
Comment 2 Andrew Wnuk 2008-07-08 19:43:51 EDT
attachment (id=311325) +awnuk
Comment 3 Matthew Harmsen 2008-07-08 20:09:05 EDT
Checking into trunk:

svn status
M      base/common/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java

svn commit base/common/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java
Sending        base/common/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java
Transmitting file data .
Committed revision 65.
Comment 4 Matthew Harmsen 2008-07-08 20:34:32 EDT
Created attachment 311332 [details]
Dogtag spec file changes for pki-common
Comment 5 Andrew Wnuk 2008-07-08 20:36:25 EDT
attachment (id=311332) +awnuk
Comment 6 Matthew Harmsen 2008-07-08 20:41:09 EDT
Checking into trunk:

svn status
M      linux/common/pki-common.spec

svn commit linux/common/pki-common.spec
Sending        linux/common/pki-common.spec
Transmitting file data .
Committed revision 66.
Comment 7 Chandrasekar Kannan 2008-08-26 20:29:24 EDT
Bug already MODIFIED. setting target CS8.0 and marking screened+
Comment 8 Kashyap Chamarthy 2009-06-21 09:33:07 EDT
--------------------------------
OCSP client
[root@pkiserv export]# OCSPClient pkiserv.pnq.redhat.com 11180 /var/lib/pki-ca/alias/ 'caSigningCert cert-pki-ca' 15 /export/ocspbin 1 
URI: /ocsp/ee/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
sA2M01FNxjpKfqWl74TldtECAQ8=
CertID.serialNumber=15
CertStatus=Revoked
Success: Output /export/ocspbin
---------------------------------

 I tried with the below url from the browser (am I going the right way here )

---------
http://OCSPClient pkiserv.pnq.redhat.com:11180/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
---------

Result: No response from the browser about the state of the certificate

ocsp debug log says: 

[21/Jun/2009:18:29:06][http-11444-Processor25]: OCSPServlet: java.io.EOFException


Note:
-----
=>AIA extension is set to http://pkiserv.pnq.redhat.com:11180/ocsp/ee/ocsp

=>When I manually verify the certificate from browser Edit ->Preferences->View Certificates->Your Certificates->"Select the revoked user certificate->View

Certificate viewer says  "Could not verify this certificate for unknown reasons" - which is successful behaviour fora a revoked cert.
=>


===================================
[root@pkiserv ~]# tail -15 /var/log/pki-ocsp/debug 
[21/Jun/2009:18:29:06][http-11444-Processor25]: evaluating expressions: ipaddress=".*"
[21/Jun/2009:18:29:06][http-11444-Processor25]: evaluated expression: ipaddress=".*" to be true
[21/Jun/2009:18:29:06][http-11444-Processor25]: DirAclAuthz: authorization passed
[21/Jun/2009:18:29:06][http-11444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][aclResource=certServer.ee.request.ocsp][Op=submit] authorization success

[21/Jun/2009:18:29:06][http-11444-Processor25]: getConn: mNumConns now 2
[21/Jun/2009:18:29:06][http-11444-Processor25]: returnConn: mNumConns now 3
[21/Jun/2009:18:29:06][http-11444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=$NonRoleUser$][Outcome=Success][Role=<null>] assume privileged role

[21/Jun/2009:18:29:06][http-11444-Processor25]: Servlet Path=/ee/ocsp
[21/Jun/2009:18:29:06][http-11444-Processor25]: RequestURI=/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
[21/Jun/2009:18:29:06][http-11444-Processor25]: PathInfo=/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
[21/Jun/2009:18:29:06][http-11444-Processor25]: Method=GET
[21/Jun/2009:18:29:06][http-11444-Processor25]: OCSPServlet: java.io.EOFException
[21/Jun/2009:18:29:06][http-11444-Processor25]: CMSServlet: curDate=Sun Jun 21 18:29:06 IST 2009 id=ocspOCSP time=5
[root@pkiserv ~]# 

=====================================================
Via Wget:

Result: In debug log  [21/Jun/2009:18:58:44][http-11180-Processor24]: OCSPServlet: java.io.EOFException


[root@pkiserv ca]# wget --no-check-certificate  http://OCSPClient pkiserv.pnq.redhat.com:11180/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
--18:58:44--  http://ocspclient/
Resolving ocspclient... failed: Temporary failure in name resolution.
--18:58:44--  http://pkiserv.pnq.redhat.com:11180/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
Resolving pkiserv.pnq.redhat.com... 192.168.63.128
Connecting to pkiserv.pnq.redhat.com|192.168.63.128|:11180... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0
Saving to: `MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD'

    [ <=>                                                                                                                 ] 0           --.-K/s   in 0s     

18:58:44 (0.00 B/s) - `MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD' saved [0/0]
=============================================

Note You need to log in before you can comment on or make changes to this bug.