If the OCSP client just submits an OCSP request via the GET method without submitting the request along, the server will yield a NullPointerException.
Created attachment 311325 DOGTAG 1.0: pki-common-1.0.0-ocsp-null-get.patch
attachment (id=311325) +awnuk
Checking into trunk:

svn status
M base/common/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java
svn commit base/common/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java
Sending base/common/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java
Transmitting file data .
Committed revision 65.
Created attachment 311332 Dogtag spec file changes for pki-common
attachment (id=311332) +awnuk
Checking into trunk:

svn status
M linux/common/pki-common.spec
svn commit linux/common/pki-common.spec
Sending linux/common/pki-common.spec
Transmitting file data .
Committed revision 66.

Bug already MODIFIED. Setting target CS8.0 and marking screened+
--------------------------------
OCSP client

[root@pkiserv export]# OCSPClient pkiserv.pnq.redhat.com 11180 /var/lib/pki-ca/alias/ 'caSigningCert cert-pki-ca' 15 /export/ocspbin 1
URI: /ocsp/ee/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
sA2M01FNxjpKfqWl74TldtECAQ8=
CertID.serialNumber=15
CertStatus=Revoked
Success: Output /export/ocspbin
---------------------------------

I tried with the below URL from the browser (am I going the right way here?)
---------
http://OCSPClient pkiserv.pnq.redhat.com:11180/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
---------
Result: No response from the browser about the state of the certificate

OCSP debug log says:
[21/Jun/2009:18:29:06][http-11444-Processor25]: OCSPServlet: java.io.EOFException

Note:
-----
=> AIA extension is set to http://pkiserv.pnq.redhat.com:11180/ocsp/ee/ocsp
=> When I manually verify the certificate from browser Edit -> Preferences -> View Certificates -> Your Certificates -> "Select the revoked user certificate" -> View, Certificate viewer says "Could not verify this certificate for unknown reasons" - which is successful behaviour for a revoked cert.
=>
===================================
[root@pkiserv ~]# tail -15 /var/log/pki-ocsp/debug
[21/Jun/2009:18:29:06][http-11444-Processor25]: evaluating expressions: ipaddress=".*"
[21/Jun/2009:18:29:06][http-11444-Processor25]: evaluated expression: ipaddress=".*" to be true
[21/Jun/2009:18:29:06][http-11444-Processor25]: DirAclAuthz: authorization passed
[21/Jun/2009:18:29:06][http-11444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][aclResource=certServer.ee.request.ocsp][Op=submit] authorization success
[21/Jun/2009:18:29:06][http-11444-Processor25]: getConn: mNumConns now 2
[21/Jun/2009:18:29:06][http-11444-Processor25]: returnConn: mNumConns now 3
[21/Jun/2009:18:29:06][http-11444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=$NonRoleUser$][Outcome=Success][Role=<null>] assume privileged role
[21/Jun/2009:18:29:06][http-11444-Processor25]: Servlet Path=/ee/ocsp
[21/Jun/2009:18:29:06][http-11444-Processor25]: RequestURI=/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
[21/Jun/2009:18:29:06][http-11444-Processor25]: PathInfo=/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
[21/Jun/2009:18:29:06][http-11444-Processor25]: Method=GET
[21/Jun/2009:18:29:06][http-11444-Processor25]: OCSPServlet: java.io.EOFException
[21/Jun/2009:18:29:06][http-11444-Processor25]: CMSServlet: curDate=Sun Jun 21 18:29:06 IST 2009 id=ocspOCSP time=5
[root@pkiserv ~]#
=====================================================

Via Wget:

Result: In debug log
[21/Jun/2009:18:58:44][http-11180-Processor24]: OCSPServlet: java.io.EOFException

[root@pkiserv ca]# wget --no-check-certificate http://OCSPClient pkiserv.pnq.redhat.com:11180/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
--18:58:44-- http://ocspclient/
Resolving ocspclient... failed: Temporary failure in name resolution.
--18:58:44-- http://pkiserv.pnq.redhat.com:11180/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
Resolving pkiserv.pnq.redhat.com... 192.168.63.128
Connecting to pkiserv.pnq.redhat.com|192.168.63.128|:11180... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0
Saving to: `MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD'

[ <=> ] 0 --.-K/s in 0s

18:58:44 (0.00 B/s) - `MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD' saved [0/0]
=============================================
https://bugzilla.redhat.com/show_bug.cgi?id=238514#c16
https://bugzilla.redhat.com/show_bug.cgi?id=306091#c17
https://bugzilla.redhat.com/show_bug.cgi?id=306091#c37
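An added example, not part of the original bug comments or the Dogtag code: a Python check that decodes the PathInfo of an OCSP GET in the RFC 6960 Appendix A form (URL-encoded base64 of the DER request) and compares the decoded size with the length declared by the outer DER SEQUENCE. The function names are hypothetical, and joining the two printed "Data:" lines into one base64 string is an assumption that matches the reported "Data Length: 68".

```python
import base64
from urllib.parse import quote, unquote

# Base64 request as printed by OCSPClient in the test above (two lines joined).
FULL_B64 = ("MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD"
            "sA2M01FNxjpKfqWl74TldtECAQ8=")
# Value that appears in the browser/wget URL and in the PathInfo log line:
# only the first 64 characters of the base64 text.
PASTED_B64 = FULL_B64[:64]


def der_declared_length(der: bytes) -> int:
    """Total size (header + content) declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad or truncated length octets")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_get_path(path_info: str):
    """Decode an OCSP GET PathInfo; return (complete, actual, declared)."""
    if not path_info or path_info == "/":
        raise ValueError("GET carries no OCSP request in the path")
    b64 = unquote(path_info.lstrip("/"))  # unquote() leaves '+' untouched
    der = base64.b64decode(b64, validate=True)
    declared = der_declared_length(der)
    return len(der) == declared, len(der), declared


def build_get_path(b64_request: str) -> str:
    """URL-encode the base64 so '+', '/' and '=' survive in the request path."""
    return "/" + quote(b64_request, safe="")


if __name__ == "__main__":
    print("pasted path :", check_get_path("/" + PASTED_B64))
    good = build_get_path(FULL_B64)
    print("encoded path:", good)
    print("full request:", check_get_path(good))
```

For the path used in the browser and wget tests the check reports 48 decoded bytes against 68 declared, so the request body ends before the structure it announces; the URL-encoded full value decodes to all 68 bytes.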