Bug 468347 - Exception encountered when status of a revoked certificate is queried from OCSPClient tool on Fedora 8
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: OCSP Responder
Version: 1.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Andrew Wnuk
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 443788
Reported: 2008-10-24 09:03 UTC by Kashyap Chamarthy
Modified: 2015-01-04 23:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-05-12 01:06:26 UTC
Embargoed:


Attachments
OCSPClient query exception screenshot (103.50 KB, image/png)
2008-10-24 09:10 UTC, Kashyap Chamarthy

Description Kashyap Chamarthy 2008-10-24 09:03:21 UTC
Description of problem:

Encountering a "BER encoding" related exception when the status of a revoked certificate (with "key compromise" as reason) is queried via the OCSPClient tool from the terminal. (Please refer to the attached screenshot OCSPClient_error.png for the same.)


Steps to Reproduce:
1. Install OCSP responder, configure it and restart the service.
2. Revoke a couple of certificates in CA subsystem and ensure that these certificates are revoked by checking their details.
3. Push the generated CRL to the OCSP responder.
4. Use the OCSPClient tool from the terminal and query the OCSP server for the status of a revoked certificate.

Actual results:

A BER encoding related exception error is thrown, saying:

Error: org.mozilla.jss.asn1.InvalidBERException: SEQUENCE(item #0) >> End-of-file reached while decoding ASN.1 header

Expected results:
Status of the revoked certificate should be displayed as "revoked" in response to the OCSPClient query.

Additional info:

(1) All the above tasks were carried out on Fedora 8 (on a Virtual Machine).
(2) Observed the transaction, system and debug logs in /var/lib/pki-ocsp and /var/lib/pki-ca; I noticed nothing alarming.
(3) Tried with a couple of other revoked certificates, but noticed the same behaviour.

Comment 1 Kashyap Chamarthy 2008-10-24 09:10:43 UTC
Created attachment 321391
OCSPClient query exception screenshot

Comment 2 Andrew Wnuk 2009-05-12 01:06:26 UTC
Tests on OCSP:
1. Test for revoked certificate:
--------------------------------
OCSPClient a-f8.sjc.redhat.com 11180 ./db caCert 10 res_ocsp.txt 1 '/ocsp/ee/ocsp'
URI: /ocsp/ee/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4
RDKfHivNymc/Bwv/gCZ/NS0CAQo=
CertID.serialNumber=10
CertStatus=Revoked
Success: Output res_ocsp.txt

2. Test for valid certificate: 
------------------------------
OCSPClient a-f8.sjc.redhat.com 11180 ./db caCert 9 res_ocsp.txt 1 '/ocsp/ee/ocsp'
URI: /ocsp/ee/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4
RDKfHivNymc/Bwv/gCZ/NS0CAQk=
CertID.serialNumber=9
CertStatus=Good
Success: Output res_ocsp.txt

Tests on CA-OCSP:
1. Test for revoked certificate:
--------------------------------
OCSPClient a-f8.sjc.redhat.com 9180 ./db caCert 10 res_10.txt 1 '/ca/ocsp'
URI: /ca/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4
RDKfHivNymc/Bwv/gCZ/NS0CAQo=
CertID.serialNumber=10
CertStatus=Revoked
Success: Output res_10.txt

2. Test for valid certificate: 
------------------------------
OCSPClient a-f8.sjc.redhat.com 9180 ./db caCert 9 res_10.txt 1 '/ca/ocsp'
URI: /ca/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4
RDKfHivNymc/Bwv/gCZ/NS0CAQk=
CertID.serialNumber=9
CertStatus=Good
Success: Output res_10.txt

Comment 3 Kashyap Chamarthy 2009-05-12 11:30:20 UTC
Thanks Andrew. I was using the agent port (11443) instead of the ee port (11180). It works for me too.

--kashyap
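
Added example (not part of the bug report and not Dogtag or JSS code): a minimal DER reader that decodes the request blob from the "Data:" lines in Comment 2 down to its CertID, and that raises when input ends before an ASN.1 header is complete, the condition named in the reported InvalidBERException. It assumes a request with no optional version, requestorName or extensions, as in that blob; DERError and the function names are hypothetical, and the page does not show what the agent port actually returned.

```python
import base64

# "Data:" value copied from the revoked-certificate test in Comment 2.
REQ_B64 = ("MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4"
           "RDKfHivNymc/Bwv/gCZ/NS0CAQo=")

class DERError(ValueError): pass  # hypothetical name for malformed-DER errors

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    if pos + 2 > len(buf):
        raise DERError("end of input while decoding ASN.1 header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise DERError("end of input while decoding ASN.1 header")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise DERError("element value is truncated")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_cert_id(b64_text):
    """Descend OCSPRequest > TBSRequest > requestList > Request > CertID."""
    der = base64.b64decode(b64_text)
    tag, val, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise DERError("expected exactly one outer SEQUENCE")
    for _ in range(4):  # four nested SEQUENCEs lead to the CertID content
        kids = children(val)
        if not kids or kids[0][0] != 0x30:
            raise DERError("expected nested SEQUENCE")
        val = kids[0][1]
    kids = children(val)
    if [t for t, _ in kids] != [0x30, 0x04, 0x04, 0x02]:
        raise DERError("unexpected CertID layout")
    alg, name_hash, key_hash, serial = (v for _, v in kids)
    return {"hash_alg_oid": children(alg)[0][1].hex(),  # raw OID bytes, hex
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big", signed=True)}
```

`parse_cert_id(REQ_B64)` reports serial 10 with hash algorithm OID bytes `2b0e03021a` (SHA-1, 1.3.14.3.2.26), and `parse_cert_id("")` fails at the first header.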

