Bug 468347 - Exception encountered when status of a revoked certificate is queried from OCSPClient tool on Fedora 8
Status: CLOSED WORKSFORME
Product: Dogtag Certificate System
Classification: Community
Component: OCSP Responder
Version: 1.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Andrew Wnuk
Chandrasekar Kannan
Blocks: 443788
Reported: 2008-10-24 05:03 EDT by Kashyap Chamarthy
Modified: 2015-01-04 18:34 EST
Doc Type: Bug Fix
Last Closed: 2009-05-11 21:06:26 EDT


Attachments:
OCSPClient query exception screenshot (103.50 KB, image/png), 2008-10-24 05:10 EDT, Kashyap Chamarthy
Description Kashyap Chamarthy 2008-10-24 05:03:21 EDT
Description of problem:

Encountering a "BER encoding" related exception when the status of a revoked certificate (with "key compromise" as reason) is queried via the OCSPClient tool from the terminal (please refer to the attached screenshot OCSPClient_error.png for the same).


Steps to Reproduce:
1. Install OCSP responder, configure it and restart the service.
2. Revoke a couple of certificates in the CA subsystem and ensure that these certificates are revoked by checking their details.
3. Push the generated CRL to the OCSP responder.
4. Use the OCSPClient tool from the terminal and query the OCSP server for the status of a revoked certificate.

Actual results:

A BER encoding related exception error is thrown, saying:

Error: org.mozilla.jss.asn1.InvalidBERException: SEQUENCE(item #0) >> End-of-file reached while decoding ASN.1 header

Expected results:
Status of the revoked certificate should be displayed as "revoked" in response to the OCSPClient query.

Additional info:

(1) All the above tasks were carried out on Fedora 8 (on a Virtual Machine).
(2) Observed transaction, system and debug logs in /var/lib/pki-ocsp and /var/lib/pki-ca; I noticed nothing alarming.
(3) Tried with a couple of other revoked certificates, but noticed the same behaviour.
Comment 1 Kashyap Chamarthy 2008-10-24 05:10:43 EDT
Created attachment 321391 [details]
OCSPClient query exception screenshot
Comment 2 Andrew Wnuk 2009-05-11 21:06:26 EDT
Tests on OCSP:
1. Test for revoked certificate:
--------------------------------
OCSPClient a-f8.sjc.redhat.com 11180 ./db caCert 10 res_ocsp.txt 1 '/ocsp/ee/ocsp'
URI: /ocsp/ee/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4
RDKfHivNymc/Bwv/gCZ/NS0CAQo=
CertID.serialNumber=10
CertStatus=Revoked
Success: Output res_ocsp.txt

2. Test for valid certificate: 
------------------------------
OCSPClient a-f8.sjc.redhat.com 11180 ./db caCert 9 res_ocsp.txt 1 '/ocsp/ee/ocsp'
URI: /ocsp/ee/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4
RDKfHivNymc/Bwv/gCZ/NS0CAQk=
CertID.serialNumber=9
CertStatus=Good
Success: Output res_ocsp.txt

Tests on CA-OCSP:
1. Test for revoked certificate:
--------------------------------
OCSPClient a-f8.sjc.redhat.com 9180 ./db caCert 10 res_10.txt 1 '/ca/ocsp'
URI: /ca/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4
RDKfHivNymc/Bwv/gCZ/NS0CAQo=
CertID.serialNumber=10
CertStatus=Revoked
Success: Output res_10.txt

2. Test for valid certificate: 
------------------------------
OCSPClient a-f8.sjc.redhat.com 9180 ./db caCert 9 res_10.txt 1 '/ca/ocsp'
URI: /ca/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBTwwzEvJvb+882u8fzk3fbdjTmsmQQUmzo4
RDKfHivNymc/Bwv/gCZ/NS0CAQk=
CertID.serialNumber=9
CertStatus=Good
Success: Output res_10.txt
Comment 3 Kashyap Chamarthy 2009-05-12 07:30:20 EDT
Thanks Andrew. I was using the agent port (11443) instead of the EE port (11180). It works for me too.

--kashyap