Bug 489342 - com.netscape.cms.servlet.common.CMCOutputTemplate.java doesn't support EC
com.netscape.cms.servlet.common.CMCOutputTemplate.java doesn't support EC
Status: CLOSED CURRENTRELEASE
Product: Dogtag Certificate System
Classification: Community
Component: Certificate Manager (Show other bugs)
1.0
All Linux
high Severity medium
: ---
: ---
Assigned To: Christina Fu
Chandrasekar Kannan
:
Depends On:
Blocks: 445047
  Show dependency treegraph
 
Reported: 2009-03-09 11:56 EDT by David Stutzman
Modified: 2015-01-05 20:17 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-04 16:08:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
DER encoded CMC enrollment request containing a CRMF certificate request with a P384 EC key. The SignerInfo of the CMC request was created with RSA credentials (1.87 KB, application/octet-stream)
2009-03-09 11:56 EDT, David Stutzman
no flags Details
Base64 version of attachment 334549 (2.57 KB, text/plain)
2009-03-09 12:03 EDT, David Stutzman
no flags Details
add EC key type branch to if block (897 bytes, text/plain)
2010-04-29 07:47 EDT, David Stutzman
no flags Details

  None (edit)
Description David Stutzman 2009-03-09 11:56:21 EDT
Created attachment 334549 [details]
DER encoded CMC enrollment request containing a CRMF certificate request with a P384 EC key.  The SignerInfo of the CMC request was created with RSA credentials

Description of problem:
I sent a binary CMC request to the cmc servlet and received an error, I tracked the problem to the com.netscape.cms.servlet.common.CMCOutputTemplate.java class which doesn't seem to support EC keys as it has an if/else block that checks for DSA and RSA then throws an error.

Version-Release number of selected component (if applicable):
svn HEAD

Steps to Reproduce:
1. send the bytes included in the attachment which is a binary CMC request to the cmc servlet: https://<ca>:<port>/ca/ee/ca/profileSubmitCMCFull
2. the following shows up in debug log:
[09/Mar/2009:11:33:37][http-9443-Processor25]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitCMCFull
[09/Mar/2009:11:33:37][http-9443-Processor25]: CMSServlet: caProfileSubmitCMCFull start to service.
[09/Mar/2009:11:33:37][http-9443-Processor25]: Start of Input Parameters
[09/Mar/2009:11:33:37][http-9443-Processor25]: End of Input Parameters
[09/Mar/2009:11:33:37][http-9443-Processor25]: ProfileSubmitServlet: start serving
[09/Mar/2009:11:33:37][http-9443-Processor25]: ProfileSubmitServlet: SubId=profile
[09/Mar/2009:11:33:37][http-9443-Processor25]: ProfileSubmitServlet: profileId caFullCMCUserCert
[09/Mar/2009:11:33:37][http-9443-Processor25]: ProfileSubmitServlet: authenticator CMCAuth found
[09/Mar/2009:11:33:37][http-9443-Processor25]: ProfileSubmistServlet: set Inputs into Context
[09/Mar/2009:11:33:37][http-9443-Processor25]: ProfileSubmitServlet: set sslClientCertProvider
[09/Mar/2009:11:33:37][http-9443-Processor25]: CMCAuth: start checking signature
[09/Mar/2009:11:33:37][http-9443-Processor25]: CMCAuth: verifying signature with public key
[09/Mar/2009:11:33:37][http-9443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$] agent pre-approved CMC request signature verification
[09/Mar/2009:11:33:37][http-9443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$] agent pre-approved CMC request signature verification
[09/Mar/2009:11:33:37][http-9443-Processor25]: CMCOutputTemplate::getContentInfo() - signAlg is unsupported!
[09/Mar/2009:11:33:37][http-9443-Processor25]: ProfileSubmitServlet: authentication error Invalid Credential.
[09/Mar/2009:11:33:37][http-9443-Processor25]: CMSServlet: curDate=Mon Mar 09 11:33:37 EDT 2009 id=caProfileSubmitCMCFull time=11
3. the offending if/else block in the CMCOutputTemplate.java (
https://pki.fedoraproject.org/svn/pki/trunk/pki/base/common/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java):
CryptoManager.getInstance().findPrivKeyByCert(x509CAcert);
org.mozilla.jss.crypto.PrivateKey.Type keyType = privKey.getType();

if( keyType.equals( org.mozilla.jss.crypto.PrivateKey.RSA ) ) {
     signAlg = SignatureAlgorithm.RSASignatureWithSHA1Digest;
} else if( keyType.equals( org.mozilla.jss.crypto.PrivateKey.DSA ) ) {
     signAlg = SignatureAlgorithm.DSASignatureWithSHA1Digest;
} else {
     CMS.debug( "CMCOutputTemplate::getContentInfo() - "
                 + "signAlg is unsupported!" );
     return null;
}
Comment 1 David Stutzman 2009-03-09 12:02:59 EDT
I'm attaching the same CMC request base64 encoded.  You can paste this one into one of the enrollment web pages.  Choose the "Signed CMC-Authenticated User Certificate Enrollment" profile and paste in the contents of this new attachment and you should hit the same error through a different code path.
Comment 2 David Stutzman 2009-03-09 12:03:49 EDT
Created attachment 334551 [details]
Base64 version of attachment 334549 [details]
Comment 3 David Stutzman 2010-04-29 07:47:41 EDT
Created attachment 410076 [details]
add EC key type branch to if block

So I just added 2 lines to the if block that checks for key type to account for EC and now pasting a CMC request into the web form for the "Signed CMC-Authenticated User Certificate Enrollment" profile correctly issues the certificate.
Comment 4 David Stutzman 2010-08-23 10:15:08 EDT
I can add that I have now successfully tested this using the binary CMC servlet interface (https://<ca machine>:9444/ca/ee/ca/profileSubmitCMCFull) and things are working properly there as well.
Comment 5 Christina Fu 2010-09-14 15:57:43 EDT
Hi David, I'm finally coming around to this one.
It's good that you seemed to have found a fix.  However, I have a few questions:
1. The debug messages you have in Description is quite curious. It showed that the code failed CMC_SIGNED_REQUEST_SIG_VERIFY and yet it continued on to run and got to CMCOutputTemplate::getContentInfo().  I'm wondering if you have customized the code or we have something faulty in there.
2. I was trying to find an easier way to reproduce the issue (not having your cert/keys etc.). I turned off authentication and authorization (without changing/fixing CMCOutputTemplate.java, and submitted the base64 encoding you attached.  The cert was issued successfully.  I wonder if this went through different path.
3. Could you maybe let me know how exactly your request was generated and how it was submitted?

thanks,
Christina
Comment 6 Christina Fu 2010-09-16 01:46:04 EDT
My investigation result shows the following:
* The B64 blob pasted into enroll page goes through ProfileSubmitServlet
* The binary I submitted via ProfileSubmitCMCServlet

Both when bypassing authentication and authorization got through the issuance.
Upon closer examination, I found that in order to hit the code in question, the CA has to have an EC signing cert.
Comment 7 David Stutzman 2010-09-16 13:12:22 EDT
Yes, sorry, if that wasn't clear in the initial report, but as you mentioned in comment 6 the situation occurs when the CA has an EC signing key.  
While creating the CMC response, it needs to sign it and the CMCOutputTemplate is only RSA/DSA aware and throws up when it encounters the CA's EC signing key.  Also, for any CMC response, it's hard coded to use <Asymmetric alg>withSHA1 as the signature algorithm.  Maybe it would be possible to add a setting in CS.cfg to specify the signature algorithm that's used whenever a CMC structure needs to be signed or alternately use the CA's signing certificate sig. alg?
Comment 8 Christina Fu 2010-09-16 13:24:20 EDT
Yes, I actually found the problem and filed a separate bug earlier this morning regarding SHA1 used in this situation.  I will fix that soon.

As for this current bug, I'm nearly at the point of setting up the EC CA.
As soon as I verify your fix, I will check it in with problem credit to you per CLA.  Thanks!
Comment 9 Christina Fu 2010-09-16 13:25:25 EDT
(In reply to comment #8)
> Yes, I actually found the problem and filed a separate bug earlier this morning
> regarding SHA1 used in this situation.  I will fix that soon.
> 
> As for this current bug, I'm nearly at the point of setting up the EC CA.
> As soon as I verify your fix, I will check it in with problem credit to you per
> CLA.  Thanks!

^problem^proper
Comment 10 Christina Fu 2010-09-16 17:58:46 EDT
attachment 410076 [details]
+cfu (approved)
Comment 12 Christina Fu 2010-09-16 18:16:25 EDT
[cfu@jaw common]$ svn commit src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
Sending        src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
Transmitting file data .
Committed revision 1302

Note You need to log in before you can comment on or make changes to this bug.