Bug 497675 - FlatFileAuth and NullPointerException using an IPv6 address
FlatFileAuth and NullPointerException using an IPv6 address
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: SCEP (Show other bugs)
1.1
i386 Linux
high Severity medium
: ---
: ---
Assigned To: Jack Magne
Chandrasekar Kannan
:
Depends On:
Blocks: 443788
  Show dependency treegraph
 
Reported: 2009-04-25 22:06 EDT by fortunato.montresor
Modified: 2015-01-04 18:38 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-22 19:34:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description fortunato.montresor 2009-04-25 22:06:33 EDT
Description of problem:

After editing /var/lib/rhpki-ca/conf/flatfile.txt to use and IPv6 address with a password as follows:

  UID=2001:a::1
  PWD=123456

The pki-ca component 

Version-Release number of selected component (if applicable):

1.1.0

How reproducible:


Steps to Reproduce:
1. tail -f /var/log/pki-ca/debug
2. Attempt to enroll using a Juniper Networks SCEP client 
  
Actual results:

[23/Apr/2009:18:30:03][http-9180-Processor24]: Found profile=caRouterCert
[23/Apr/2009:18:30:03][http-9180-Processor24]: Retrieving authenticator
[23/Apr/2009:18:30:03][http-9180-Processor24]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[23/Apr/2009:18:30:03][http-9180-Processor24]: FlatFileAuth: concatenating string i=0  keyAttrs[0] = UID
[23/Apr/2009:18:30:03][http-9180-Processor24]: FlatFileAuth: authenticating user: finding user from key: 2001:a:0:0:0:0:0:1
[23/Apr/2009:18:30:03][http-9180-Processor24]: handlePKIMessage exception java.lang.NullPointerException
java.lang.NullPointerException
        at com.netscape.cms.authentication.FlatFileAuth.authenticate(FlatFileAuth.java:462)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.authenticate(CRSEnrollment.java:276)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.postRequest(CRSEnrollment.java:1378)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKCSReq(CRSEnrollment.java:1282)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:671)
        at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:231)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Thread.java:636)
[23/Apr/2009:18:30:03][http-9180-Processor24]: Service exception javax.servlet.ServletException: Failed to process message in CEP servlet: null


Expected results:


Additional info:
Comment 1 Jack Magne 2009-06-23 18:35:46 EDT
OK, I was able to get this working with the latest CS 8.0 code after doing the following:

1. Experiment with the next CS release of JSS with Ipv6.

2. Modify a test scep client to be able to use ipv6 addresses.

3. Set flatfile.txt to look like:

UID:3ffe:1111:2222:2000:230:48ff:fe8c:39
PWD:netscape

4. Restarted the server.

5. Issued the following command with the test client:


./sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u "http://gamma6:9180/ca/cgi-bin/pkiclient.exe"



The following log trace shows that the Ipv6 IP address is being accepted just fine:

[23/Jun/2009:15:33:43][http-9180-Processor25]: Found profile=caRouterCert
[23/Jun/2009:15:33:43][http-9180-Processor25]: Retrieving authenticator
[23/Jun/2009:15:33:43][http-9180-Processor25]: Got authenticator=com.netscape.cms.authentication.FlatFileAuth
[23/Jun/2009:15:33:43][http-9180-Processor25]: FlatFileAuth: concatenating string i=0  keyAttrs[0] = UID
[23/Jun/2009:15:33:43][http-9180-Processor25]: FlatFileAuth: authenticating user: finding user from key: 3ffe:1111:2222:2000:230:48ff:fe8c:39
[23/Jun/2009:15:33:43][http-9180-Processor25]: CRSEnrollment: Creating profile requests
[23/Jun/2009:15:33:43][http-9180-Processor25]: xx Start parsePKCS10 MIIBuTCCASICAQAwLzEtMCsGA1UEAxMkM2ZmZToxMTExOjIyMjI6MjAwMDoyMzA6^M
NDhmZjpmZThjOjM5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6fWhARHAJ^M
f+R072/XsTTjtk8b5CPQ4NkokFu13qzBThZ2HzaHJcbzxltROsGgin5phGSGU6gp^M
1hN4O9yW5A4OJYOARdOspKGdfkQ+Q3WgsNGbmMieoLKB64epWDrkgt32r6a177SR^M
AO4wVBK5TiTl3w2RAg+DQrlCTRmXzI2OdwIDAQABoEowFwYJKoZIhvcNAQkHMQoT^M
CG5ldHNjYXBlMC8GCSqGSIb3DQEJDjEiMCAwHgYDVR0RAQH/BBQwEocQP/4RESIi^M
IAACMEj//owAOTANBgkqhkiG9w0BAQUFAAOBgQCi57X5u6Rp+HnHl3E0jQMPCVqd^M
G8GsfmMjQhujNBwJWeStIolmFhkqnFKU9isRB2C4jG2DoRXL7Qk9FMv+tnV30C52^M
lsemKXiOVrJbebpIMZj6lKVXfRZZeEL31jigxGMBT+Wbkwpq/4PR6fH6keT8Nlnl^M
09YlpzsS6MqejzKAGgMDAw==

The local printout of the client invocation looked like:

./sscep: sending certificate request
./sscep: valid response from server
./sscep: pkistatus: SUCCESS
./sscep: certificate written as cert.crt
Comment 2 Jack Magne 2009-06-23 18:36:52 EDT
Once we fix #469456, we can close this one with the caveat that the user will need a client that can connect over IPv6.
Comment 3 Jack Magne 2009-06-24 21:57:33 EDT
#469456 has been resolved. The next build of CS 8.0 should make this issue testable.

Note You need to log in before you can comment on or make changes to this bug.