Bug 503045 - CMC Revocation cannot be completed in EE page - fails with NullPointerException
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: CA
1.1
All Linux
urgent Severity urgent
Assigned To: Kashyap Chamarthy
Chandrasekar Kannan
Blocks: 443788
Reported: 2009-05-28 09:53 EDT by Kashyap Chamarthy
Modified: 2015-01-04 18:38 EST

Doc Type: Bug Fix
Last Closed: 2009-07-22 19:35:48 EDT

Attachments:
complete ca debug log when CMC Revocation is performed (10.07 KB, application/octet-stream), 2009-05-28 09:55 EDT, Kashyap Chamarthy
fix for both nullpointer exception issue and authorization issue (6.40 KB, patch), 2009-06-06 12:38 EDT, Christina Fu
spec files diff (1.95 KB, patch), 2009-06-06 12:45 EDT, Christina Fu
pki-ca debug logs without request headers (10.45 KB, application/octet-stream), 2009-06-08 02:00 EDT, Kashyap Chamarthy
pki-ca debug logs with request headers when CMC Revoke on EE is performed (10.38 KB, text/plain), 2009-06-08 02:02 EDT, Kashyap Chamarthy

Description Kashyap Chamarthy 2009-05-28 09:53:52 EDT
Description of problem:
CMC Revocation in EE pages fails with the below error

Policy Rule: RevocationConstraints - Unexpected error:java.lang.NullPointerException

Steps to Reproduce:
1. Firstly, to sign a revocation request with the agent's certificate, use CMCRevoke as below:
#CMCRevoke -d"/home/test/.mozilla/firefox/q9v5msej.default/" -n"CA Administrator of Instance pki-ca's PnqRedhat Domain ID" -i"CN=Certificate Authority" -s27 -m1 -hnetscape -c"test comment"

2. Now, go to the CA end-entities page and select the revocation tab.

3. Paste the output from CMCRevoke into the text box, except the Begin/End headers of the request.
  
Actual results:

Revocation Request Cannot Be Completed

Policy Rule: RevocationConstraints - Unexpected error:java.lang.NullPointerException


Expected results:

The user certificate should be revoked.
-----------------------
Minor Note: If we look at the syntax, the tool throws an error ("14 parameters") if there is a "space" between the options and the values we pass to CMCRevoke.
It counts the space between option and value as a parameter (that's 14 parameters).

Without a space it works fine.
-------------------------
Log info: CA debug log:

[28/May/2009:18:30:29][http-9444-Processor24]: CMSServlet: caCMCRevReq start to service.
[28/May/2009:18:30:29][http-9444-Processor24]: **** mFormPath = /ee/ca/revocationResult.template
[28/May/2009:18:30:29][http-9444-Processor24]: IP: 10.65.1.29
[28/May/2009:18:30:29][http-9444-Processor24]: AuthMgrName: CMCAuth
[28/May/2009:18:30:29][http-9444-Processor24]: CMSServlet: no client certificate found
[28/May/2009:18:30:29][http-9444-Processor24]: CMCAuth: start checking signature
[28/May/2009:18:30:29][http-9444-Processor24]: CMCAuth: verifying signature with public key
[28/May/2009:18:30:29][http-9444-Processor24]: CMCAuth: finished checking signature
[28/May/2009:18:30:29][http-9444-Processor24]: CertUserDBAuth: started
[28/May/2009:18:30:29][http-9444-Processor24]: CertUserDBAuth: Retrieving client certificate
[28/May/2009:18:30:29][http-9444-Processor24]: CertUserDBAuth: Got client certificate
[28/May/2009:18:30:29][http-9444-Processor24]: getConn: mNumConns now 2
[28/May/2009:18:30:29][http-9444-Processor24]: returnConn: mNumConns now 3
[28/May/2009:18:30:29][http-9444-Processor24]: Authentication: client certificate found
[28/May/2009:18:30:29][http-9444-Processor24]: getConn: mNumConns now 2
[28/May/2009:18:30:29][http-9444-Processor24]: returnConn: mNumConns now 3
[28/May/2009:18:30:29][http-9444-Processor24]: Authentication: mapped certificate to user
[28/May/2009:18:30:29][http-9444-Processor24]: authenticated uid=admin,ou=People,dc=rhel5t.pnq.redhat.com-pki-ca
[28/May/2009:18:30:29][http-9444-Processor24]: SignedAuditEventFactory: create() message=[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Success][ReqType=revocation][CertSubject=$Unidentified$][SignerInfo=CA Administrator of Instance pki-ca] agent pre-approved CMC request signature verification

[28/May/2009:18:30:29][http-9444-Processor24]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=admin][Outcome=Success][AuthMgr=CMCAuth] authentication success

[28/May/2009:18:30:29][http-9444-Processor24]: checkACLS(): ACLEntry expressions= user="anybody"
[28/May/2009:18:30:29][http-9444-Processor24]: evaluating expressions: user="anybody"
[28/May/2009:18:30:29][http-9444-Processor24]: evaluated expression: user="anybody" to be true
[28/May/2009:18:30:29][http-9444-Processor24]: DirAclAuthz: authorization passed
[28/May/2009:18:30:29][http-9444-Processor24]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=admin][Outcome=Success][aclResource=certServer.ee.request.revocation][Op=submit] authorization success

[28/May/2009:18:30:29][http-9444-Processor24]: getConn: mNumConns now 2
[28/May/2009:18:30:29][http-9444-Processor24]: returnConn: mNumConns now 3
[28/May/2009:18:30:29][http-9444-Processor24]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=admin][Outcome=Success][Role=Certificate Manager Agents, Administrators, Security Domain Administrators, Enterprise CA Administrators, Enterprise KRA Administrators, Enterprise OCSP Administrators, Enterprise TKS Administrators, Enterprise RA Administrators, Enterprise TPS Administrators] assume privileged role

[28/May/2009:18:30:29][http-9444-Processor24]: getConn: mNumConns now 2
[28/May/2009:18:30:29][http-9444-Processor24]: returnConn: mNumConns now 3
[28/May/2009:18:30:29][http-9444-Processor24]: getConn: mNumConns now 2
[28/May/2009:18:30:29][http-9444-Processor24]: In findCertRecordsInList
[28/May/2009:18:30:29][http-9444-Processor24]: In DBVirtualList filter attrs sortKey pageSize filter: (|(certRecordId=27)) attrs: null pageSize 1
[28/May/2009:18:30:29][http-9444-Processor24]: returnConn: mNumConns now 3
[28/May/2009:18:30:29][http-9444-Processor24]: getEntries returning 1
[28/May/2009:18:30:29][http-9444-Processor24]: mTop 0
[28/May/2009:18:30:29][http-9444-Processor24]: Getting Virtual List size: 1
[28/May/2009:18:30:29][http-9444-Processor24]: getElementAt: 0 mTop 0
[28/May/2009:18:30:29][http-9444-Processor24]: Repository: in getNextSerialNumber. 
[28/May/2009:18:30:29][http-9444-Processor24]: Repository: getNextSerialNumber: returning retSerial 39
[28/May/2009:18:30:29][http-9444-Processor24]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST][SubjectID=admin][Outcome=Success][ReqID=$Unidentified$][CertSerialNum=0x6][RequestType=revoke] certificate revocation/unrevocation request made

[28/May/2009:18:30:29][http-9444-Processor24]: in CAPolicy.apply(requestType=revocation,requestId=39,requestStatus=begin)
[28/May/2009:18:30:29][http-9444-Processor24]: mPolicies = class com.netscape.cmscore.policy.GenericPolicyProcessor
[28/May/2009:18:30:29][http-9444-Processor24]: getConn: mNumConns now 2
[28/May/2009:18:30:29][http-9444-Processor24]: returnConn: mNumConns now 3
[28/May/2009:18:30:29][http-9444-Processor24]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=admin][Outcome=Success][ReqID=$Unidentified$][CertSerialNum=0x6][RequestType=revoke][RevokeReasonNum=1][Approval=rejected] certificate status change request processed

[28/May/2009:18:30:29][http-9444-Processor24]: CMSServlet: curDate=Thu May 28 18:30:29 IST 2009 id=caCMCRevReq time=82
[28/May/2009:18:30:29][Thread-124]: RunListeners:: noQueue  SingleRequest
[28/May/2009:18:30:29][Thread-124]: RunListeners: IRequestListener = com.netscape.cms.listeners.CertificateIssuedListener
[28/May/2009:18:30:29][Thread-124]: CertificateIssuedListener: accept 39
[28/May/2009:18:30:29][Thread-124]: RunListeners: IRequestListener = com.netscape.ca.CRLIssuingPoint$RevocationRequestListener
[28/May/2009:18:30:29][Thread-124]: Revocation listener called.
[28/May/2009:18:30:29][Thread-124]: RunListeners: IRequestListener = com.netscape.cms.listeners.CertificateRevokedListener
[28/May/2009:18:30:29][Thread-124]: RunListeners:  noQueue  SingleRequest
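
Added example, not part of the original report and not Dogtag code: in the debug log above, the failed revocation is recorded as a CERT_STATUS_CHANGE_REQUEST_PROCESSED audit event with Outcome=Success but Approval=rejected, so a monitor that reads only Outcome would miss it. The Python below parses the bracketed [key=value] audit fields and pairs each revoke request with its processed event; the function names are hypothetical and the sample lines are copied from the log above.

```python
import re

# Constructed sample: four lines copied from the CA debug log quoted in this report.
SAMPLE_LOG = """\
[28/May/2009:18:30:29][http-9444-Processor24]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=admin][Outcome=Success][AuthMgr=CMCAuth] authentication success
[28/May/2009:18:30:29][http-9444-Processor24]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST][SubjectID=admin][Outcome=Success][ReqID=$Unidentified$][CertSerialNum=0x6][RequestType=revoke] certificate revocation/unrevocation request made
[28/May/2009:18:30:29][http-9444-Processor24]: in CAPolicy.apply(requestType=revocation,requestId=39,requestStatus=begin)
[28/May/2009:18:30:29][http-9444-Processor24]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=admin][Outcome=Success][ReqID=$Unidentified$][CertSerialNum=0x6][RequestType=revoke][RevokeReasonNum=1][Approval=rejected] certificate status change request processed
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<body>.*)$")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")

def parse_audit_events(log_text):
    """Return one dict per audit message: timestamp, thread and its [key=value] fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "message=" not in m.group("body"):
            continue  # ordinary debug line, not an audit message
        fields = dict(FIELD_RE.findall(m.group("body").split("message=", 1)[1]))
        if "AuditEvent" in fields:
            events.append({"ts": m.group("ts"), "thread": m.group("thread"), **fields})
    return events

def rejected_revocations(events):
    """Revocations that were requested and then processed with Approval=rejected."""
    requested = {(e["thread"], e.get("CertSerialNum"))
                 for e in events
                 if e["AuditEvent"] == "CERT_STATUS_CHANGE_REQUEST"
                 and e.get("RequestType") == "revoke"}
    return [e for e in events
            if e["AuditEvent"] == "CERT_STATUS_CHANGE_REQUEST_PROCESSED"
            and e.get("Approval") == "rejected"
            and (e["thread"], e.get("CertSerialNum")) in requested]

if __name__ == "__main__":
    for e in rejected_revocations(parse_audit_events(SAMPLE_LOG)):
        print(e["ts"], e["SubjectID"], e["CertSerialNum"], "Outcome=" + e["Outcome"])
```
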
Comment 1 Kashyap Chamarthy 2009-05-28 09:55:50 EDT
Created attachment 345763
complete ca debug log when CMC Revocation is performed
Comment 3 Christina Fu 2009-06-06 12:38:59 EDT
Created attachment 346754
fix for both nullpointer exception issue and authorization issue
Comment 4 Christina Fu 2009-06-06 12:45:34 EDT
Created attachment 346755
spec files diff
Comment 5 Matthew Harmsen 2009-06-06 13:11:37 EDT
attachment (id=346754)
attachment (id=346755)
+mharmsen
Comment 6 Christina Fu 2009-06-06 13:18:36 EDT
[cfu@jaw base]$ pwd
/home/cfu/dogtag/src0/pki/base
[cfu@jaw base]$ svn commit ca common
Sending        ca/shared/webapps/ca/WEB-INF/web.xml
Sending        common/src/com/netscape/cms/policy/constraints/RevocationConstraints.java
Sending        common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
Sending        common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java
Sending        common/src/com/netscape/cmscore/policy/PolicySet.java
Transmitting file data .....
Committed revision 561.



[cfu@jaw dogtag]$ pwd
/home/cfu/dogtag/src0/pki/dogtag
[cfu@jaw dogtag]$ svn commit ca common
Sending        ca/pki-ca.spec
Sending        common/pki-common.spec
Transmitting file data ..
Committed revision 562.
Comment 7 Kashyap Chamarthy 2009-06-08 01:57:19 EDT
I tried to verify with the June 8th build, but I still encounter the NullPointerException in the EE "CMC Revoke" pages.

Error

Policy Rule: RevocationConstraints - Unexpected error:java.lang.NullPointerException


Note: I tried with both certificate request headers intact and truncated. Both result in the same error. (Attached both logs of CA debug when CMC Revocation is performed.)
Comment 8 Kashyap Chamarthy 2009-06-08 02:00:10 EDT
Created attachment 346816
pki-ca debug logs without request headers
Comment 9 Kashyap Chamarthy 2009-06-08 02:02:04 EDT
Created attachment 346817
pki-ca debug logs with request headers when CMC Revoke on EE is performed
Comment 10 Christina Fu 2009-06-08 11:20:18 EDT
Kashyap, are you sure you have the right build with my fix in it? The log tells me that you do not have the new code at all.
Comment 11 Kashyap Chamarthy 2009-06-08 11:37:16 EDT
Yes, I'm sure; yesterday night (June 7th) I installed the build. However, I will surely retry it again on an even newer build and let you know.
Comment 12 Kashyap Chamarthy 2009-06-09 02:59:42 EDT
Verified (June 8th). CMC Revocation works perfectly with Christina's new fix.
