Description of problem:
I can't get CRL distribution list extension working. When trying to open a certificate request in CA manager, the following error is shown:
====================================================================
The Certificate System has encountered an unrecoverable error.
Error Message:
java.lang.ClassCastException: netscape.security.x509.Extension cannot be cast to netscape.security.x509.CRLDistributionPointsExtension
Please contact your local administrator for assistance.
====================================================================

Relevant part of the profile under which the cert request was made:
====================================================================
policyset.caYuriOtherCertSet.9.constraint.class_id=noConstraintImpl
policyset.caYuriOtherCertSet.9.constraint.name=No Constraint
policyset.caYuriOtherCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.caYuriOtherCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.caYuriOtherCertSet.9.default.params.crlDistPointsCritical=false
policyset.caYuriOtherCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.caYuriOtherCertSet.9.default.params.crlDistPointsIssuerName_0=
policyset.caYuriOtherCertSet.9.default.params.crlDistPointsIssuerType_0=
policyset.caYuriOtherCertSet.9.default.params.crlDistPointsNum=1
policyset.caYuriOtherCertSet.9.default.params.crlDistPointsPointName_0=http://ca.xxx.net:9180/ca/ee/ca/crl/MasterCRL.crl
policyset.caYuriOtherCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.caYuriOtherCertSet.9.default.params.crlDistPointsReasons_0=
====================================================================

catalina.log:
====================================================================
INFO: caProfileReview: java.lang.ClassCastException: netscape.security.x509.Extension cannot be cast to netscape.security.x509.CRLDistributionPointsExtension
        at com.netscape.cms.profile.def.CRLDistributionPointsExtDefault.getValue(CRLDistributionPointsExtDefault.java:356)
        at com.netscape.cms.profile.def.EnrollDefault.getValue(EnrollDefault.java:238)
        at com.netscape.cms.servlet.profile.ProfileReviewServlet.handlePolicy(ProfileReviewServlet.java:409)
        at com.netscape.cms.servlet.profile.ProfileReviewServlet.process(ProfileReviewServlet.java:230)
        at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:501)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at com.netscape.cms.servlet.filter.AgentRequestFilter.doFilter(AgentRequestFilter.java:94)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Thread.java:636)
====================================================================

Version-Release number of selected component (if applicable):
1.3.6.1.fc13

Thank you!
Created attachment 450882 [details] debug log Same thing when using unmodified DomainController.cfg profile. I'm attaching relevant debug log.
The fix for the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=623452 turns out to include the solution to this bug. It was needed to test the feature implemented in that bug for the CRLDistributionPoint extension. Marking modified.
Jack, I don't have access to that bug. How do I fix this one? Is there any patch already for it? Thanks.
Hello: The portion of the patch to the other bug that fixes this is here: Index: base/util/src/netscape/security/x509/CRLDistributionPointsExtension.java =================================================================== --- base/util/src/netscape/security/x509/CRLDistributionPointsExtension.java (revision 1496) +++ base/util/src/netscape/security/x509/CRLDistributionPointsExtension.java (working copy) @@ -74,6 +74,7 @@ //throws IOException { try { + this.extensionId = PKIXExtensions.CRLDistributionPoints_Id; this.critical = critical.booleanValue(); this.extensionValue = (byte[])((byte[])value).clone(); @@ -169,6 +170,13 @@ ///////////////////////////////////////////////////////////// public static final String NAME = "CRLDistributionPoints"; + static { + try { + OIDMap.addAttribute(CRLDistributionPointsExtension.class.getName(), + OID, NAME); + } catch (CertificateException e) {} + } + public String toString() { return NAME; }
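Review bot: in the first hunk the new `this.extensionId = PKIXExtensions.CRLDistributionPoints_Id;` sits inside the `try` block even though the assignment cannot throw, and it names the OID through a different constant than the `OID` the second hunk passes to `OIDMap.addAttribute`; if both refer to the same 2.5.29.31 value, derive one from the other so the constructor and the OIDMap registration cannot drift apart, and move the assignment above the `try` (or into the field initializer) so it is visibly unconditional, since a missing `extensionId` is exactly what makes the decoder fall back to the generic `Extension` reported in this bug.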
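Review bot: in the second hunk the static initializer swallows the registration failure with `} catch (CertificateException e) {}`; if `OIDMap.addAttribute` throws, the class silently stays unregistered and certificates carrying 2.5.29.31 will again decode as a plain `netscape.security.x509.Extension`, reproducing the ClassCastException this patch is meant to fix. Log the exception (or rethrow it as an `ExceptionInInitializerError`) so a broken OID mapping is visible at startup instead of surfacing as a cast failure in the agent UI.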
Verified.

RHEL Version:
Red Hat Enterprise Linux Server release 5.6 (Tikanga)

RHCS Version:
[root@cs81box ~]# rpm -qa|grep pki- |sort
pki-ca-8.1.0-4.el5pki
pki-common-8.1.0-9.el5pki
pki-console-8.1.0-2.el5pki
pki-java-tools-8.1.0-3.el5pki
pki-kra-8.1.0-4.el5pki
pki-native-tools-8.1.0-2.el5pki
pki-ocsp-8.1.0-4.el5pki
pki-ra-8.1.0-5.el5pki
pki-selinux-8.1.0-2.el5pki
pki-setup-8.1.0-3.el5pki
pki-tks-8.1.0-4.el5pki
pki-tps-8.1.0-9.el5pki
pki-util-8.1.0-3.el5pki
redhat-pki-ca-ui-8.1.0-3.el5pki
redhat-pki-common-ui-8.1.0-2.el5pki
redhat-pki-console-ui-8.1.0-2.el5pki
redhat-pki-kra-ui-8.1.0-3.el5pki
redhat-pki-ocsp-ui-8.1.0-2.el5pki
redhat-pki-ra-ui-8.1.0-2.el5pki
redhat-pki-tks-ui-8.1.0-2.el5pki
redhat-pki-tps-ui-8.1.0-3.el5pki
[root@cs81box ~]

Steps used to verify:
1. Open CA Agent page and disable caUserCert.profile through Manage Certificate Profiles.
2. Launch pkiconsole and click on Certificate Profiles under Certificate Manager and choose the disabled profile (caUserCert) for edit.
3. Now click on add and choose "CRL Distribution Points Extension Default". Click ok.
4. Now in Policy editor fill following fields:
   - policy ID
   - crlDistPointsPointType_0
   - crlDistPointsPointName_0
   and select true for crlDistPointsEnable_0. Click ok.
5. Go to CA Agent page and Approve the caUserCert.profile.
6. Go to End-entity page and issue a certificate request using profile 'Manual User Dual-Use Certificate Enrollment (caUserCert)'.
7. Go to CA Agent page and approve the request.
8. Go to End-entity page and retrieve the certificate.

Result:
Certificate Request using a certificate profile where CRL Distribution point is defined is working fine now.

CRL Distribution point Extension extract from the Certificate.
Data:
    Version: v3
    Serial Number: 0x2A
    Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
    Issuer: CN=Certificate Authority,OU=pki-ca,O=PnqRedhat Domain
    Validity:
        Not Before: Monday, May 9, 2011 12:27:13 PM IST Asia/Calcutta
        Not After: Saturday, November 5, 2011 12:27:13 PM IST Asia/Calcutta
    Subject: UID=ksiddiqu,E=ksiddiqu,CN=ksiddiqu,OU=Engineering Services,O=Redhat,C=IN
    Subject Public Key Info:
    Extensions:
        Identifier: Authority Key Identifier - 2.5.29.35
            Critical: no
            Key Identifier:
                BB:CF:FD:D8:74:48:AD:75:2B:74:9A:84:30:BB:40:73:
                2C:16:F0:37
        Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
            Critical: no
            Access Description:
                Method #0: ocsp
                Location #0: URIName: http://cs81box.pnq.redhat.com:9180/ca/ocsp
        Identifier: Key Usage: - 2.5.29.15
            Critical: yes
            Key Usage:
                Digital Signature
                Non Repudiation
                Key Encipherment
        Identifier: Extended Key Usage: - 2.5.29.37
            Critical: no
            Extended Key Usage:
                1.3.6.1.5.5.7.3.2
                1.3.6.1.5.5.7.3.4
        Identifier: CRL Distribution Points - 2.5.29.31
            Critical: no
            Number of Points: 1
            Point 0
                Distribution Point: [URIName: http://cs81box.pnq.redhat.com:9444/ca/ee/ca/crl/MasterCRL.crl]

Here CRL Distribution Point value is enclosed between braces.
Well, what can I tell you guys. I stumbled upon same problem with recent PKI packages. This time, however, I'm running java 1.7 as 1.6 is unsupported. 1.7 will be gone soon, too, but I'm trying to be as close to 1.6 as possible.
======================================
jdk-1.7.0_55-fcs
pki-ca-8.1.6-1
pki-common-8.1.12-4
pki-console-8.1.0-5
pki-java-tools-8.1.0-6
pki-migrate-8.1.0-10
pki-native-tools-8.1.0-7
pki-ocsp-8.1.1-1
pki-selinux-8.1.0-2
pki-setup-8.1.0-4
pki-util-8.1.1-2
redhat-pki-ca-ui-8.1.0-8
redhat-pki-common-ui-8.1.0-2
redhat-pki-console-ui-8.1.0-2
redhat-pki-ocsp-ui-8.1.0-5
======================================
Some packages contain my tiny mods (additional exts), but that's irrelevant to the problem. It's essentially exactly the same problem. I'm getting that exception when trying to view Certificates with CRLDistribution extension in them.

In "agent services", I'm getting:
====================================================================
INFO: caProfileReview: java.lang.ClassCastException: netscape.security.x509.Extension cannot be cast to netscape.security.x509.CRLDistributionPointsExtension
        at com.netscape.cms.profile.def.CRLDistributionPointsExtDefault.getValue(CRLDistributionPointsExtDefault.java:398)
        at com.netscape.cms.profile.def.EnrollDefault.getValue(EnrollDefault.java:238)
        at com.netscape.cms.servlet.profile.ProfileReviewServlet.handlePolicy(ProfileReviewServlet.java:410)
        at com.netscape.cms.servlet.profile.ProfileReviewServlet.process(ProfileReviewServlet.java:231)
        at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:502)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at com.netscape.cms.servlet.filter.AgentRequestFilter.doFilter(AgentRequestFilter.java:106)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:542)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
        at java.lang.Thread.run(Thread.java:745)
====================================================================

When using "end services" endpoint, the extension is shown in "binary" mode:
====================================================================
Identifier: 2.5.29.31
    Critical: no
    Value:
        30:3C:30:3A:A0:38:A0:36:86:34:68:74:74:70:3A:2F:
        2F:63:61:32:2E:66:75:73:65:64:2E:6E:65:74:3A:39:
        31:38:30:2F:63:61:2F:65:65:2F:63:61:2F:63:72:6C:
        2F:4D:61:73:74:65:72:43:52:4C:2E:63:72:6C
====================================================================

Yes, it is registered, it's present, I'm using latest packages. I even tried substituting Extension to netscape.security.x509.Extension. I tried using old CRLDistributionPointsExtDefault and old CRLDistributionPointsExtension.java. Nothing helped!

Thanks!
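The end-entity page in the comment above prints extension 2.5.29.31 as raw bytes because the server decoded it as a generic Extension rather than a CRLDistributionPointsExtension. The following is an added example, not code from this bug report or from the pki packages: a small hand-written DER walker that decodes that exact hex dump and returns the CRL URI(s) it contains, so an operator can confirm what distribution point an issued certificate actually carries without depending on the agent UI. The hex constant is copied from the comment above; the function names `hex_to_bytes`, `read_tlv`, `read_sequence` and `crl_distribution_uris` are chosen here and are not part of any library.

```python
# Added example (not from the bug report or the pki code base): decode the DER
# value of a CRLDistributionPoints extension (RFC 5280 section 4.2.1.13) and
# return the uniformResourceIdentifier GeneralNames it contains.
from dataclasses import dataclass

# Hex dump copied from the "Value:" lines of extension 2.5.29.31 in the comment above.
RAW_HEX = (
    "30:3C:30:3A:A0:38:A0:36:86:34:68:74:74:70:3A:2F:"
    "2F:63:61:32:2E:66:75:73:65:64:2E:6E:65:74:3A:39:"
    "31:38:30:2F:63:61:2F:65:65:2F:63:61:2F:63:72:6C:"
    "2F:4D:61:73:74:65:72:43:52:4C:2E:63:72:6C"
)


@dataclass
class Tlv:
    tag: int
    value: bytes


def hex_to_bytes(dump: str) -> bytes:
    """Turn the colon-separated hex the pki UI prints into bytes."""
    return bytes.fromhex(dump.replace(":", "").replace(" ", ""))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV starting at pos; return (Tlv, position after it).
    Short-form and long-form lengths are handled; multi-byte tags are not
    needed for this structure and are rejected. Truncation raises ValueError."""
    if pos >= len(buf):
        raise ValueError("truncated: no tag byte")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    if pos >= len(buf):
        raise ValueError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        if pos + nbytes > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return Tlv(tag, buf[pos:pos + length]), pos + length


def read_sequence(value: bytes):
    """Split the content octets of a constructed type into its child TLVs."""
    children, pos = [], 0
    while pos < len(value):
        tlv, pos = read_tlv(value, pos)
        children.append(tlv)
    return children


def crl_distribution_uris(der: bytes) -> list:
    """Return every URI GeneralName found in a DER CRLDistributionPoints value.
    Structure walked: SEQUENCE OF DistributionPoint, each a SEQUENCE whose
    [0] distributionPoint (explicit, because DistributionPointName is a CHOICE)
    wraps [0] fullName (implicit GeneralNames) holding [6] IA5String URIs."""
    outer, end = read_tlv(der)
    if outer.tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE OF DistributionPoint")
    uris = []
    for dp in read_sequence(outer.value):
        if dp.tag != 0x30:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        for field in read_sequence(dp.value):
            if field.tag != 0xA0:          # [1] reasons / [2] cRLIssuer are skipped
                continue
            name, _ = read_tlv(field.value)
            if name.tag != 0xA0:           # [1] nameRelativeToCRLIssuer is skipped
                continue
            for gn in read_sequence(name.value):
                if gn.tag == 0x86:         # [6] uniformResourceIdentifier
                    uris.append(gn.value.decode("ascii"))
    return uris


if __name__ == "__main__":
    for uri in crl_distribution_uris(hex_to_bytes(RAW_HEX)):
        print(uri)
```

Run stand-alone it prints the single URI encoded in the dump, which is the value the profile's crlDistPointsPointName_0 parameter should match; a mismatch between the two would mean the profile default is not what ended up in the issued certificate.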
So, for those that encounter this bug, you need to do the following:
- Enable a profile with CRLDistributionPointsExtDefault extension in it
- Go to end-services page and submit a cert request using that profile (any dumb req will do)
And voila, you've got CRLDistributionPointsExtension working. You can now go to agent page and reject/delete dumb request. This will last till next CA reboot. Works on RH CA 8.1.