When trying to do CMC Revocation it fails and CA Debug logs show the below error:
[15/Jul/2015:18:23:18]http-bio-8443-exec-11: CMCOutputTemplate: verifyRevRequestSignature. Exception: org.mozilla.jss.crypto.InvalidKeyFormatException: Unable to decode DER-encoded SubjectPublicKeyInfo: invalid DER encoding
[15/Jul/2015:18:23:18]http-bio-8443-exec-11: CMCOutputTemplate::getContentInfo() - done
Steps to Reproduce:
1. Install CA
2. Create a certificate request using below method.
   a. pki -d /opt/cmcreq/test -c 'redhat' client-init
   b. pki -d /opt/cmcreq/test -c "redhat" client-cert-request "uid=revokeme,cn=Revoke Me,ou=idm,o=Foobar Org" --type crmf
   c. approve the request
      pki -d /opt/example1 -n "PKI Administrator for example.org" -c "" cert-request-review 198 --action approve
   d. Import the cert with nickname 'revokeme'
      pki -d /opt/cmcreq/test -c 'redhat' client-cert-import 'revokeme' --serial 0xbf --trust 'u,u,u'
3. Create a cfg file for cmc request as below:
    numRequests=0
    input=
    output=demo_rsauser.cmc
    nickname=PKI Administrator for example.org
    dbdir=/opt/cmcreq/test
    format=crmf
    password=redhat
    confirmCertAcceptance.enable=false
    confirmCertAcceptance.serial=1
    confirmCertAcceptance.issuer=CN=CA Signing Certificate,O=Example Org
    getCert.enable=false
    getCert.serial=
    dataReturn.enable=false
    dataReturn.data=
    transactionMgt.enable=false
    transactionMgt.id=
    senderNonce.enable=false
    senderNonce.id=
    revRequest.enable=true
    revRequest.nickname=revokeme
    revRequest.issuer=CN=CA Signing Certificate,O=Example Org
    revRequest.serial=191
    revRequest.reason=unspecified
    revRequest.sharedSecret=
    revRequest.comment=
    revRequest.invalidityDatePresent=true
    identityProof.enable=false
    identityProof.sharedSecret=testing
    popLinkWitness.enable=false
    LraPopWitness.enable=false
    LraPopWitness.bodyPartIDs=1
4. Submit the request using HttpClient using below cfg
    host=pki2.example.org
    port=8443
    secure=true
    input=demo_rsauser.cmc
    output=demo_rsauser.cmc.response
    dbdir=/opt/cmcreq/test
    clientmode=false
    password=redhat
    tokenname=
    nickname=PKI Administrator for example.org
    servlet=/ca/ee/ca/profileSubmitCMCFull
Actual results:
Certificate should be revoked
Expected results:
Certificate is not revoked.
Per impromptu 10.2.6 meeting of 7/17/2015: Needs Investigation - 10.2.7
Per CS/DS Meeting of 07/27/2015: 10.3
Per Bug Triage of 05/05/2016: 10.4
Per Offline Triage of 11/30/2016-12/01/2016: 10.4 - major
Metadata Update from @mrniranjan: - Issue set to the milestone: 10.4
Metadata Update from @mharmsen: - Custom field feature adjusted to '' - Custom field proposedmilestone adjusted to '' - Custom field proposedpriority adjusted to '' - Custom field reviewer adjusted to '' - Custom field version adjusted to '' - Issue close_status updated to: None - Issue priority set to: 2 (was: 3)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5 (was: 10.4)
As discussed in PKI Bug Council of 04/20/2017, moving this bug to 10.5 as the CMC Revocation tool can be utilized rather than the 'pki' CLI.
Metadata Update from @mharmsen: - Issue close_status updated to: worksforme - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5.0 (was: 10.5)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2057
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.