The OCSPServlet in OCSP subsystem fails to process a normal OCSP request. The same servlet seems to be working fine in CA subsystem.
Steps to reproduce:
On the client side the OCSPClient failed with the following exception:
org.mozilla.jss.asn1.InvalidBERException: SEQUENCE(item #0) >> Incorrect tag: expected [UNIVERSAL 16], found [UNIVERSAL 28]
    at org.mozilla.jss.asn1.ASN1Header.validate(ASN1Header.java:371)
    at org.mozilla.jss.asn1.ASN1Header.validate(ASN1Header.java:356)
    at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:314)
    at com.netscape.cmsutil.ocsp.OCSPResponse$Template.decode(OCSPResponse.java:121)
    at com.netscape.cmsutil.ocsp.OCSPResponse$Template.decode(OCSPResponse.java:116)
    at com.netscape.cmsutil.ocsp.OCSPProcessor.submitRequest(OCSPProcessor.java:167)
    at com.netscape.cmstools.OCSPClient.main(OCSPClient.java:194)
ERROR: Incorrect tag: expected [UNIVERSAL 16], found [UNIVERSAL 28]
Try 'OCSPClient --help' for more information.
On the server side the OCSPServlet failed with the following exception:
java.lang.NullPointerException
    at java.util.Calendar.setTime(Calendar.java:1770)
    at org.mozilla.jss.asn1.TimeBase.encode(TimeBase.java:54)
    at org.mozilla.jss.asn1.SET.BERencode(SET.java:215)
    at org.mozilla.jss.asn1.SEQUENCE.encode(SEQUENCE.java:40)
    at org.mozilla.jss.asn1.SET.encode(SET.java:145)
    at com.netscape.cmsutil.ocsp.SingleResponse.encode(SingleResponse.java:87)
    at org.mozilla.jss.asn1.SET.BERencode(SET.java:215)
    at org.mozilla.jss.asn1.SEQUENCE.encode(SEQUENCE.java:40)
    at org.mozilla.jss.asn1.SET.BERencode(SET.java:215)
    at org.mozilla.jss.asn1.SEQUENCE.encode(SEQUENCE.java:40)
    at com.netscape.cmsutil.ocsp.ResponseData.encode(ResponseData.java:111)
    at org.mozilla.jss.asn1.ASN1Util.encode(ASN1Util.java:23)
    at org.mozilla.jss.asn1.ASN1Util.encode(ASN1Util.java:15)
    at com.netscape.ocsp.OCSPAuthority.sign(OCSPAuthority.java:424)
    at com.netscape.cms.ocsp.DefStore.validate(DefStore.java:396)
    at com.netscape.ocsp.OCSPAuthority.validate(OCSPAuthority.java:346)
    at com.netscape.cms.servlet.ocsp.OCSPServlet.process(OCSPServlet.java:208)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:510)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    ...
    at java.lang.Thread.run(Thread.java:748)
The OCSPServlet should return a valid response in all cases.
Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @mharmsen: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455354
Metadata Update from @mharmsen: - Custom field component adjusted to OCSP (was: General)
Per PKI Bug Council of May 25, 2017: 10.4 - critical
Metadata Update from @mharmsen:
- Issue priority set to: critical
- Issue set to the milestone: 10.4 (was: 0.0 NEEDS_TRIAGE)
cfu pointed out that according to RFC 6960 in case of error the OCSP responder should still generate a valid OCSP response that contains the error code. See https://tools.ietf.org/html/rfc6960#section-2.3.
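Added example (not Dogtag or JSS code) of the RFC 6960 section 2.3 behaviour described above: the responder encodes an OCSPResponse whose responseStatus carries the error instead of failing the request, and the client checks that status before decoding anything else. It handles DER directly with no library; the sample inputs are constructed, including a non-DER body whose first byte '<' (0x3C) decodes as universal constructed tag 28, the tag named in the client error quoted above.

```python
# Constructed example, not Dogtag/JSS code: RFC 6960 OCSPResponse status handling in raw DER.
from typing import Tuple

# OCSPResponseStatus values from RFC 6960 section 4.2.1 (value 4 is not used)
STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
TAG_CLASSES = ("UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE")

def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_length(data: bytes, i: int) -> Tuple[int, int]:
    """Return (length, index of first content octet) for the length field at data[i]."""
    first = data[i]
    if first < 0x80:
        return first, i + 1
    count = first & 0x7F
    return int.from_bytes(data[i + 1:i + 1 + count], "big"), i + 1 + count

def encode_error_response(status: int) -> bytes:
    """OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT OPTIONAL }.
    On an error status responseBytes is omitted, so the whole response is five bytes."""
    if status not in STATUS_NAMES or status == 0:
        raise ValueError("not an error status: %r" % status)
    enumerated = bytes([0x0A, 0x01, status])
    return bytes([0x30]) + _der_length(len(enumerated)) + enumerated

def decode_response_status(data: bytes) -> Tuple[str, bool]:
    """Return (status name, whether a [0] responseBytes element follows the status).
    Only the outer tags are checked here; a non-DER body such as an HTML error page
    surfaces as the same 'expected [UNIVERSAL 16], found [UNIVERSAL 28]' message."""
    if not data:
        raise ValueError("empty OCSP response body")
    tag = data[0]
    if tag != 0x30:
        raise ValueError("Incorrect tag: expected [UNIVERSAL 16], found [%s %d]"
                         % (TAG_CLASSES[tag >> 6], tag & 0x1F))
    seq_len, i = _read_length(data, 1)
    end = i + seq_len
    if end > len(data) or data[i] != 0x0A:
        raise ValueError("malformed OCSPResponse: missing ENUMERATED responseStatus")
    enum_len, j = _read_length(data, i + 1)
    status = int.from_bytes(data[j:j + enum_len], "big")
    if status not in STATUS_NAMES:
        raise ValueError("unknown responseStatus %d" % status)
    j += enum_len
    has_response_bytes = j < end and data[j] == 0xA0  # [0] EXPLICIT responseBytes
    if status != 0 and has_response_bytes:
        raise ValueError("responseBytes must be absent on an error status")
    return STATUS_NAMES[status], has_response_bytes
```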
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5 (was: 10.4)
Metadata Update from @mharmsen: - Issue priority set to: major (was: critical)
Metadata Update from @mharmsen: - Issue priority set to: critical (was: major)
Per CS/DS Meeting 09/25/2017: 10.5 critical
Apparently the error only happens on a new CA which has not published the CRL yet. Once the CRL is published (even if it's empty) the OCSP will work correctly. Here are the steps:
Possible solutions:
Lowering the priority to major.
Metadata Update from @edewata: - Issue priority set to: major (was: critical)
[20171025] - Offline Triage ==> 10.6
Metadata Update from @mharmsen: - Issue set to the milestone: 10.6 (was: 10.5)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2823
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)