#2703 OCSP subsystem generates invalid response
Closed: migrated 3 years ago by dmoluguw. Opened 6 years ago by edewata.

The OCSPServlet in OCSP subsystem fails to process a normal OCSP request. The same servlet seems to be working fine in CA subsystem.

Steps to reproduce:

  1. Install CA
  2. Install OCSP
  3. Initialize client database:
    $ pki -c Secret.123 client-init
  4. Install CA certificate in client database:
    $ pki client-cert-import "CA Certificate" --ca-server
  5. Submit OCSP request:
    $ OCSPClient -v -d ~/.dogtag/nssdb -c "CA Certificate" -h $HOSTNAME -p 8080 -t /ocsp/ee/ocsp --serial 1

On the client side the OCSPClient failed with the following exception:

org.mozilla.jss.asn1.InvalidBERException: SEQUENCE(item #0) >> Incorrect tag: expected [UNIVERSAL 16], found [UNIVERSAL 28]
        at org.mozilla.jss.asn1.ASN1Header.validate(ASN1Header.java:371)
        at org.mozilla.jss.asn1.ASN1Header.validate(ASN1Header.java:356)
        at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:314)
        at com.netscape.cmsutil.ocsp.OCSPResponse$Template.decode(OCSPResponse.java:121)
        at com.netscape.cmsutil.ocsp.OCSPResponse$Template.decode(OCSPResponse.java:116)
        at com.netscape.cmsutil.ocsp.OCSPProcessor.submitRequest(OCSPProcessor.java:167)
        at com.netscape.cmstools.OCSPClient.main(OCSPClient.java:194)
ERROR: Incorrect tag: expected [UNIVERSAL 16], found [UNIVERSAL 28]
Try 'OCSPClient --help' for more information.

On the server side the OCSPServlet failed with the following exception:

java.lang.NullPointerException
        at java.util.Calendar.setTime(Calendar.java:1770)
        at org.mozilla.jss.asn1.TimeBase.encode(TimeBase.java:54)
        at org.mozilla.jss.asn1.SET.BERencode(SET.java:215)
        at org.mozilla.jss.asn1.SEQUENCE.encode(SEQUENCE.java:40)
        at org.mozilla.jss.asn1.SET.encode(SET.java:145)
        at com.netscape.cmsutil.ocsp.SingleResponse.encode(SingleResponse.java:87)
        at org.mozilla.jss.asn1.SET.BERencode(SET.java:215)
        at org.mozilla.jss.asn1.SEQUENCE.encode(SEQUENCE.java:40)
        at org.mozilla.jss.asn1.SET.BERencode(SET.java:215)
        at org.mozilla.jss.asn1.SEQUENCE.encode(SEQUENCE.java:40)
        at com.netscape.cmsutil.ocsp.ResponseData.encode(ResponseData.java:111)
        at org.mozilla.jss.asn1.ASN1Util.encode(ASN1Util.java:23)
        at org.mozilla.jss.asn1.ASN1Util.encode(ASN1Util.java:15)
        at com.netscape.ocsp.OCSPAuthority.sign(OCSPAuthority.java:424)
        at com.netscape.cms.ocsp.DefStore.validate(DefStore.java:396)
        at com.netscape.ocsp.OCSPAuthority.validate(OCSPAuthority.java:346)
        at com.netscape.cms.servlet.ocsp.OCSPServlet.process(OCSPServlet.java:208)
        at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:510)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        ...
        at java.lang.Thread.run(Thread.java:748)

The OCSPServlet should return a valid response in all cases.


Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

6 years ago

Metadata Update from @mharmsen:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455354

6 years ago

Metadata Update from @mharmsen:
- Custom field component adjusted to OCSP (was: General)

6 years ago

Per PKI Bug Council of May 25, 2017: 10.4 - critical

Metadata Update from @mharmsen:
- Issue priority set to: critical
- Issue set to the milestone: 10.4 (was: 0.0 NEEDS_TRIAGE)

6 years ago

cfu pointed out that according to RFC 6960 in case of error the OCSP responder should still generate a valid OCSP response that contains the error code. See https://tools.ietf.org/html/rfc6960#section-2.3.
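
The RFC 6960 rule cited above, worked through as an added example (this is not Dogtag or JSS code). An OCSPResponse is SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT OPTIONAL }, and for every non-successful status the responseBytes field is absent, so an error response is a five-byte DER blob that needs neither a CRL nor a signature. The HTML body used below is a constructed sample; its leading '<' (0x3C) is simply one input whose identifier octet decodes as universal, constructed, tag 28, which is how a non-DER body surfaces as the "found [UNIVERSAL 28]" message seen on the client side:

```python
"""Minimal DER encoder/decoder for the outer RFC 6960 OCSPResponse shell.

  OCSPResponse ::= SEQUENCE {
      responseStatus  OCSPResponseStatus,
      responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }

  OCSPResponseStatus ::= ENUMERATED {
      successful (0), malformedRequest (1), internalError (2),
      tryLater (3), sigRequired (5), unauthorized (6) }
"""
from typing import Optional, Tuple

OCSP_RESPONSE_STATUS = {
    0: "successful", 1: "malformedRequest", 2: "internalError",
    3: "tryLater", 5: "sigRequired", 6: "unauthorized",
}

TAG_SEQUENCE = 0x30       # UNIVERSAL 16, constructed
TAG_ENUMERATED = 0x0A     # UNIVERSAL 10, primitive
TAG_CTX0_EXPLICIT = 0xA0  # [0] EXPLICIT, constructed


def der_length(n: int) -> bytes:
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_ocsp_response(status: int, response_bytes_der: Optional[bytes] = None) -> bytes:
    """Encode an OCSPResponse.

    A non-successful status carries no responseBytes, so the whole response is
    SEQUENCE { ENUMERATED status }: e.g. internalError(2) -> 30 03 0a 01 02.
    """
    if status not in OCSP_RESPONSE_STATUS:
        raise ValueError("unknown OCSPResponseStatus %d" % status)
    if status == 0 and response_bytes_der is None:
        raise ValueError("successful (0) requires responseBytes")
    if status != 0 and response_bytes_der is not None:
        raise ValueError("error statuses carry no responseBytes")
    content = der_tlv(TAG_ENUMERATED, bytes([status]))
    if response_bytes_der is not None:
        content += der_tlv(TAG_CTX0_EXPLICIT, response_bytes_der)
    return der_tlv(TAG_SEQUENCE, content)


def parse_tag(identifier: int) -> Tuple[str, bool, int]:
    """Split a single identifier octet into (class, constructed?, tag number)."""
    cls = ("UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE")[identifier >> 6]
    return cls, bool(identifier & 0x20), identifier & 0x1F


def read_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one TLV starting at pos; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_ocsp_response_status(data: bytes) -> str:
    """Return the responseStatus name of a DER OCSPResponse.

    Checks the outer identifier octet first and reports it the way a strict
    SEQUENCE template would, so a non-DER body (HTML, plain text) is rejected
    with the offending universal tag number instead of being misread.
    """
    if not data:
        raise ValueError("empty response body")
    cls, constructed, num = parse_tag(data[0])
    if not (cls == "UNIVERSAL" and constructed and num == 16):
        raise ValueError("Incorrect tag: expected [UNIVERSAL 16], found [%s %d]" % (cls, num))
    _, seq, _ = read_tlv(data)
    tag, status_bytes, _ = read_tlv(seq)
    if tag != TAG_ENUMERATED or len(status_bytes) != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    status = status_bytes[0]
    return OCSP_RESPONSE_STATUS.get(status, "unknown(%d)" % status)


# Constructed sample (not a real server capture): a servlet error page handed
# to a DER parser. '<' is 0x3C -> class 00 (UNIVERSAL), constructed, tag 0x1C = 28.
HTML_ERROR_BODY = b"<html><body><h1>HTTP Status 500</h1></body></html>"


def classify_body(data: bytes) -> str:
    """Label a response body as a status name or as the tag error it triggers."""
    try:
        return decode_ocsp_response_status(data)
    except ValueError as exc:
        return "ERROR: %s" % exc


if __name__ == "__main__":
    for status in (1, 2, 3, 5, 6):
        print(OCSP_RESPONSE_STATUS[status], encode_ocsp_response(status).hex())
    print(classify_body(HTML_ERROR_BODY))
```

The point for the responder side: when the backing store cannot answer (here, no CRL has been received yet), `encode_ocsp_response(2)` or `encode_ocsp_response(3)` is a complete, RFC-valid body that any client will decode, whereas letting the exception propagate to the servlet container yields a body whose first octet is not 0x30 and fails exactly as the client trace shows.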

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5 (was: 10.4)

6 years ago

Metadata Update from @mharmsen:
- Issue priority set to: major (was: critical)

6 years ago

Metadata Update from @mharmsen:
- Issue priority set to: critical (was: major)

6 years ago

Per CS/DS Meeting 09/25/2017: 10.5 critical

Apparently the error only happens on a new CA which has not published the CRL yet. Once the CRL is published (even if it's empty) the OCSP will work correctly. Here are the steps:

Possible solutions:

  1. Modify CA subsystem to automatically publish the initial (i.e. empty) CRL.
  2. Modify OCSP subsystem to handle missing CRL gracefully (i.e. returning valid OCSP response).

Lowering the priority to major.

Metadata Update from @edewata:
- Issue priority set to: major (was: critical)

6 years ago

[20171025] - Offline Triage ==> 10.6

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.6 (was: 10.5)

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2823

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
