dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

OCSP subsystem generates invalid response #2823

Open pki-bot opened 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #2703. Originally filed by edewata (@edewata) on 2017-05-24 11:58:27:


The OCSPServlet in OCSP subsystem fails to process a normal OCSP request. The same servlet seems to be working fine in CA subsystem.

Steps to reproduce:

  1. Install CA
  2. Install OCSP
  3. Initialize client database: $ pki -c Secret.123 client-init
  4. Install CA certificate in client database: $ pki client-cert-import "CA Certificate" --ca-server
  5. Submit OCSP request: $ OCSPClient -v -d ~/.dogtag/nssdb -c "CA Certificate" -h $HOSTNAME -p 8080 -t /ocsp/ee/ocsp --serial 1

On the client side the OCSPClient failed with the following exception:

org.mozilla.jss.asn1.InvalidBERException: SEQUENCE(item 0) >> Incorrect tag: expected [UNIVERSAL 16], found [UNIVERSAL 28]
        at org.mozilla.jss.asn1.ASN1Header.validate(ASN1Header.java:371)
        at org.mozilla.jss.asn1.ASN1Header.validate(ASN1Header.java:356)
        at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:314)
        at com.netscape.cmsutil.ocsp.OCSPResponse$Template.decode(OCSPResponse.java:121)
        at com.netscape.cmsutil.ocsp.OCSPResponse$Template.decode(OCSPResponse.java:116)
        at com.netscape.cmsutil.ocsp.OCSPProcessor.submitRequest(OCSPProcessor.java:167)
        at com.netscape.cmstools.OCSPClient.main(OCSPClient.java:194)
ERROR: Incorrect tag: expected [UNIVERSAL 16], found [UNIVERSAL 28]
Try 'OCSPClient --help' for more information.

On the server side the OCSPServlet failed with the following exception:

java.lang.NullPointerException
        at java.util.Calendar.setTime(Calendar.java:1770)
        at org.mozilla.jss.asn1.TimeBase.encode(TimeBase.java:54)
        at org.mozilla.jss.asn1.SET.BERencode(SET.java:215)
        at org.mozilla.jss.asn1.SEQUENCE.encode(SEQUENCE.java:40)
        at org.mozilla.jss.asn1.SET.encode(SET.java:145)
        at com.netscape.cmsutil.ocsp.SingleResponse.encode(SingleResponse.java:87)
        at org.mozilla.jss.asn1.SET.BERencode(SET.java:215)
        at org.mozilla.jss.asn1.SEQUENCE.encode(SEQUENCE.java:40)
        at org.mozilla.jss.asn1.SET.BERencode(SET.java:215)
        at org.mozilla.jss.asn1.SEQUENCE.encode(SEQUENCE.java:40)
        at com.netscape.cmsutil.ocsp.ResponseData.encode(ResponseData.java:111)
        at org.mozilla.jss.asn1.ASN1Util.encode(ASN1Util.java:23)
        at org.mozilla.jss.asn1.ASN1Util.encode(ASN1Util.java:15)
        at com.netscape.ocsp.OCSPAuthority.sign(OCSPAuthority.java:424)
        at com.netscape.cms.ocsp.DefStore.validate(DefStore.java:396)
        at com.netscape.ocsp.OCSPAuthority.validate(OCSPAuthority.java:346)
        at com.netscape.cms.servlet.ocsp.OCSPServlet.process(OCSPServlet.java:208)
        at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:510)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        ...
        at java.lang.Thread.run(Thread.java:748)

The OCSPServlet should return a valid response in all cases.

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-05-24 17:54:53

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-05-24 18:02:26

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-05-24 18:03:10

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-05-25 14:51:56

Per PKI Bug Council of May 25, 2017: 10.4 - critical

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-05-25 14:51:58

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from edewata (@edewata) at 2017-06-20 12:19:49

cfu pointed out that according to RFC 6960 in case of error the OCSP responder should still generate a valid OCSP response that contains the error code. See https://tools.ietf.org/html/rfc6960#section-2.3.

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-08-04 13:58:36

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-09-25 17:02:12

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-09-25 17:21:59

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-09-25 17:22:33

Per CS/DS Meeting 09/25/2017: 10.5 critical

pki-bot commented 3 years ago

Comment from edewata (@edewata) at 2017-10-06 19:18:12

Apparently the error only happens on a new CA which has not published the CRL yet. Once the CRL is published (even if it's empty) the OCSP will work correctly. Here are the steps:

Possible solutions:

  1. Modify CA subsystem to automatically publish the initial (i.e. empty) CRL.
  2. Modify OCSP subsystem to handle missing CRL gracefully (i.e. returning valid OCSP response).

Lowering the priority to major.
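The two points above (RFC 6960 section 2.3 wants an error-status OCSPResponse rather than a crash, and the crash only happens while the CA has not published a CRL) can be illustrated with a small added Python example; it is not Dogtag or JSS code. It encodes the responseBytes-less OCSPResponse the RFC prescribes for errors, decodes the outer envelope the way a client does (reproducing the "Incorrect tag" rejection when the bytes are not a SEQUENCE), and wraps a constructed stand-in CRL store so that a missing CRL yields a tryLater response instead of an unhandled exception. The `CertStatusStore` class, the issuer and serial values, and the choice of tryLater for "no CRL yet" are assumptions made for this example.

```python
"""Minimal DER handling for the RFC 6960 OCSPResponse envelope (added
illustration, not Dogtag/JSS code): a responder that cannot build a signed
BasicOCSPResponse still returns a decodable response carrying an error status."""
from enum import IntEnum


class OCSPResponseStatus(IntEnum):
    """RFC 6960 section 4.2.1: OCSPResponseStatus ::= ENUMERATED."""
    SUCCESSFUL = 0
    MALFORMED_REQUEST = 1
    INTERNAL_ERROR = 2
    TRY_LATER = 3
    # value 4 is not used
    SIG_REQUIRED = 5
    UNAUTHORIZED = 6


SEQUENCE_TAG = 0x30    # UNIVERSAL 16, constructed
ENUMERATED_TAG = 0x0A  # UNIVERSAL 10


def der_length(n):
    """DER length octets, short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def read_tlv(der, offset=0):
    """Parse one tag-length-value at offset; return (tag, content, next_offset)."""
    if len(der) < offset + 2:
        raise ValueError("truncated DER")
    tag, first = der[offset], der[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(der[pos:pos + nbytes], "big")
        pos += nbytes
    if len(der) < pos + length:
        raise ValueError("truncated DER")
    return tag, der[pos:pos + length], pos + length


def encode_error_response(status):
    """OCSPResponse ::= SEQUENCE { responseStatus, responseBytes [0] OPTIONAL }.
    For any non-successful status responseBytes is omitted (RFC 6960 2.3), so
    the whole response is five bytes and needs no signature."""
    if status == OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("a successful response needs responseBytes")
    return der_tlv(SEQUENCE_TAG, der_tlv(ENUMERATED_TAG, bytes([int(status)])))


def decode_response_status(der):
    """Client-side decode of the outer envelope only. This is the check that
    failed in the report: the outer element must be a SEQUENCE (UNIVERSAL 16)."""
    tag, content, _ = read_tlv(der)
    if tag != SEQUENCE_TAG:
        raise ValueError(
            f"Incorrect tag: expected [UNIVERSAL 16], found [UNIVERSAL {tag & 0x1F}]")
    inner_tag, inner, _ = read_tlv(content)
    if inner_tag != ENUMERATED_TAG or len(inner) != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    return OCSPResponseStatus(inner[0])


class NoCRLPublished(Exception):
    """The store has no CRL for the issuer (the situation described above)."""


class CertStatusStore:
    """Constructed stand-in for the responder's CRL store: issuer name -> set of
    revoked serials. An empty set means an empty CRL was published; an issuer
    missing from the dict has published no CRL at all."""

    def __init__(self, crls=None):
        self.crls = dict(crls or {})

    def status(self, issuer, serial):
        if issuer not in self.crls:
            raise NoCRLPublished(issuer)
        return "revoked" if serial in self.crls[issuer] else "good"


def handle_request(store, issuer, serial):
    """Responder entry point; returns (cert_status, error_response_der).
    On success cert_status is 'good'/'revoked' and the DER is None, because
    building and signing a BasicOCSPResponse is outside this example. On any
    failure cert_status is None and the DER is a complete error OCSPResponse.
    Mapping 'no CRL yet' to tryLater is this example's choice, not Dogtag's."""
    try:
        return store.status(issuer, serial), None
    except NoCRLPublished:
        return None, encode_error_response(OCSPResponseStatus.TRY_LATER)
    except Exception:
        return None, encode_error_response(OCSPResponseStatus.INTERNAL_ERROR)
```

With a store that has no CRL, `handle_request` yields the bytes `30 03 0a 01 03` (tryLater), which `decode_response_status` accepts; once an empty CRL is present for the issuer the same call reports `good`, matching the behaviour described above. Feeding the decoder something whose first byte is not `0x30` reproduces the client-side "Incorrect tag" error from the report.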

pki-bot commented 3 years ago

Comment from edewata (@edewata) at 2017-10-06 19:18:23

Metadata Update from @edewata:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-10-25 14:15:56

[20171025] - Offline Triage ==> 10.6

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-10-25 14:15:57

Metadata Update from @mharmsen: