dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

pki pkcs7-import does not process some certificates #4823

Open sergius-fidelis opened 3 months ago

sergius-fidelis commented 3 months ago

Description of problem:

When processing certain certificates, pki pkcs7-import generates an error:

org.mozilla.jss.crypto.TokenException: Failed to find certificate that was just imported: (-8187) security library: invalid arguments.
    at org.mozilla.jss.CryptoManager.importCertPackageNative(Native Method)
    at org.mozilla.jss.CryptoManager.importCACertPackage(CryptoManager.java:861)
    at com.netscape.cmsutil.crypto.CryptoUtil.importPKCS7(CryptoUtil.java:883)
    at com.netscape.cmstools.pkcs7.PKCS7ImportCLI.execute(PKCS7ImportCLI.java:102)
    at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
    at org.dogtagpki.cli.CLI.execute(CLI.java:353)
    at org.dogtagpki.cli.CLI.execute(CLI.java:353)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:659)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)

Version of pki used:

PKI Command-Line Interface 11.5.0-SNAPSHOT

Distributor of pki:

AlmaLinux 9.4

How reproducible:

Perhaps this is because the serial numbers of certificates are large. But in this case, the error should be more informative. This command is used when installing FreeIPA, and it may take a long time to find the cause of the failure.

Examples of "bad" certificates:


OpenSSL does not generate errors when processing these certificates:

openssl pkcs7 -in $path_to_test_cert -print_certs
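As an added triage aid that is not part of this issue or of the pki project: the script below walks the DER structure of a PKCS#7 SignedData bundle and reports the encoded length of every certificate serialNumber, so the large-serial hypothesis can be checked against a bundle that `pki pkcs7-import` rejects (pass the PEM text to `serial_report`). The embedded sample is a constructed minimal skeleton rather than a real bundle, and the 20-octet limit is the one RFC 5280 places on serialNumber content, which is one concrete meaning of "large".

```python
import base64
import re
RFC5280_MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2: serialNumber content MUST NOT exceed 20 octets
def _tlv(data, pos):
    """Decode one DER TLV (single-byte tags only); return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _children(data, start, end):
    """Yield (tag, value_start, value_end) for every TLV inside data[start:end]."""
    while start < end:
        tag, vs, ve = _tlv(data, start)
        yield tag, vs, ve
        start = ve
def pkcs7_serials(der):
    """Return the raw INTEGER content octets of every certificate serialNumber in a SignedData."""
    _, ci_s, ci_e = next(_children(der, 0, len(der)))          # ContentInfo SEQUENCE
    _, sd_s, sd_e = list(_children(der, ci_s, ci_e))[1]        # [0] EXPLICIT SignedData
    _, sd_s, sd_e = next(_children(der, sd_s, sd_e))           # SignedData SEQUENCE
    serials = []
    for tag, vs, ve in _children(der, sd_s, sd_e):
        if tag != 0xA0:                                         # [0] IMPLICIT certificates SET
            continue
        for _, c_s, c_e in _children(der, vs, ve):              # each Certificate SEQUENCE
            _, tbs_s, tbs_e = next(_children(der, c_s, c_e))    # tbsCertificate SEQUENCE
            fields = list(_children(der, tbs_s, tbs_e))
            serial = fields[1] if fields[0][0] == 0xA0 else fields[0]  # skip optional [0] version
            serials.append(der[serial[1]:serial[2]])
    return serials
def serial_report(pem):
    """For each serial: (hex, encoded octet count, True if it exceeds the RFC 5280 limit)."""
    der = base64.b64decode(re.sub(r"-----[A-Z0-9 ]+-----|\s", "", pem))
    return [(s.hex(), len(s), len(s) > RFC5280_MAX_SERIAL_OCTETS) for s in pkcs7_serials(der)]

# Constructed sample (not a real bundle): a minimal PKCS#7 skeleton whose certificates carry only
# version + serialNumber. The second serial has its top bit set, so DER prefixes a 0x00 sign
# octet and the INTEGER content grows to 21 octets, one over the RFC 5280 limit.
def _enc(tag, body):
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body
def _fake_cert(serial):
    return _enc(0x30, _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, serial)))
_DER = _enc(0x30, bytes.fromhex("06092a864886f70d010702") + _enc(0xA0, _enc(0x30,   # id-signedData
    _enc(0x02, b"\x01") + _enc(0x31, b"") + _enc(0x30, bytes.fromhex("06092a864886f70d010701"))
    + _enc(0xA0, _fake_cert(b"\x01\x02\x03") + _fake_cert(b"\x00" + b"\xff" * 20)))))
SAMPLE_PKCS7_PEM = "-----BEGIN PKCS7-----\n" + base64.b64encode(_DER).decode() + "\n-----END PKCS7-----\n"
```

Running `serial_report` over a real bundle exported with the `openssl pkcs7` command above shows at a glance whether any serial exceeds 20 encoded octets, independent of what the Java importer reports.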