OCSP subsystem generates invalid response · Issue #2823 · dogtagpki/pki
Description

@pki-bot

This issue was migrated from Pagure Issue #2703. Originally filed by edewata (@edewata) on 2017-05-24 11:58:27:


The OCSPServlet in the OCSP subsystem fails to process a normal OCSP request. The same servlet seems to be working fine in the CA subsystem.

Steps to reproduce:

  1. Install CA
  2. Install OCSP
  3. Initialize client database:
    $ pki -c Secret.123 client-init
  4. Install CA certificate in client database:
    $ pki client-cert-import "CA Certificate" --ca-server
  5. Submit OCSP request:
    $ OCSPClient -v -d ~/.dogtag/nssdb -c "CA Certificate" -h $HOSTNAME -p 8080 -t /ocsp/ee/ocsp --serial 1

On the client side the OCSPClient failed with the following exception:

org.mozilla.jss.asn1.InvalidBERException: SEQUENCE(item 0) >> Incorrect tag: expected [UNIVERSAL 16], found [UNIVERSAL 28]
        at org.mozilla.jss.asn1.ASN1Header.validate(ASN1Header.java:371)
        at org.mozilla.jss.asn1.ASN1Header.validate(ASN1Header.java:356)
        at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:314)
        at com.netscape.cmsutil.ocsp.OCSPResponse$Template.decode(OCSPResponse.java:121)
        at com.netscape.cmsutil.ocsp.OCSPResponse$Template.decode(OCSPResponse.java:116)
        at com.netscape.cmsutil.ocsp.OCSPProcessor.submitRequest(OCSPProcessor.java:167)
        at com.netscape.cmstools.OCSPClient.main(OCSPClient.java:194)
ERROR: Incorrect tag: expected [UNIVERSAL 16], found [UNIVERSAL 28]
Try 'OCSPClient --help' for more information.

On the server side the OCSPServlet failed with the following exception:

java.lang.NullPointerException
        at java.util.Calendar.setTime(Calendar.java:1770)
        at org.mozilla.jss.asn1.TimeBase.encode(TimeBase.java:54)
        at org.mozilla.jss.asn1.SET.BERencode(SET.java:215)
        at org.mozilla.jss.asn1.SEQUENCE.encode(SEQUENCE.java:40)
        at org.mozilla.jss.asn1.SET.encode(SET.java:145)
        at com.netscape.cmsutil.ocsp.SingleResponse.encode(SingleResponse.java:87)
        at org.mozilla.jss.asn1.SET.BERencode(SET.java:215)
        at org.mozilla.jss.asn1.SEQUENCE.encode(SEQUENCE.java:40)
        at org.mozilla.jss.asn1.SET.BERencode(SET.java:215)
        at org.mozilla.jss.asn1.SEQUENCE.encode(SEQUENCE.java:40)
        at com.netscape.cmsutil.ocsp.ResponseData.encode(ResponseData.java:111)
        at org.mozilla.jss.asn1.ASN1Util.encode(ASN1Util.java:23)
        at org.mozilla.jss.asn1.ASN1Util.encode(ASN1Util.java:15)
        at com.netscape.ocsp.OCSPAuthority.sign(OCSPAuthority.java:424)
        at com.netscape.cms.ocsp.DefStore.validate(DefStore.java:396)
        at com.netscape.ocsp.OCSPAuthority.validate(OCSPAuthority.java:346)
        at com.netscape.cms.servlet.ocsp.OCSPServlet.process(OCSPServlet.java:208)
        at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:510)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        ...
        at java.lang.Thread.run(Thread.java:748)

The OCSPServlet should return a valid response in all cases.
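
Added example, not part of the original report and not Dogtag or JSS code: a client-side triage check that decodes the first BER header of an HTTP body before it reaches an OCSP parser. A body whose first byte is `<` (0x3C) decodes as a constructed [UNIVERSAL 28], the tag in the client error above; that the server sent a markup error page here is an assumption. The names `ber_header` and `triage_ocsp_body` are hypothetical and the sample bodies are constructed.

```python
CLASSES = ("UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE")
# OCSPResponseStatus values from RFC 6960
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def ber_header(data, pos=0):
    """Decode one BER identifier and length: (class, constructed, tag, length, value_offset)."""
    first = data[pos]
    cls, constructed, tag = CLASSES[first >> 6], bool(first & 0x20), first & 0x1F
    pos += 1
    if tag == 0x1F:                      # high-tag-number form, base-128 digits
        tag = 0
        while True:
            b = data[pos]
            pos += 1
            tag = (tag << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length = data[pos]
    pos += 1
    if length == 0x80:
        length = None                    # indefinite length
    elif length & 0x80:
        n = length & 0x7F                # long form: next n bytes hold the length
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return cls, constructed, tag, length, pos

def triage_ocsp_body(body):
    """Return a one-line diagnosis for an HTTP body that should be an OCSPResponse."""
    if not body:
        return "empty body"
    try:
        cls, constructed, tag, _, off = ber_header(body)
        if (cls, constructed, tag) != ("UNIVERSAL", True, 16):
            hint = " (body looks like text/markup, not DER)" if body.lstrip()[:1] in (b"<", b"{") else ""
            return f"not an OCSPResponse: expected [UNIVERSAL 16], found [{cls} {tag}]{hint}"
        cls, _, tag, length, off = ber_header(body, off)
        if (cls, tag, length) != ("UNIVERSAL", 10, 1):
            return "SEQUENCE present but responseStatus ENUMERATED missing"
        status = body[off]
    except IndexError:
        return "truncated BER"
    return "OCSPResponse status: " + OCSP_STATUS.get(status, f"unknown({status})")

if __name__ == "__main__":
    # Constructed samples: a markup error page, and a minimal internalError OCSPResponse.
    for sample in (b"<html><body>error</body></html>", bytes.fromhex("30030a0102")):
        print(triage_ocsp_body(sample))
```

The second sample, `30 03 0A 01 02`, is a complete OCSPResponse with status internalError and no responseBytes, which is the kind of well-formed reply a responder can return when it cannot build a signed response.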
