Original report: https://www.redhat.com/archives/pki-users/2014-December/msg00000.html
PKCS #9 (RFC 2985) §5.4.1 "Challenge password" states that "PKCS #9-attribute processing systems MUST be able to recognize and process all string types in DirectoryString values."
From RFC 5280:
    DirectoryString ::= CHOICE {
        teletexString    TeletexString   (SIZE (1..MAX)),
        printableString  PrintableString (SIZE (1..MAX)),
        universalString  UniversalString (SIZE (1..MAX)),
        utf8String       UTF8String      (SIZE (1..MAX)),
        bmpString        BMPString       (SIZE (1..MAX)) }
The precise cause of the error is in com.netscape.cms.servlet.cert.scep.ChallengePassword, where derVal.getPrintableString() is called, but none of the other string encodings are tried.
Proposed fix: add a getDirectoryString() method to the DerValue class that checks that the tag is one of the five string types above, then dispatches to getASN1CharString(). Also add a corresponding getDirectoryString() method to the DerInputStream class.
attachment pki-ftweedal-0019-Decode-challengePassword-attribute-as-DirectoryStrin.patch
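To make the bug and the proposed fix concrete, here is an added Python example (not Dogtag's Java code): a minimal DER reader with a PrintableString-only decoder beside a DirectoryString decoder that accepts all five tags. The tag numbers are the standard universal tags; decoding TeletexString as Latin-1 is an approximation and is an assumption of this example.

```python
# Added example (not Dogtag's code): decode a PKCS #9 challengePassword
# value as a DirectoryString CHOICE rather than PrintableString only.

# Universal ASN.1 tag -> (type name, codec used to decode the value)
DIRECTORY_STRING_TAGS = {
    0x0C: ("UTF8String", "utf-8"),
    0x13: ("PrintableString", "ascii"),
    0x14: ("TeletexString", "latin-1"),  # assumption: T.61 approximated as Latin-1
    0x1C: ("UniversalString", "utf-32-be"),
    0x1E: ("BMPString", "utf-16-be"),
}

def read_tlv(data: bytes) -> tuple[int, bytes, bytes]:
    """Split one DER TLV into (tag, value, rest); definite lengths only."""
    tag, length, offset = data[0], data[1], 2
    if length & 0x80:                     # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(data[2:2 + n], "big")
        offset += n
    return tag, data[offset:offset + length], data[offset + length:]

def get_printable_string(data: bytes) -> str:
    """Mirrors the reported behaviour: only PrintableString (tag 19) is accepted."""
    tag, value, _ = read_tlv(data)
    if tag != 0x13:
        raise ValueError(f"expected PrintableString, got tag 0x{tag:02x}")
    return value.decode("ascii")

def get_directory_string(data: bytes) -> str:
    """The proposed behaviour: accept any of the five DirectoryString types."""
    tag, value, _ = read_tlv(data)
    if tag not in DIRECTORY_STRING_TAGS:
        raise ValueError(f"tag 0x{tag:02x} is not a DirectoryString type")
    name, codec = DIRECTORY_STRING_TAGS[tag]
    if not value:                         # enforce SIZE (1..MAX)
        raise ValueError(f"{name} must not be empty")
    return value.decode(codec)

def encode_directory_string(tag: int, text: str) -> bytes:
    """Constructed sample input: DER-encode text with the given string tag."""
    value = text.encode(DIRECTORY_STRING_TAGS[tag][1])
    if len(value) > 127:
        raise ValueError("sample encoder supports short-form lengths only")
    return bytes([tag, len(value)]) + value

def printable_only_fails(data: bytes) -> bool:
    """True when the PrintableString-only decoder rejects a valid DirectoryString."""
    try:
        get_printable_string(data)
    except ValueError:
        return True
    return False
```

A UTF8String challenge password such as the one in the original report is rejected by get_printable_string but decoded by get_directory_string.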
pushed to master (cdebcd5a05544dfde1b904c3fc99ce97fa68fb98)
Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: 10.2.1
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1783
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.