Adding a user certificate using the TPS UI permits both PEM format and PKCS7 format, as mentioned in the dialog box.
1. When we try to add a PEM file with/without header, it works and the certificate gets added.
2. When we try to add a PKCS7 file with header, it fails.
3. When we try to add a PKCS7 file without header, it works.
Ideally behavior should be identical.
Steps to Reproduce:
Add a certificate to a user.
Actual results:
* When we try to add a PKCS7 file with header, it fails.
* When we try to add a PKCS7 file without header, it works.

Issue 2: Logging should be user friendly. If we add a PKCS7 cert with headers, the exception raised is:

[09/Aug/2016:05:31:49][http-bio-25443-exec-24]: UserService: Submitted data is not an X.509 certificate: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=111, too big.
[09/Aug/2016:05:31:49][http-bio-25443-exec-24]: UserService: is PKCS #7 blob?
netscape.security.pkcs.ParsingException: IOException: Sequence tag error 251
    at netscape.security.pkcs.PKCS7.parse(PKCS7.java:129)
    at netscape.security.pkcs.PKCS7.<init>(PKCS7.java:113)
    at org.dogtagpki.server.rest.UserService.addUserCert(UserService.java:875)
    at sun.reflect.GeneratedMethodAccessor254.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.GeneratedMethodAccessor45.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:614)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
[09/Aug/2016:05:31:49][http-bio-25443-exec-24]: UserService: Unable to import user certificate: com.netscape.certsrv.base.PKIException: Unable to import user certificate from PKCS #7 data: IOException: Sequence tag error 251
Expected results:
1. Ideally behavior should be identical.
2. Logging should be more user friendly.
Additional info:
I used the below-mentioned certs for testing purposes.

pem format cert:

-----BEGIN CERTIFICATE-----
MIICOTCCAaICCQCYDmCp1jnMOjANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJJ
TjELMAkGA1UECAwCSU4xCzAJBgNVBAcMAklOMQswCQYDVQQKDAJJTjELMAkGA1UE
CwwCSU4xCzAJBgNVBAMMAklOMREwDwYJKoZIhvcNAQkBFgJJTjAeFw0xNjA4MDkw
ODM3NDJaFw0xNzA4MDkwODM3NDJaMGExCzAJBgNVBAYTAklOMQswCQYDVQQIDAJJ
TjELMAkGA1UEBwwCSU4xCzAJBgNVBAoMAklOMQswCQYDVQQLDAJJTjELMAkGA1UE
AwwCSU4xETAPBgkqhkiG9w0BCQEWAklOMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDPNk4AtvcTn9xMPR/tG+eeWMIFqhMFTw0ZnhEutF7dRoCS1HaCiH1cX0RQ
u4JF0PhjcWYCgxt5Nx5+vmNPrlyjeCeU4IrQLe9kK2EaSaNqPHW6CBf4yBqs7e+e
GqEMEDTWhHFTc3CRBvsRTsZEdhPzz9FpMCV5F+ipl4yynf4fnwIDAQABMA0GCSqG
SIb3DQEBBQUAA4GBAAUvPZCHrbqX5xj6Jf0XG6r27fwuTyyyaaGwC3a+/QLFAN+B
HAdH43EQaqNCIsyuKpkGKpDALn9JGeUE/Iw+baxsVOPSi0h960XM0U3LvvYgsL62
d3E2mryuThIg/lLv6SAlq2QinKn4IqjdqBlHBHjWvjt6Zpmuo6DzbPJugJYN
-----END CERTIFICATE-----

pkcs7 format:

-----BEGIN PKCS7-----
MIIHTgYJKoZIhvcNAQcCoIIHPzCCBzsCAQExADAPBgkqhkiG9w0BBwGgAgQAoIIH
HzCCA2QwggJMoAMCAQICAWEwDQYJKoZIhvcNAQELBQAwSDElMCMGA1UECgwcdG9w
b2xvZ3ktMDJfRm9vYmFybWFzdGVyLm9yZzEfMB0GA1UEAwwWQ0EgU2lnbmluZyBD
ZXJ0aWZpY2F0ZTAeFw0xNjA3MjIwOTMzMTVaFw0xNzAxMTgxMDMzMTVaMIGNMQsw
CQYDVQQGEwJVUzEOMAwGA1UECwwFSURNUUUxGzAZBgNVBAMMEk9DU1BfVW5Qcml2
aWxlZ2VkVjEtMCsGCSqGSIb3DQEJARYeT0NTUF9VblByaXZpbGVnZWRWQGV4YW1w
bGUub3JnMSIwIAYKCZImiZPyLGQBAQwST0NTUF9VblByaXZpbGVnZWRWMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEV7l3clQd+PqA3NVjhuxK9hPNrefM3Qm4
ztW49Ib4hpYkDIgUix/vEwXmT6Yovdcz/Grau9c+EO0W3Fwmmu2bGRICXYBECnsk
mUas5ZsksUNCi5kkoLko1v/XwhdlA3rl3jdFwAXR9LediL6F81uBM2L1f6wb/SA1
OxgpC8OtPQIDAQABo4GWMIGTMB8GA1UdIwQYMBaAFBVcqyPkZK5YpzrryqkjACEK
QoPGMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAYYlaHR0cDovL3BraTEuZXhh
bXBsZS5jb206MjAwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYw
FAYIKwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQBxKqAQFsLC
gT1lsDr5EDBwP4mm1bn+jbh15R//BOQ2oUsvPqa+hxUZXuJmQQmhjughPVkvVlAK
4YGBJbVkpi3t5FkeMwTVH7miIwy/w9mT9r8763wMJ2v2oUkqIIDQFikUW12KduXp
nTqC2JS8RIbXOOa3VZ1LXtsDsiu3d0hSxydroWO2Fm/0yUaciomP2OmLE9S3oUCT
OJ7VTAkPosFuGZ3zGkbrL7qkc1sRgQXMIkUoPNpwWZBJwbB7oC8sEwV2ud45Hx0s
/nFq3zStsprNIB+SwCjfcKeK46UM4E+0v5C5RZYgTK0kevuZZiOo0Rxaw+M4lrTd
reoMV0t83DdDMIIDszCCApugAwIBAgIBATANBgkqhkiG9w0BAQsFADBIMSUwIwYD
VQQKDBx0b3BvbG9neS0wMl9Gb29iYXJtYXN0ZXIub3JnMR8wHQYDVQQDDBZDQSBT
aWduaW5nIENlcnRpZmljYXRlMB4XDTE2MDcxOTA5MzAxN1oXDTM2MDcxOTA5MzAx
N1owSDElMCMGA1UECgwcdG9wb2xvZ3ktMDJfRm9vYmFybWFzdGVyLm9yZzEfMB0G
A1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBALV+nPLHKoQduc8AljQeOZUWpl/TqsMzhpIDPs5yN2lEQM57
Qo4gIjKGPP8poCKczq70YnDjBdFN+SqivfhArG9rtK06gzIooNGctloFUyDqiTtu
X2+Q/Va3am5g8fI66voiKXzBvniT6VPEH20b2gXDMveFoV4hVdp7Jrmm83ZBYGhL
2u6t4KA9RbVMoQNSvYXdVAQXH11PH/3pdB/ZKLXbpJ8gmcMGfISlQvlR7bkjBodI
t3zheOEBtd4qhi4ed0qO+mPaSk5IofKGvADwoFg18sHnbIr974r4crT7RWAEwnnP
UmYUfLmyKgRTKPXye2r2y+ydnBgHYvzsYvtc1H8CAwEAAaOBpzCBpDAfBgNVHSME
GDAWgBQVXKsj5GSuWKc668qpIwAhCkKDxjAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
DwEB/wQEAwIBxjAdBgNVHQ4EFgQUFVyrI+RkrlinOuvKqSMAIQpCg8YwQQYIKwYB
BQUHAQEENTAzMDEGCCsGAQUFBzABhiVodHRwOi8vcGtpMS5leGFtcGxlLmNvbToy
MDA4MC9jYS9vY3NwMA0GCSqGSIb3DQEBCwUAA4IBAQC1FQqcjqmfaD3LcqfptcHK
p65yQovRs7IpToWYz5iDoGGkW12tWeeVGJdjdD13MvPnNY6Zt1aSX4JwSFt+6F8N
uYVQup/yOERB1y1OlNnDMA8YV6TioVvp3tc4chrvJIQZAHUqvF8P3Y5RH0cntnk2
iYMu/SezMEoJMrKp4ERUOsbIc/aRGx+Ja1mwXObhs66KqROqpgPFVcadN59vgma6
DlJSHbEEEc8RZru860SewlgU26Fi43WJYZHLQAFZ+i0c496/5i9f6LzpssAm8rRc
MoCFj6tLcnVG5AVZ0ZVANaT/z3kSdY96c4bjp6AMpArwx44xY+jKSHgFhi8lb9QM
MQA=
-----END PKCS7-----
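The following is an added illustration, not code from the reporter or from Dogtag (and in Python rather than the project's Java). It shows an import path on which "with header" and "without header" cannot diverge: the submitted text is first normalised to DER (strip any PEM armor, whatever its label, then base64-decode), and only the DER is classified by its shape and, for PKCS #7, unpacked. Assumptions: the classification rule (an outer SEQUENCE that opens with a SEQUENCE is an X.509 certificate, one that opens with the signedData OID is PKCS #7) and the certs-only SignedData builder are mine, written for this example, and say nothing about what UserService actually does; the sample input is the test certificate posted above, and the PKCS #7 blob the example builds around that certificate is constructed here, not the reporter's blob.

```python
# Added illustration (Python, not Dogtag's Java): normalise the submitted text to DER
# first, then classify the DER by its shape and extract the certificate(s) from it.
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 #]+)-----(.*?)-----END \1-----", re.S)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2 (signedData)
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1 (data)

def normalize(text: bytes) -> bytes:
    """PEM armor (any label) or bare base64 -> DER; both forms must yield the same bytes."""
    m = PEM_RE.search(text)
    b64 = m.group(2) if m else text
    return base64.b64decode(b"".join(b64.split()), validate=True)

def read_tlv(data: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, body, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError(f"length {length} too big for remaining input")
    return tag, data[pos:pos + length], pos + length

def iter_tlvs(data: bytes):
    """Yield (tag, body, raw TLV bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(data):
        tag, body, end = read_tlv(data, pos)
        yield tag, body, data[pos:end]
        pos = end

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short or long length form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def classify(blob: bytes) -> str:
    """'x509' if the outer SEQUENCE opens with a SEQUENCE (TBSCertificate),
    'pkcs7' if it opens with the signedData OID; anything else is rejected."""
    tag, body, _ = read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError(f"not a DER SEQUENCE (first byte 0x{tag:02x}); armor or base64 not stripped?")
    inner_tag, inner_body, _ = read_tlv(body, 0)
    if inner_tag == 0x30:
        return "x509"
    if inner_tag == 0x06 and inner_body == OID_SIGNED_DATA:
        return "pkcs7"
    raise ValueError("neither an X.509 certificate nor PKCS #7 signedData")

def pkcs7_certificates(blob: bytes) -> list:
    """Return the DER certificates carried in the [0] field of SignedData."""
    _, content_info, _ = read_tlv(blob, 0)
    _, explicit, _ = list(iter_tlvs(content_info))[1]      # after the contentType OID: [0] EXPLICIT content
    _, signed_data, _ = read_tlv(explicit, 0)              # SignedData SEQUENCE
    return [raw for tag, body, _ in iter_tlvs(signed_data) if tag == 0xA0   # [0] IMPLICIT certificates
            for _t, _b, raw in iter_tlvs(body)]

def import_user_certs(text: bytes) -> list:
    """The format-agnostic path: same result for either format, with or without header."""
    blob = normalize(text)
    return [blob] if classify(blob) == "x509" else pkcs7_certificates(blob)

def build_certs_only_pkcs7(certs: list) -> bytes:
    """Degenerate (certs-only) SignedData, the shape of the PKCS7 blob in this report."""
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"")        # version 1, empty digestAlgorithms
                      + der(0x30, der(0x06, OID_DATA))                  # encapContentInfo: id-data
                      + der(0xA0, b"".join(certs)) + der(0x31, b""))    # [0] certificates, empty signerInfos
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))

# Sample input: the self-signed test certificate posted in this report.
PEM_CERT = b"""-----BEGIN CERTIFICATE-----
MIICOTCCAaICCQCYDmCp1jnMOjANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJJ
TjELMAkGA1UECAwCSU4xCzAJBgNVBAcMAklOMQswCQYDVQQKDAJJTjELMAkGA1UE
CwwCSU4xCzAJBgNVBAMMAklOMREwDwYJKoZIhvcNAQkBFgJJTjAeFw0xNjA4MDkw
ODM3NDJaFw0xNzA4MDkwODM3NDJaMGExCzAJBgNVBAYTAklOMQswCQYDVQQIDAJJ
TjELMAkGA1UEBwwCSU4xCzAJBgNVBAoMAklOMQswCQYDVQQLDAJJTjELMAkGA1UE
AwwCSU4xETAPBgkqhkiG9w0BCQEWAklOMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDPNk4AtvcTn9xMPR/tG+eeWMIFqhMFTw0ZnhEutF7dRoCS1HaCiH1cX0RQ
u4JF0PhjcWYCgxt5Nx5+vmNPrlyjeCeU4IrQLe9kK2EaSaNqPHW6CBf4yBqs7e+e
GqEMEDTWhHFTc3CRBvsRTsZEdhPzz9FpMCV5F+ipl4yynf4fnwIDAQABMA0GCSqG
SIb3DQEBBQUAA4GBAAUvPZCHrbqX5xj6Jf0XG6r27fwuTyyyaaGwC3a+/QLFAN+B
HAdH43EQaqNCIsyuKpkGKpDALn9JGeUE/Iw+baxsVOPSi0h960XM0U3LvvYgsL62
d3E2mryuThIg/lLv6SAlq2QinKn4IqjdqBlHBHjWvjt6Zpmuo6DzbPJugJYN
-----END CERTIFICATE-----"""
BARE_CERT = b"".join(PEM_RE.search(PEM_CERT).group(2).split())   # same cert, header stripped

def demo() -> dict:
    """Import the cert and a PKCS #7 wrapping of it, each with and without header."""
    bare_p7 = base64.b64encode(build_certs_only_pkcs7([normalize(PEM_CERT)]))
    pem_p7 = b"-----BEGIN PKCS7-----\n" + bare_p7 + b"\n-----END PKCS7-----\n"
    inputs = {"cert+hdr": PEM_CERT, "cert": BARE_CERT, "p7+hdr": pem_p7, "p7": bare_p7}
    return {name: import_user_certs(text) for name, text in inputs.items()}
```

All four inputs in demo() come back as the same single DER certificate, because the header is dealt with before any DER parsing starts. Passing the still-armored (or still-base64) text straight into the DER reader instead fails in classify() with a ValueError naming the offending first byte, which is the kind of message the report asks for in place of a parser stack trace.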
Per discussions in PKI Bug Council of 08/11/2016: The only action to take here may be to disallow the use of PKCS7 blobs in this area.
Per discussion with cfu and alee, for now the TPS UI has been modified to no longer mention PKCS #7, so it should not be tested. The REST service itself still accepts PKCS #7 without header, but it may be removed in the future.
The change has been pushed to master (10.4):
If this change is needed for 10.3.x, it needs to be cherry-picked into the DOGTAG_10_3_BRANCH.
The following was cherry-picked in to DOGTAG_10_3_BRANCH:
commit 2dae5f18fa5c68f7923b6b6691395790fb14791f
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Fri Aug 12 02:23:18 2016 +0200

    Removed PKCS #7 from add user cert dialog in TPS UI.

    The dialog box for adding user certificate in TPS UI has been modified
    to no longer mention PKCS #7. The REST service itself still accepts
    PKCS #7, but it should be cleaned up in the future.

    https://fedorahosted.org/pki/ticket/2437

    (cherry picked from commit d27d4600784acb49c42764d02835dedf3ee87227)
Metadata Update from @gkapoor:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2557
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.