Bug 454559 - OCSP returns a nullpointer exception if the request is not provided as a parameter in the GET operation
Keywords:
Status: ASSIGNED
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: OCSP Responder
Version: 1.0
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Matthew Harmsen
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-07-08 23:38 UTC by Matthew Harmsen
Modified: 2015-06-03 14:36 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments
DOGTAG 1.0: pki-common-1.0.0-ocsp-null-get.patch (deleted)
2008-07-08 23:40 UTC, Matthew Harmsen
no flags
Dogtag spec file changes for pki-common (deleted)
2008-07-09 00:34 UTC, Matthew Harmsen
no flags

Description Matthew Harmsen 2008-07-08 23:38:03 UTC
If the OCSP client just submits an OCSP request via the GET method without
submitting the request along, the server will yield a NullPointerException.

Comment 1 Matthew Harmsen 2008-07-08 23:40:54 UTC
Created attachment 311325
DOGTAG 1.0:  pki-common-1.0.0-ocsp-null-get.patch

Comment 2 Andrew Wnuk 2008-07-08 23:43:51 UTC
attachment (id=311325) +awnuk

Comment 3 Matthew Harmsen 2008-07-09 00:09:05 UTC
Checking into trunk:

svn status
M      base/common/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java

svn commit base/common/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java
Sending        base/common/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java
Transmitting file data .
Committed revision 65.


Comment 4 Matthew Harmsen 2008-07-09 00:34:32 UTC
Created attachment 311332
Dogtag spec file changes for pki-common

Comment 5 Andrew Wnuk 2008-07-09 00:36:25 UTC
attachment (id=311332) +awnuk

Comment 6 Matthew Harmsen 2008-07-09 00:41:09 UTC
Checking into trunk:

svn status
M      linux/common/pki-common.spec

svn commit linux/common/pki-common.spec
Sending        linux/common/pki-common.spec
Transmitting file data .
Committed revision 66.


Comment 7 Chandrasekar Kannan 2008-08-27 00:29:24 UTC
Bug already MODIFIED. Setting target CS8.0 and marking screened+

Comment 8 Kashyap Chamarthy 2009-06-21 13:33:07 UTC
--------------------------------
OCSP client
[root@pkiserv export]# OCSPClient pkiserv.pnq.redhat.com 11180 /var/lib/pki-ca/alias/ 'caSigningCert cert-pki-ca' 15 /export/ocspbin 1 
URI: /ocsp/ee/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
sA2M01FNxjpKfqWl74TldtECAQ8=
CertID.serialNumber=15
CertStatus=Revoked
Success: Output /export/ocspbin
---------------------------------

I tried with the below URL from the browser (am I going the right way here?)

---------
http://OCSPClient pkiserv.pnq.redhat.com:11180/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
---------

Result: No response from the browser about the state of the certificate

ocsp debug log says: 

[21/Jun/2009:18:29:06][http-11444-Processor25]: OCSPServlet: java.io.EOFException


Note:
-----
=>AIA extension is set to http://pkiserv.pnq.redhat.com:11180/ocsp/ee/ocsp

=>When I manually verify the certificate from browser Edit->Preferences->View Certificates->Your Certificates->Select the revoked user certificate->View

Certificate viewer says "Could not verify this certificate for unknown reasons" - which is successful behaviour for a revoked cert.


===================================
[root@pkiserv ~]# tail -15 /var/log/pki-ocsp/debug 
[21/Jun/2009:18:29:06][http-11444-Processor25]: evaluating expressions: ipaddress=".*"
[21/Jun/2009:18:29:06][http-11444-Processor25]: evaluated expression: ipaddress=".*" to be true
[21/Jun/2009:18:29:06][http-11444-Processor25]: DirAclAuthz: authorization passed
[21/Jun/2009:18:29:06][http-11444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][aclResource=certServer.ee.request.ocsp][Op=submit] authorization success

[21/Jun/2009:18:29:06][http-11444-Processor25]: getConn: mNumConns now 2
[21/Jun/2009:18:29:06][http-11444-Processor25]: returnConn: mNumConns now 3
[21/Jun/2009:18:29:06][http-11444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=$NonRoleUser$][Outcome=Success][Role=<null>] assume privileged role

[21/Jun/2009:18:29:06][http-11444-Processor25]: Servlet Path=/ee/ocsp
[21/Jun/2009:18:29:06][http-11444-Processor25]: RequestURI=/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
[21/Jun/2009:18:29:06][http-11444-Processor25]: PathInfo=/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
[21/Jun/2009:18:29:06][http-11444-Processor25]: Method=GET
[21/Jun/2009:18:29:06][http-11444-Processor25]: OCSPServlet: java.io.EOFException
[21/Jun/2009:18:29:06][http-11444-Processor25]: CMSServlet: curDate=Sun Jun 21 18:29:06 IST 2009 id=ocspOCSP time=5
[root@pkiserv ~]# 

=====================================================
Via Wget:

Result: In debug log  [21/Jun/2009:18:58:44][http-11180-Processor24]: OCSPServlet: java.io.EOFException


[root@pkiserv ca]# wget --no-check-certificate  http://OCSPClient pkiserv.pnq.redhat.com:11180/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
--18:58:44--  http://ocspclient/
Resolving ocspclient... failed: Temporary failure in name resolution.
--18:58:44--  http://pkiserv.pnq.redhat.com:11180/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
Resolving pkiserv.pnq.redhat.com... 192.168.63.128
Connecting to pkiserv.pnq.redhat.com|192.168.63.128|:11180... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0
Saving to: `MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD'

    [ <=>                                                                                                                 ] 0           --.-K/s   in 0s     

18:58:44 (0.00 B/s) - `MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD' saved [0/0]
=============================================
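
An added example, not part of this bug report or of Dogtag's code: a pre-parse check on the path-info of an OCSP GET, run against the values shown in comment 8. It covers the empty request from the bug description and compares the length announced by the outer DER SEQUENCE with the bytes actually received; the GET form assumed is the one in RFC 6960 Appendix A.1 (URL-encoded base64 of the DER request), and the function names are hypothetical.

```python
import base64
import binascii
from urllib.parse import quote, unquote

# Values copied from comment 8 on this page: the two-line "Data:" output of
# OCSPClient joined together, and the PathInfo line from the OCSP debug log.
FULL_B64 = ("MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD"
            "sA2M01FNxjpKfqWl74TldtECAQ8=")
LOGGED_PATH_INFO = "/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD"


def der_total_length(data):
    """Full encoded length announced by the outer DER SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_get_path_info(path_info):
    """Classify an OCSP GET path-info before any ASN.1 parsing (hypothetical helper)."""
    if not path_info or path_info.strip("/") == "":
        return "missing"                   # the case in the bug description
    b64 = unquote(path_info[1:])           # path segment: '+' stays '+'
    try:
        der = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    total = der_total_length(der)
    if total is None:
        return "not-der-sequence"
    if total != len(der):
        return "length-mismatch: header says %d bytes, got %d" % (total, len(der))
    return "ok"


def get_path_for(b64_request):
    """URL-encode the base64 so '+', '/' and '=' survive as one path segment."""
    return "/" + quote(b64_request, safe="")
```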

