Bug 454559 - OCSP returns a nullpointer exception if the request is not provided as a parameter in the GET operation
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: OCSP Responder
Version: 1.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Matthew Harmsen
QA Contact:
Depends On:
Reported: 2008-07-08 23:38 UTC by Matthew Harmsen
Modified: 2015-06-03 14:36 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed:

Attachments
DOGTAG 1.0: pki-common-1.0.0-ocsp-null-get.patch (deleted)
2008-07-08 23:40 UTC, Matthew Harmsen
Dogtag spec file changes for pki-common (deleted)
2008-07-09 00:34 UTC, Matthew Harmsen

Description Matthew Harmsen 2008-07-08 23:38:03 UTC
If the OCSP client just submits an OCSP request via the GET method without
submitting the request along, the server will yield a NullPointerException.

Comment 1 Matthew Harmsen 2008-07-08 23:40:54 UTC
Created attachment 311325
DOGTAG 1.0:  pki-common-1.0.0-ocsp-null-get.patch

Comment 2 Andrew Wnuk 2008-07-08 23:43:51 UTC
attachment (id=311325) +awnuk

Comment 3 Matthew Harmsen 2008-07-09 00:09:05 UTC
Checking into trunk:

svn status
M      base/common/src/com/netscape/cms/servlet/ocsp/

svn commit base/common/src/com/netscape/cms/servlet/ocsp/
Sending        base/common/src/com/netscape/cms/servlet/ocsp/
Transmitting file data .
Committed revision 65.

Comment 4 Matthew Harmsen 2008-07-09 00:34:32 UTC
Created attachment 311332
Dogtag spec file changes for pki-common

Comment 5 Andrew Wnuk 2008-07-09 00:36:25 UTC
attachment (id=311332) +awnuk

Comment 6 Matthew Harmsen 2008-07-09 00:41:09 UTC
Checking into trunk:

svn status
M      linux/common/pki-common.spec

svn commit linux/common/pki-common.spec
Sending        linux/common/pki-common.spec
Transmitting file data .
Committed revision 66.

Comment 7 Chandrasekar Kannan 2008-08-27 00:29:24 UTC
Bug already MODIFIED. setting target CS8.0 and marking screened+

Comment 8 Kashyap Chamarthy 2009-06-21 13:33:07 UTC
OCSP client
[root@pkiserv export]# OCSPClient 11180 /var/lib/pki-ca/alias/ 'caSigningCert cert-pki-ca' 15 /export/ocspbin 1 
URI: /ocsp/ee/ocsp
Data Length: 68
Success: Output /export/ocspbin

I tried with the below URL from the browser (am I going the right way here?)


Result: No response from the browser about the state of the certificate

ocsp debug log says: 

[21/Jun/2009:18:29:06][http-11444-Processor25]: OCSPServlet:

=>AIA extension is set to

=>When I manually verify the certificate from browser Edit -> Preferences -> View Certificates -> Your Certificates -> Select the revoked user certificate -> View

Certificate viewer says "Could not verify this certificate for unknown reasons" - which is successful behaviour for a revoked cert.

[root@pkiserv ~]# tail -15 /var/log/pki-ocsp/debug 
[21/Jun/2009:18:29:06][http-11444-Processor25]: evaluating expressions: ipaddress=".*"
[21/Jun/2009:18:29:06][http-11444-Processor25]: evaluated expression: ipaddress=".*" to be true
[21/Jun/2009:18:29:06][http-11444-Processor25]: DirAclAuthz: authorization passed
[21/Jun/2009:18:29:06][http-11444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$NonRoleUser$][Outcome=Success][][Op=submit] authorization success

[21/Jun/2009:18:29:06][http-11444-Processor25]: getConn: mNumConns now 2
[21/Jun/2009:18:29:06][http-11444-Processor25]: returnConn: mNumConns now 3
[21/Jun/2009:18:29:06][http-11444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=$NonRoleUser$][Outcome=Success][Role=<null>] assume privileged role

[21/Jun/2009:18:29:06][http-11444-Processor25]: Servlet Path=/ee/ocsp
[21/Jun/2009:18:29:06][http-11444-Processor25]: RequestURI=/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
[21/Jun/2009:18:29:06][http-11444-Processor25]: PathInfo=/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD
[21/Jun/2009:18:29:06][http-11444-Processor25]: Method=GET
[21/Jun/2009:18:29:06][http-11444-Processor25]: OCSPServlet:
[21/Jun/2009:18:29:06][http-11444-Processor25]: CMSServlet: curDate=Sun Jun 21 18:29:06 IST 2009 id=ocspOCSP time=5
[root@pkiserv ~]# 

Via Wget:

Result: In debug log  [21/Jun/2009:18:58:44][http-11180-Processor24]: OCSPServlet:

[root@pkiserv ca]# wget --no-check-certificate  http://OCSPClient
--18:58:44--  http://ocspclient/
Resolving ocspclient... failed: Temporary failure in name resolution.
Connecting to||:11180... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0

    [ <=>                                                                                                                 ] 0           --.-K/s   in 0s     

18:58:44 (0.00 B/s) - `MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD' saved [0/0]
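
The failure mode in the Description (a GET that carries no request), as an added example that is not the Dogtag patch, which is not available on this page. It assumes the servlet takes the request from `getPathInfo()`, as the `PathInfo=` debug lines suggest; the class and method names are hypothetical, and the check covers only presence, base64 and outer DER length, not full OCSPRequest parsing.

```java
import java.util.Base64;

public class OcspGetPath {
    // DER of an OCSPResponse whose responseStatus is malformedRequest(1) (RFC 6960).
    static final byte[] MALFORMED_REQUEST = {0x30, 0x03, 0x0A, 0x01, 0x01};

    /** Returns the DER request carried in pathInfo, or null if absent or malformed. */
    static byte[] requestFromPathInfo(String pathInfo) {
        // HttpServletRequest.getPathInfo() is null when the URL ends at the servlet
        // path; dereferencing it unchecked is one way to get the reported exception.
        if (pathInfo == null || pathInfo.length() <= 1) return null;
        byte[] der;
        try {
            der = Base64.getDecoder().decode(pathInfo.substring(1)); // drop leading '/'
        } catch (IllegalArgumentException e) {
            return null; // not base64
        }
        return derLengthMatches(der) ? der : null;
    }

    /** True if der is one SEQUENCE whose declared length equals the bytes present. */
    static boolean derLengthMatches(byte[] der) {
        if (der.length < 2 || der[0] != 0x30) return false;
        int first = der[1] & 0xFF;
        if (first < 0x80) return der.length == 2 + first;   // short form
        int n = first & 0x7F;                                // long form: n length octets
        if (n == 0 || n > 3 || der.length < 2 + n) return false;
        int len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (der[2 + i] & 0xFF);
        return der.length == 2 + n + len;
    }

    public static void main(String[] args) {
        String[] samples = {
            null,   // GET /ocsp/ee/ocsp with nothing after the servlet path
            "/",    // trailing slash only
            // PathInfo as it appears in the debug log above
            "/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT3QwPzI+DgueSBg4zUV9RdwWgM0AQUp4UD",
            "/MAA=" // constructed: empty SEQUENCE (30 00), passes the length check only
        };
        for (String s : samples) {
            byte[] req = requestFromPathInfo(s);
            System.out.println(s + " -> " + (req == null
                ? "reply with MALFORMED_REQUEST" : req.length + "-byte request"));
        }
    }
}
```

The logged PathInfo decodes to 48 bytes while its outer SEQUENCE header declares 66 content bytes (68 in total, the "Data Length" OCSPClient printed), so this check treats it as malformed instead of handing it to the parser.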
