  1. EJBCA
  2. ECA-2145

EJBCA is not prepared to receive signature protected CMP Confirm messages

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EJBCA 3.10.4
    • Fix Version/s: EJBCA 4.0.4
    • Component/s: None
    • Labels:
      None
    • Environment:
      OS should be without importance for the client. I'm using the EJBCA live CD

      Description

      I'm trying to make the cmpforopenssl client interop with EJBCA. I configured the cmp module to work in normal mode, created a user and then tried to connect. The certificate is correctly issued, however, when the client sends CertConf, EJBCA throws the following error:

      15:20:25,032 INFO [CmpServlet] Sent a CMP response to: 10.205.20.114.
      15:20:25,036 INFO [CmpServlet] CMP message received from: 10.205.20.114.
      15:20:25,046 ERROR [CmpMessageDispatcher] Exception during CMP processing:
      java.lang.NullPointerException
          at org.ejbca.core.protocol.cmp.CmpPbeVerifyer.verify(CmpPbeVerifyer.java:87)
          at org.ejbca.core.protocol.cmp.ConfirmationMessageHandler.handleMessage(ConfirmationMessageHandler.java:74)
          at org.ejbca.core.protocol.cmp.CmpMessageDispatcher.dispatch(CmpMessageDispatcher.java:146)
          at org.ejbca.ui.web.protocol.CmpServlet.service(CmpServlet.java:212)
          at org.ejbca.ui.web.protocol.CmpServlet.doPost(CmpServlet.java:183)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
          at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
          at java.lang.Thread.run(Thread.java:636)

      Looking into the code shows that EJBCA is trying to look for the raauthenticationsecret field in cmp.properties, which is commented since I am in client mode.

      In order to use cmpforopenssl for testing:
      1. I downloaded the latest svn sources from http://cmpforopenssl.sourceforge.net
      2. I compiled the packages as described in the README file.
      3. I patched the library to add support for the regToken required to authenticate to EJBCA
      4. I recompiled, then ran the client with the following command line:
      ./cmpclient --ir --cryptlib --server ejbca-vm --port 8080 --path ejbca/publicweb/cmp --proxy --cacert ./ejbca_ca_cert.pem --key ./cl_key.pem --clcert ./cl_cert.der --user ejbca_user --password foobar --subject "CN=ejbca_user"
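
A defensive shape for the check that fails in the trace above, as an added example that is not EJBCA's code and not part of the original report: the verifier is chosen from the message's protection algorithm, and a missing shared secret or key leads to rejection instead of a dereference. The class and method names are hypothetical, SHA-1/HMAC-SHA1 for the password-based MAC and SHA256withRSA for the signature are assumptions, and all inputs are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Added illustration, not EJBCA code; class and method names are hypothetical.
public class ConfirmProtectionCheck {
    static final String PBM_OID = "1.2.840.113533.7.66.13"; // id-PasswordBasedMac (RFC 4210)

    // RFC 4210 PBM: key = OWF applied `iterations` times to (secret || salt), then a MAC over the protected part.
    static byte[] pbm(byte[] secret, byte[] salt, int iterations, byte[] part) throws GeneralSecurityException {
        MessageDigest owf = MessageDigest.getInstance("SHA-1"); // assumed OWF
        owf.update(secret);
        byte[] key = owf.digest(salt);
        for (int i = 1; i < iterations; i++) key = owf.digest(key);
        Mac hmac = Mac.getInstance("HmacSHA1"); // assumed MAC
        hmac.init(new SecretKeySpec(key, "HmacSHA1"));
        return hmac.doFinal(part);
    }

    // Picks the check from protectionAlg; a missing secret or key means "reject", never a dereference.
    static boolean verify(String protectionAlg, byte[] part, byte[] protection, String sharedSecret,
                          byte[] salt, int iterations, PublicKey senderKey) throws GeneralSecurityException {
        if (protectionAlg == null || part == null || protection == null) return false;
        if (PBM_OID.equals(protectionAlg)) {
            if (sharedSecret == null || salt == null || iterations < 1) return false;
            byte[] expected = pbm(sharedSecret.getBytes(StandardCharsets.UTF_8), salt, iterations, part);
            return MessageDigest.isEqual(expected, protection);
        }
        if (senderKey == null) return false;
        Signature sig = Signature.getInstance(protectionAlg); // JCA algorithm name assumed here
        sig.initVerify(senderKey);
        sig.update(part);
        return sig.verify(protection);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] part = "constructed ProtectedPart bytes".getBytes(StandardCharsets.UTF_8);
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // constructed throwaway key
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(part);
        byte[] signed = s.sign();
        byte[] mac = pbm("foobar".getBytes(StandardCharsets.UTF_8), salt, 500, part);
        // Signature-protected confirm with no shared secret configured, then PBM with and without a secret.
        System.out.println("signature, no secret: " + verify("SHA256withRSA", part, signed, null, null, 0, kp.getPublic()));
        System.out.println("PBM, secret present:  " + verify(PBM_OID, part, mac, "foobar", salt, 500, null));
        System.out.println("PBM, secret missing:  " + verify(PBM_OID, part, mac, null, salt, 500, null));
    }
}
```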


              People

              Assignee:
              aveen Aveen Ismail (Inactive)
              Reporter:
              strainu Strainu
