
EJBCA is trying to parse the string 'KeyId' as an integer when authorising an admin

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EJBCA 6.14.0
    • Fix Version/s: EJBCA 6.14.1, EJBCA 6.15.0
    • Component/s: None
    • Labels:
    • Issue discovered during:
      Customer
    • Sprint:
      EJBCA Sprint 18

      Description

      In EndEntityCertificateAuthenticationModule.isAuthorizedAdmin, EJBCA extracts the ID of the end entity profile to check whether the administrator is authorized to handle the request. If the end entity profile is set to 'KeyId', EJBCA fails with a NumberFormatException.

      If the end entity profile is set to 'KeyId', extract the end entity profile from the senderKID field of the CMP request instead.

      How to reproduce:

      > java -jar cmpclient.jar crmf --dn "CN=cmp2w232wosj3s" --keyid="Unit Test" --keystore /opt/wildfly/p12/Administrator1.p12 --keystorepwd foo123 --authmodule EndEntityCertificate --authparam "Administrator 1" --url http://localhost:8080/ejbca/publicweb/cmp/keyid --v
      Creating CRMF request with: SubjectDN=CN=cmp2w232wosj3s
      Creating CRMF request with: IssuerDN=null
      Creating CRMF request with: AuthenticationModule=EndEntityCertificate
      Creating CRMF request with: EndEntityPassword=
      Creating CRMF request with: SubjectAltName=null
      Creating CRMF request with: CustomCertSerno=
      Creating CRMF request with: IncludePopo=false
      Creating CRMF request with: requestedValidity=null
      Creating CRMF request with: keyID=Unit Test
      Creating protected PKIMessage using authentication module: EndEntityCertificate
      Certificate in extraCerts field should be issued by: Administrator 1
      Keystore: /opt/wildfly/p12/Administrator1.p12  -  Keystore password: foo123
      Certificate to be attached in the extraCerts field extracted from keystore. Certificate SubjectDN: CN=Administrator 1,Name=Access to test installation,OU=Engineering,O=PrimeKey Solutions AB,C=SE - Certificate issuerDN: CN=PrimeKey TestNet - Certificate serialnumber: 35487C203ADCFD61 - Certificate fingerprint: 986acd950b15d75f647bbf83a72a6ef04c1eb72d
      Selected signature alg oid: 1.2.840.113549.1.1.11, key algorithm: RSA
      Signing CMP message with signature alg: SHA256WithRSA
      Using CMP URL: http://nautilus:8080/ejbca/publicweb/cmp/keyid
      Using default destination directory: ./dest/
      Received CMP Error Message: 'CN=Administrator 1,Name=Access to test installation,OU=Engineering,O=PrimeKey Solutions AB,C=SE' is not an authorized administrator.

      On the server:

      > cat /opt/wildfly/standalone/log/server.log | grep "Configures"
      2018-08-23 10:42:12,728 ERROR [org.ejbca.core.protocol.cmp.authentication.EndEntityCertificateAuthenticationModule] (default task-10) Configures End Entity Profile ID in CMP alias keyid was not an Integer

      Workaround (until the bug is fixed) is to use HMAC for CMP Authentication Module instead of a certificate.
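The parsing failure described above, as an added illustration that is not EJBCA's own code: a stand-in resolver that shows the pre-fix behaviour (unconditional integer parse) beside a version that honours the 'KeyId' sentinel by taking the profile name from the CMP senderKID and fails closed on anything it cannot resolve. The class, the name-to-ID map and the assumption that senderKID carries the profile name as UTF-8 (matching the `--keyid` value sent by cmpclient) are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.OptionalInt;

// Hypothetical stand-in for the lookup inside isAuthorizedAdmin; not EJBCA's code.
public final class EndEntityProfileResolver {
    // Sentinel that a CMP alias may hold instead of a numeric end entity profile ID.
    static final String KEY_ID_SENTINEL = "KeyId";

    private final Map<String, Integer> profileIdsByName; // assumed profile name -> ID lookup

    public EndEntityProfileResolver(Map<String, Integer> profileIdsByName) {
        this.profileIdsByName = profileIdsByName;
    }

    /** Pre-fix behaviour: the sentinel reaches Integer.parseInt and throws NumberFormatException. */
    public static int resolveBroken(String configuredProfile) {
        return Integer.parseInt(configuredProfile);
    }

    /**
     * Fixed behaviour: when the alias says 'KeyId', read the profile name from senderKID
     * (assumed UTF-8) and map it to an ID; an empty result means "not an authorized administrator".
     */
    public OptionalInt resolve(String configuredProfile, byte[] senderKID) {
        if (KEY_ID_SENTINEL.equalsIgnoreCase(configuredProfile)) {
            if (senderKID == null || senderKID.length == 0) {
                return OptionalInt.empty(); // sentinel configured but the request carries no keyId
            }
            String profileName = new String(senderKID, StandardCharsets.UTF_8);
            Integer id = profileIdsByName.get(profileName);
            return id == null ? OptionalInt.empty() : OptionalInt.of(id);
        }
        try {
            return OptionalInt.of(Integer.parseInt(configuredProfile.trim()));
        } catch (NumberFormatException e) {
            // Same condition the server log reports: the alias value is neither an ID nor 'KeyId'.
            return OptionalInt.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: one profile named "Unit Test" with a made-up ID.
        EndEntityProfileResolver r = new EndEntityProfileResolver(Map.of("Unit Test", 1000));
        byte[] kid = "Unit Test".getBytes(StandardCharsets.UTF_8);
        System.out.println("KeyId + senderKID : " + r.resolve("KeyId", kid));
        System.out.println("numeric alias     : " + r.resolve("1000", kid));
        System.out.println("KeyId, no senderKID: " + r.resolve("KeyId", new byte[0]));
        try {
            resolveBroken("KeyId");
        } catch (NumberFormatException e) {
            System.out.println("pre-fix behaviour : " + e);
        }
    }
}
```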

      People

      • Assignee: Bastian Fredriksson (bastianf)
      • Reporter: Bastian Fredriksson (bastianf)
      • Verified by: Henrik Sunmark


      Time Tracking

      • Original Estimate: 4h
      • Time Spent: 3h 15m
      • Remaining Estimate: 45m