Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-8881

Empty POST to /.well-known/est/simpleenroll results in NullPointerException

    Details

    • Issue discovered during:
      Customer
    • Sprint:
      EJBCA Team Alice - 2020 w7, EJBCA Team Alice -2020 w10

      Description

      Making a POST with an empty body (no CSR) results in Internal Server Error. The EST servlet should detect that no CSR has been sent and respond with Bad Request and a good error message.

      To reproduce, you can cURL like this:

      curl -v -k --user staging:foo123 --data "" -o -H "Content-Type: application/pkcs10" -H "Content-Transfer-Encoding: base64" https://nautilus:8442/.well-known/est/staging/simpleenroll
      

      This returns:

      <html><head><title>Error</title></head><body>java.lang.NullPointerException</body></html>
      

      The log on the server says:

      ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: EJB Invocation failed on component EstOperationsSessionBean for method public abstract byte[] org.ejbca.core.protocol.est.EstOperationsSessionLocal.dispatchRequest: javax.ejb.EJBException: java.lang.NullPointerException
      [...]
      Caused by: java.lang.NullPointerException
      	at org.bouncycastle.pkcs.PKCS10CertificationRequest.getSubject(Unknown Source)
      	at org.cesecore.certificates.certificate.request.PKCS10RequestMessage.getRequestX500Name(PKCS10RequestMessage.java:340)
      	at org.cesecore.certificates.certificate.request.PKCS10RequestMessage.getRequestDN(PKCS10RequestMessage.java:312)
      	at org.ejbca.core.protocol.est.EstOperationsSessionBean.simpleEnroll(EstOperationsSessionBean.java:307)
      

      The root cause of the problem appears to be the fact that you its perfectly fine to create a CSR from an empty byte array. But as soon as you try to do something with it, the bomb goes off. To illustrate, the following JUnit test throws Null Pointer Exception:

      @Test
      public void testEmptyCsr() {
              PKCS10RequestMessage csr = new PKCS10RequestMessage(new byte[0]);
              csr.getRequestDN();
      }
      

      One would perhaps except this constructor to throw an exception if the CSR is invalid. Indeed, the javadoc says:

      public PKCS10CertificationRequest(byte[] encoded) throws java.io.IOException
      Create a PKCS10CertificationRequestHolder from the passed in bytes.
      Parameters:
          encoded - BER/DER encoding of the CertificationRequest structure.
      Throws:
          java.io.IOException - in the event of corrupted data, or an incorrect structure.
      

      Bouncy Castle should probably throw an I/O Exception if an empty byte array is passed as parameter, but until that's fixed, it should be trivial to add a check in the servlet.

        Attachments

          Activity

            People

            Assignee:
            bastianf Bastian Fredriksson
            Reporter:
            bastianf Bastian Fredriksson
            Verified by:
            Henrik Sunmark
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: