EJBCA / ECA-9292

Receive Certificate Response fails for EC DVCA when debug logging is enabled

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Issue discovered during: Another issue

      Description

      Receive Certificate Response fails for EC DVCA when debug logging is enabled

      Steps to reproduce

      1. Ensure you have a CVCA (CVC root CA) certificate.
        • If not, create a self-signed CVC CA, save its certificate (use binary format), and then delete the CA.
      2. Create a CA:
        • CA type: CVC
        • Signature algorithm: SHA256withECDSA
        • Signed by: External CA
      3. Edit the CA. At the bottom of the page, "Step 2 - Import Certificate", select the CVCA.
      4. Press "Receive Certificate Response"

      Expected results
      CA should be activated.

      Actual results
      Error: java.lang.RuntimeException: error creating key

      and the following stack trace with an NPE in EC5Util.convertPoint:

      2020-07-06 15:21:58,979 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: EJB Invocation failed on component CAAdminSessionBean for method public abstract void org.ejbca.core.ejb.ca.caadmin.CAAdminSession.receiveResponse(org.cesecore.authentication.tokens.AuthenticationToken,int,org.cesecore.certificates.certificate.request.ResponseMessage,java.util.Collection,java.lang.String,boolean) throws org.cesecore.authorization.AuthorizationDeniedException,java.security.cert.CertPathValidatorException,org.ejbca.core.EjbcaException,org.cesecore.CesecoreException: javax.ejb.EJBException: java.lang.RuntimeException: error creating key
              at org.jboss.as.ejb3@14.0.1.Final//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:246)
              [...]
              at org.jboss.as.ee@14.0.1.Final//org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81)
              at deployment.ejbca.ear.ejbca-ejb.jar//org.ejbca.core.ejb.ca.caadmin.CAAdminSessionLocal$$$view140.receiveResponse(Unknown Source)
              at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.cainterface.CADataHandler.receiveResponse(CADataHandler.java:245)
              at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.ca.EditCAsMBean.receiveResponse(EditCAsMBean.java:2040)
              at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              [...]
              at java.base/java.lang.Thread.run(Thread.java:834)
      Caused by: java.lang.RuntimeException: error creating key
              at deployment.ejbca.ear//org.cesecore.keys.util.KeyTools.createSubjectKeyId(KeyTools.java:967)
              at deployment.ejbca.ear.ejbca-ejb.jar//org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.activateNextKeyAndCert(CAAdminSessionBean.java:1380)
              at deployment.ejbca.ear.ejbca-ejb.jar//org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.receiveResponse(CAAdminSessionBean.java:1262)
              at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              [...]
              at org.jboss.as.ejb3@14.0.1.Final//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:237)
              ... 113 more
      Caused by: java.lang.NullPointerException
              at org.bouncycastle//org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util.convertPoint(Unknown Source)
              at org.bouncycastle//org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey.<init>(Unknown Source)
              at org.bouncycastle//org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi.engineTranslateKey(Unknown Source)
              at java.base/java.security.KeyFactory.translateKey(KeyFactory.java:470)
              at deployment.ejbca.ear//org.cesecore.keys.util.KeyTools.createSubjectKeyId(KeyTools.java:958)
              ... 149 more

      Analysis/cause
      The cause of the issue is that CAAdminSessionBean tries to log (at debug level) the Subject Key ID of the CA's existing public key. The KeyTools.createSubjectKeyId method it uses does not appear to handle EC public keys taken from CVC certificates.

      This limitation in KeyTools.createSubjectKeyId also causes warnings to be logged when CertificateData objects are created as a certificate is stored (I have this in logs from November).

      Suggested solution
      If it's easy to do, add handling of EC CVC keys in KeyTools.createSubjectKeyId.
      The resulting SKID should be the same as the SKID of the crypto token public key for the certificate.

      Otherwise, we could just skip printing of SKIDs for CVC certificates.
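      As an added illustration of the two suggestions above (this is not EJBCA's KeyTools code, and the class SubjectKeyIdDemo and its methods are hypothetical names), the following standalone Java program computes an RFC 5280 style Subject Key Identifier, SHA-1 over the subjectPublicKey BIT STRING, directly from the key's X.509 encoding instead of translating the key through a provider KeyFactory. It assumes that the NullPointerException in the trace comes from an EC public key whose getParams() returns null, which is what a key taken from a CVC certificate that carries no domain parameters would look like; that assumption is consistent with the failure inside BCECPublicKey.<init> / EC5Util.convertPoint but is not stated in this issue. Such a key is rejected up front with an empty result, which is the "skip printing" option, rather than failing deep inside BouncyCastle. JDK only, no BouncyCastle needed; the keyWithoutParams helper is a constructed stand-in for the CVC case.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.util.Optional;

/**
 * Hypothetical demo (not EJBCA's KeyTools): SKID = SHA-1(subjectPublicKey BIT STRING),
 * computed from the key's own SubjectPublicKeyInfo, with a guard for EC keys that
 * carry no domain parameters (assumed to be the CVC case behind the NPE).
 */
public final class SubjectKeyIdDemo {

    /** Returns the SKID bytes, or empty if the key cannot be encoded safely. */
    public static Optional<byte[]> createSubjectKeyId(PublicKey key) throws Exception {
        if (key instanceof ECPublicKey && ((ECPublicKey) key).getParams() == null) {
            // Guard: without domain parameters no SubjectPublicKeyInfo can be built,
            // and provider translation (KeyFactory.translateKey) dereferences null.
            return Optional.empty();
        }
        byte[] spki = key.getEncoded(); // DER SubjectPublicKeyInfo for X.509-format keys
        if (spki == null || !"X.509".equals(key.getFormat())) {
            return Optional.empty();
        }
        byte[] subjectPublicKey = extractSubjectPublicKeyBits(spki);
        return Optional.of(MessageDigest.getInstance("SHA-1").digest(subjectPublicKey));
    }

    /** Minimal DER walk: SEQUENCE { SEQUENCE algorithmIdentifier, BIT STRING subjectPublicKey }. */
    static byte[] extractSubjectPublicKeyBits(byte[] spki) {
        int[] pos = {0};
        expectTag(spki, pos, 0x30);        // outer SEQUENCE
        readLength(spki, pos);
        expectTag(spki, pos, 0x30);        // AlgorithmIdentifier SEQUENCE
        pos[0] += readLength(spki, pos);   // skip it entirely
        expectTag(spki, pos, 0x03);        // BIT STRING
        int len = readLength(spki, pos);
        int unusedBits = spki[pos[0]] & 0xff;
        if (unusedBits != 0) {
            throw new IllegalArgumentException("unexpected unused bits in subjectPublicKey");
        }
        byte[] bits = new byte[len - 1];   // drop the leading unused-bits octet
        System.arraycopy(spki, pos[0] + 1, bits, 0, len - 1);
        return bits;
    }

    private static void expectTag(byte[] der, int[] pos, int tag) {
        if ((der[pos[0]++] & 0xff) != tag) {
            throw new IllegalArgumentException("unexpected DER tag");
        }
    }

    private static int readLength(byte[] der, int[] pos) {
        int first = der[pos[0]++] & 0xff;
        if (first < 0x80) {
            return first;                  // short form
        }
        int numBytes = first & 0x7f;       // long form
        int len = 0;
        for (int i = 0; i < numBytes; i++) {
            len = (len << 8) | (der[pos[0]++] & 0xff);
        }
        return len;
    }

    /** Constructed stand-in for an EC key parsed from a CVC certificate: point present, no params. */
    static ECPublicKey keyWithoutParams(ECPublicKey real) {
        return new ECPublicKey() {
            public ECPoint getW() { return real.getW(); }
            public ECParameterSpec getParams() { return null; }
            public String getAlgorithm() { return "EC"; }
            public String getFormat() { return null; }
            public byte[] getEncoded() { return null; }
        };
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        ECPublicKey pub = (ECPublicKey) kpg.generateKeyPair().getPublic();

        byte[] skid = createSubjectKeyId(pub).orElseThrow();
        System.out.println("SKID (" + skid.length + " bytes): " + new BigInteger(1, skid).toString(16));

        // The same key as it would look coming out of a CVC certificate without parameters.
        System.out.println("Param-less key yields SKID: " + createSubjectKeyId(keyWithoutParams(pub)).isPresent());
    }
}
```

      Because the digest covers only the encoded public point, a key that does carry its parameters yields the same SKID whether it was read from the certificate or from the crypto token, which is the property the suggested solution asks for; the parameter-less key is reported as "no SKID" instead of throwing, so a debug log line cannot break Receive Certificate Response.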

      People

      Assignee: Unassigned
      Reporter: Samuel Lidén Borell

      Time Tracking

      Original Estimate: 3d
      Remaining Estimate: 3d
      Time Spent: Not Specified