  1. EJBCA
  2. ECA-9498

Regression: OCSP keybinding certificate import fails when CA fingerprint is missing in database

    Details

    • Issue discovered during:
      Customer

      Description

      OCSP keybinding certificate import fails when CA fingerprint is missing in database. A certificate might be missing a CA fingerprint if it is imported before the issuing CA's certificate, for example (but there might be other reasons as well).

      This only happens when "Enable nonce in response" is enabled in the OCSP keybinding.

      Symptom
      This error appears in server.log when trying to import the OCSP keybinding certificate:

      ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: EJB Invocation failed on component InternalKeyBindingMgmtSessionBean for method public abstract void org.cesecore.keybind.InternalKeyBindingMgmtSession.importCertificateForInternalKeyBinding(org.cesecore.authentication.tokens.AuthenticationToken,int,byte[]) throws org.cesecore.authorization.AuthorizationDeniedException,org.cesecore.keybind.CertificateImportException,org.cesecore.keybind.InternalKeyBindingNonceConflictException: javax.ejb.EJBTransactionRolledbackException: id to load is required for loading
      	[...]
      	at org.cesecore.certificates.certificate.CertificateStoreSessionLocal$$$view101.getCertificateData(Unknown Source)
      	at org.cesecore.keybind.InternalKeyBindingMgmtSessionBean.checkForPreProductionAndNonceConflictBeforeImport(InternalKeyBindingMgmtSessionBean.java:881)
      	at org.cesecore.keybind.InternalKeyBindingMgmtSessionBean.importCertificateForInternalKeyBinding(InternalKeyBindingMgmtSessionBean.java:804)
      	[...]
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: java.lang.IllegalArgumentException: id to load is required for loading
      	at org.hibernate.event.spi.LoadEvent.<init>(LoadEvent.java:93)
      	[...]
      	at org.jboss.as.jpa.container.AbstractEntityManager.find(AbstractEntityManager.java:213)
      	at org.cesecore.certificates.certificate.CertificateDataSessionBean.findByFingerprint(CertificateDataSessionBean.java:71)
      	[...]
      	... 167 more
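
A triage check for the symptom above, as an added example that is not part of the original issue or the EJBCA code base: it groups server.log lines into records and flags only those that carry all four markers from the quoted trace. The timestamp pattern, the sample log and the `ExampleBean` record are constructed assumptions.

```python
import re

# A record starts with an optional timestamp (assumed layout), a level and a [category].
RECORD_START = re.compile(
    r"^\s*(?:\d{4}-\d{2}-\d{2} )?(?:\d{2}:\d{2}:\d{2},\d{3} )?"
    r"(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)\s+\[")

# Substrings copied from the trace in this issue; all must occur in one record.
MARKERS = (
    "importCertificateForInternalKeyBinding",
    "checkForPreProductionAndNonceConflictBeforeImport",
    "CertificateDataSessionBean.findByFingerprint",
    "IllegalArgumentException: id to load is required for loading",
)

def split_records(lines):
    """Attach stack frames and 'Caused by:' lines to the record that precedes them."""
    records = []
    for number, line in enumerate(lines, start=1):
        if RECORD_START.match(line):
            records.append((number, [line]))
        elif records:
            records[-1][1].append(line)
    return records

def find_import_failures(lines):
    """Return the starting line numbers of records that match every marker."""
    hits = []
    for number, record in split_records(lines):
        text = "\n".join(record)
        if all(marker in text for marker in MARKERS):
            hits.append(number)
    return hits

# Constructed sample: record 2 abbreviates the trace above; record 3 is hypothetical.
SAMPLE_LOG = """\
INFO  [org.ejbca] (default task-1) constructed line: admin logged in
ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: EJB Invocation failed on component InternalKeyBindingMgmtSessionBean for method importCertificateForInternalKeyBinding: javax.ejb.EJBTransactionRolledbackException: id to load is required for loading
\tat org.cesecore.keybind.InternalKeyBindingMgmtSessionBean.checkForPreProductionAndNonceConflictBeforeImport(InternalKeyBindingMgmtSessionBean.java:881)
Caused by: java.lang.IllegalArgumentException: id to load is required for loading
\tat org.cesecore.certificates.certificate.CertificateDataSessionBean.findByFingerprint(CertificateDataSessionBean.java:71)
ERROR [org.jboss.as.ejb3.invocation] (default task-2) WFLYEJB0034: EJB Invocation failed on component ExampleBean: id to load is required for loading
Caused by: java.lang.IllegalArgumentException: id to load is required for loading
\tat com.example.ExampleBean.load(ExampleBean.java:1)
""".splitlines()

if __name__ == "__main__":
    print(find_import_failures(SAMPLE_LOG))
```

Requiring every marker keeps the unrelated record out of the result even though it shares the Hibernate message.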
      

              People

              Assignee:
              samuel Samuel Lidén Borell
              Reporter:
              samuel Samuel Lidén Borell
              Verified by:
              Ulf Undmark

                  Time Tracking

                  Estimated:
                  1h
                  Remaining:
                  0m
                  Logged:
                  1h