pki pkcs7-import does not process some certificates #4823

Open
sergius-fidelis opened this issue Aug 13, 2024 · 0 comments

sergius-fidelis commented Aug 13, 2024

Description of problem:

When processing certain certificates, pki pkcs7-import generates an error:

org.mozilla.jss.crypto.TokenException: Failed to find certificate that was just imported: (-8187) security library: invalid arguments.
	at org.mozilla.jss.CryptoManager.importCertPackageNative(Native Method)
	at org.mozilla.jss.CryptoManager.importCACertPackage(CryptoManager.java:861)
	at com.netscape.cmsutil.crypto.CryptoUtil.importPKCS7(CryptoUtil.java:883)
	at com.netscape.cmstools.pkcs7.PKCS7ImportCLI.execute(PKCS7ImportCLI.java:102)
	at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
	at org.dogtagpki.cli.CLI.execute(CLI.java:353)
	at org.dogtagpki.cli.CLI.execute(CLI.java:353)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:659)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)

Version of pki used:

PKI Command-Line Interface 11.5.0-SNAPSHOT

Distributor of pki:

AlmaLinux 9.4

How reproducible:

  • Copy the certificates below.
  • Run command:
cat $path_to_test_cert | pki pkcs7-import

Perhaps this is because the serial numbers of certificates are large.
But in this case, the error should be more informative.
This command is used when installing FreeIPA, and it may take a long time to find the cause of the failure.

Examples of "bad" certificates:


OpenSSL does not generate errors when processing these certificates:

openssl pkcs7 -in $path_to_test_cert -print_certs
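
To check the large-serial-number guess in the report above, the following added helper (not part of pki or of the original report) lists the serial of each certificate in a PKCS#7 bundle and flags any whose DER encoding exceeds the 20 octets allowed by RFC 5280, section 4.1.2.2. The function names are hypothetical, and a flagged serial does not by itself establish the cause of the import error.

```shell
#!/bin/sh
# Added triage helper; not part of pki or of the original report.
# Function names are hypothetical. check_bundle requires the openssl CLI.

MAX_SERIAL_OCTETS=20   # RFC 5280, section 4.1.2.2

# serial_octets "serial=HEX": length in octets of the DER INTEGER.
# `openssl x509 -serial` prints the magnitude as two hex digits per byte;
# DER prepends 0x00 when the top bit is set, so add one octet in that case.
# A leading "-" (negative serial) is ignored, so that case is approximate.
serial_octets() {
    hex=${1#serial=}
    hex=${hex#-}
    octets=$(( ${#hex} / 2 ))
    case $hex in
        [89A-Fa-f]*) octets=$(( octets + 1 )) ;;
    esac
    echo "$octets"
}

# classify_serial "serial=HEX": print a verdict; return 1 if over the limit.
classify_serial() {
    n=$(serial_octets "$1")
    if [ "$n" -gt "$MAX_SERIAL_OCTETS" ]; then
        echo "OVERSIZE ($n octets) $1"
        return 1
    fi
    echo "ok ($n octets) $1"
}

# check_bundle FILE: classify every certificate in a PEM PKCS#7 bundle.
check_bundle() {
    openssl pkcs7 -in "$1" -print_certs | (
        pem="" rc=0 nl='
'
        while IFS= read -r line; do
            case $line in
                "-----BEGIN CERTIFICATE-----") pem=$line ;;
                "-----END CERTIFICATE-----")
                    serial=$(printf '%s\n%s\n' "$pem" "$line" |
                             openssl x509 -noout -serial)
                    classify_serial "$serial" || rc=1
                    pem="" ;;
                *) if [ -n "$pem" ]; then pem=$pem$nl$line; fi ;;
            esac
        done
        exit "$rc"
    )
}

if [ "$#" -gt 0 ]; then check_bundle "$1"; fi
```

Run it as `sh check_serials.sh $path_to_test_cert` (the script file name is a placeholder); the exit status is non-zero when at least one serial is over the limit.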