Bug 499842 - Revoking an unknown serial numbers does not return useful error
Summary: Revoking an unknown serial numbers does not return useful error
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: CA
Version: 1.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Andrew Wnuk
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 431020 freeipa20 445047
Reported: 2009-05-08 14:32 UTC by Rob Crittenden
Modified: 2015-01-06 01:19 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-06-04 20:32:57 UTC
Embargoed:


Attachments
proposed fix (deleted)
2009-11-16 22:14 UTC, Andrew Wnuk

Description Rob Crittenden 2009-05-08 14:32:42 UTC
Description of problem:

I'm accessing bits of the CA directly by issuing remote authenticated requests. If I revoke a non-existent certificate I get a generic error, not an "unknown certificate" error.

For example, I issue this request to revoke a non-issued certificate:

https://catest.example.com:9444/ca/agent/ca/doRevoke

POST /ca/agent/ca/doRevoke HTTP/1.1
Host: catest.example.com:9444
Accept-Encoding: identity
Content-Length: 81
Content-type: application/x-www-form-urlencoded
Accept: text/plain

revocationReason=0&totalRecordCount=1&revokeAll=%28certRecordId%3D99%29&op=revoke

The error is:

fixed.errorDetails = "Error encountered while marking certificate revoked.";
fixed.authorityName = "Certificate Manager";

Not particularly helpful. What error occurred?

Comment 7 Andrew Wnuk 2009-11-16 22:14:23 UTC
Created attachment 369801
proposed fix

Comment 8 Matthew Harmsen 2009-11-16 22:19:01 UTC
attachment (id=369801) +mharmsen

Comment 9 Andrew Wnuk 2009-11-16 22:50:20 UTC
svn commit pki/base/common/src/LogMessages_en.properties
Sending        pki/base/common/src/LogMessages_en.properties
Transmitting file data .
Committed revision 823.

svn commit pki/base/common/src/com/netscape/cms/servlet/cert/DoRevoke.java
Sending        pki/base/common/src/com/netscape/cms/servlet/cert/DoRevoke.java
Transmitting file data .
Committed revision 824.

Comment 10 Andrew Wnuk 2009-11-16 22:53:57 UTC
In case where no certificate was found to be revoked, error message:
  "Error encountered while marking certificate revoked."
was replaced with
  "Attempt to revoke non-existent certificate(s).".

Comment 12 Kashyap Chamarthy 2010-12-08 09:14:24 UTC
Verified.
CS8.1 nightly(4-Dec-2010) ; x86_64
RHEL5.6 nightly  ; x86_64

Procedure:
(1) Disable random nonces securing access by setting `ca.enableNonces=false` in CS.cfg
(2) Try to revoke a non-existent cert (99) by invoking the doRevoke servlet URL as below

##################################
[root@iceberg ~]# grep -i enableNonces /var/lib/pki-ca1/conf/CS.cfg
ca.enableNonces=false
[root@iceberg ~]# 
#################################
https://iceberg.pnq.redhat.com:35333/ca/agent/ca/doRevoke?op=doRevoke&revocationReason=0&revokeAll=%28certRecordId=99%29&op=revoke
#################################

Result: (as expected)
Attempt to revoke non-existent certificate(s)
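
Added example (not part of the bug report or of the Dogtag code base): a client-side sketch that rebuilds the form body from the description and classifies a doRevoke response by its `fixed.errorDetails` field. The function names, the "unknown" outcome and the post-fix sample response are assumptions; only the request fields and the two messages come from this page.

```python
import re
from urllib.parse import urlencode

# Messages quoted in this bug report (before and after the fix).
GENERIC_ERROR = "Error encountered while marking certificate revoked."
NOT_FOUND_ERROR = "Attempt to revoke non-existent certificate(s)."

# Matches response lines of the form:  fixed.errorDetails = "text";
_ASSIGN = re.compile(
    r'^\s*([A-Za-z_][\w.]*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.M)

# Response text as quoted in the description (pre-fix behaviour).
OLD_RESPONSE = (
    'fixed.errorDetails = "Error encountered while marking certificate revoked.";\n'
    'fixed.authorityName = "Certificate Manager";\n'
)
# Constructed sample: same layout assumed, with the post-fix message.
NEW_RESPONSE = (
    'fixed.errorDetails = "Attempt to revoke non-existent certificate(s).";\n'
    'fixed.authorityName = "Certificate Manager";\n'
)


def build_revoke_body(serial, reason=0):
    """Form body with the same fields and order as the request in the report."""
    return urlencode([
        ("revocationReason", reason),
        ("totalRecordCount", 1),
        ("revokeAll", "(certRecordId=%d)" % serial),
        ("op", "revoke"),
    ])


def parse_fields(body):
    """Return {name: value} for every quoted-string assignment in the body."""
    return {name: value for name, value in _ASSIGN.findall(body)}


def classify(body):
    """Map a response body to 'not_found', 'error' or 'unknown'.

    A body without errorDetails is reported as 'unknown', never as success:
    a revocation client should not assume a certificate was revoked unless
    the server said so (assumption: success output is not shown on this page).
    """
    details = parse_fields(body).get("fixed.errorDetails")
    if details is None:
        return "unknown"
    # Comment 12 shows the message without the trailing period, so ignore it.
    if details.rstrip(".") == NOT_FOUND_ERROR.rstrip("."):
        return "not_found"
    return "error"
```

Matching on message text is fragile across releases and locales, so a caller should treat any unrecognised `errorDetails` value as a failed revocation.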

