[Pki-users] CMCEnroll: java.io.IOException: Internal Error - java.io.IOException: Sequence tag error 9
Marc Sauton
msauton at redhat.com
Thu Oct 30 19:20:23 UTC 2008
Jan Meijer wrote:
> Hi!
>
> I'm trying to get CMC signed enrollment to work.
>
> What I want to do is create certificate requests via a web based tool
> on one server, and ship them to the CA for auto-vetting. It looks like in
> my situation using signed CMC is the most simple solution.
>
>
> I *think* I have set everything up correctly but, when I try to test my
> assumption by using either CMCEnroll or CMCRequest to create a CMC request
> I get the following error:
>
> [root at ebbe test]# CMCEnroll -d "/root/test/cmc-agent/" -n "cmc" -r
> "/root/test/test3.csr" -p "bla"
> cert/key prefix =
> path = /root/test/cmc-agent/
> java.io.IOException: Internal Error - java.io.IOException: Sequence tag
> error 9
> at com.netscape.cmstools.CMCEnroll.getCMCBlob(CMCEnroll.java:133)
> at com.netscape.cmstools.CMCEnroll.main(CMCEnroll.java:412)
>
There is something going on with your certificate request in
/root/test/test3.csr
> and the same error comes when using CMCRequest.
>
> Now, this is NOT an error with the CA setup, as the CA doesn't come in
> play yet, no? Unfortunately I haven't debugged enough Java problems yet
> to understand what the error means. Maybe there's some library/class
> missing somewhere?
>
> If anyone could help out that would be great :)
>
>
> I'm running Fedora 9 and DogTag 1.00, package list is below:
>
> [root at ebbe test]# yum list | grep pki
> pki-ca.noarch 1.0.0-6.fc9 installed
> pki-ca-ui.noarch 1.0.0-1.fc9 installed
> pki-common.noarch 1.0.0-8.fc9 installed
> pki-common-ui.noarch 1.0.0-2.fc9 installed
> pki-console.noarch 1.0.0-4.fc9 installed
> pki-console-ui.noarch 1.0.0-1.fc9 installed
> pki-java-tools.noarch 1.0.0-1.fc9 installed
> pki-native-tools.i386 1.0.0-1.fc9 installed
> pki-ra.noarch 1.0.0-2.fc9 installed
> pki-ra-ui.noarch 1.0.0-1.fc9 installed
> pki-setup.noarch 1.0.0-2.fc9 installed
> pki-util.noarch 1.0.0-2.fc9 installed
> krb5-pkinit-openssl.i386 1.6.3-10.fc9 fedora
> pki-common-javadoc.noarch 1.0.0-8.fc9 pki
> pki-java-tools-javadoc.noarch 1.0.0-1.fc9 pki
> pki-kra.noarch 1.0.0-2.fc9 pki
> pki-kra-ui.noarch 1.0.0-2.fc9 pki
> pki-manage.noarch 1.0.0-1.fc9 pki
> pki-migrate.noarch 1.0.0-1.fc9 pki
> pki-ocsp.noarch 1.0.0-2.fc9 pki
> pki-ocsp-ui.noarch 1.0.0-1.fc9 pki
> pki-silent.noarch 1.0.0-1.fc9 pki
> pki-tks.noarch 1.0.0-2.fc9 pki
> pki-tks-ui.noarch 1.0.0-1.fc9 pki
> pki-tps.i386 1.0.0-2.fc9 pki
> pki-tps-ui.noarch 1.0.0-2.fc9 pki
> pki-util-javadoc.noarch 1.0.0-2.fc9 pki
>
>
>
> The contents of test3.csr:
>
> [root at ebbe test]# cat test3.csr
>
> Certificate request generated by Netscape certutil
> Phone: (not specified)
>
> Common Name: test4
> Email: (not specified)
> Organization: (not specified)
> State: (not specified)
> Country: (not specified)
>
> -----BEGIN NEW CERTIFICATE REQUEST-----
> MIIBTzCBuQIBADAQMQ4wDAYDVQQDEwV0ZXN0NDCBnzANBgkqhkiG9w0BAQEFAAOB
> jQAwgYkCgYEA5wv8VPSNH7HH0Nsdr2/3xu3fqglDbQUz8CxhFvFHXm26a1DlyC+l
> pqZXCgozJzpb1N5EXDR/Wg1VVbcJNnKyvJOa4XqOqqAPFKLfH5GhAijOIIQRuLL/
> WHlUeY2LUHcLCZ257b9QEOTrR6iVZPp74r2l7CBkXQ3zvx4PRfX2eY8CAwEAAaAA
> MA0GCSqGSIb3DQEBBQUAA4GBAB6R3Gf4koSXucYifCIFri3vTSt2ThK7GpKrYe86
> JLYOTk4aNdaL/wZDNBLnnw8if8Gv2y/LcpR7Qvto52uckCA2+rRWEYmHhDs8NF6U
> q0HuaYaUgN1kdOqrzjGFaZxG5eSJkLnmFpKlp+9OsnNfz43v9zzeomzqSdRHpPEZ
> pmFM
> -----END NEW CERTIFICATE REQUEST-----
>
>
The csr seem to be somehow malformed:
0 335: SEQUENCE {
4 185: SEQUENCE {
7 1: INTEGER 0
10 16: SEQUENCE {
12 14: SET {
14 12: SEQUENCE {
16 3: OBJECT IDENTIFIER commonName (2 5 4 3)
: (X.520 id-at (2 5 4))
21 5: PrintableString 'test4'
: }
: }
: }
28 159: SEQUENCE {
31 13: SEQUENCE {
33 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
: (PKCS #1)
44 0: NULL
: }
46 141: BIT STRING, encapsulates {
50 137: SEQUENCE {
53 129: INTEGER
: 00 E7 0B FC 54 F4 8D 1F B1 C7 D0 DB 1D AF 6F F7
: C6 ED DF AA 09 43 6D 05 33 F0 2C 61 16 F1 47 5E
: 6D BA 6B 50 E5 C8 2F A5 A6 A6 57 0A 0A 33 27 3A
: 5B D4 DE 44 5C 34 7F 5A 0D 55 55 B7 09 36 72 B2
: BC 93 9A E1 7A 8E AA A0 0F 14 A2 DF 1F 91 A1 02
: 28 CE 20 84 11 B8 B2 FF 58 79 54 79 8D 8B 50 77
: 0B 09 9D B9 ED BF 50 10 E4 EB 47 A8 95 64 FA 7B
: E2 BD A5 EC 20 64 5D 0D F3 BF 1E 0F 45 F5 F6 79
: 8F
185 3: INTEGER 65537
: }
: }
: }
190 0: [0]
* : Error: Object has zero length.*
...snip...
> The contents of the certificate database that's used for the CMC agent:
>
> [root at ebbe test]# certutil -L -d /root/test/cmc-agent
>
> Certificate Nickname Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
>
> CMC Agent - NetherNordic SLCS u,u,u
> cmc u,u,u
> ca c,c,c
>
>
>
>
More information about the Pki-users
mailing list