000011911 - pollRep response from CMP Server is not compliant with ASN.1 specification by including an empty extraCerts field

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000011911
Applies To: RSA Certificate Manager 6.9 build 554
CMP v2
CMP Server configured with 3gpp plugin
Issue: The pollRep response from CMP Server includes an empty extraCerts field, which is not compliant with the ASN.1 specification.
Cause: CMP Server is not following the RFC when sending a pollRep. According to the PKIMessage ASN.1 definition:

    PKIMessage ::= SEQUENCE {
       header           PKIHeader,
       body             PKIBody,
       protection   [0] PKIProtection OPTIONAL,
       extraCerts   [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
                        OPTIONAL
    }

The extraCerts field is optional. If it does not apply, as in pollRep, the sequence MUST NOT be encoded. If it is encoded, it MUST contain at least one element.
Resolution: This issue will be fixed in the next build, 555, of RSA Certificate Manager 6.9 (not available at the time of writing this solution). If a test fix is required prior to the release of build 555, contact RSA Customer Support.

With the proposed fix, CMP Server will not encode the extraCerts field in a response when the number of certificates attached to extraCerts is zero.
Notes: CERTMGR-4259
CERTMGR-4282
Legacy Article ID: a62288
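
The check described under Cause, as an added example that is not RSA Certificate Manager code: a minimal DER walker that reports whether a PKIMessage omits extraCerts, carries an empty one, or carries at least one element. It assumes the explicit tagging used by the CMP ASN.1 module in RFC 4210, so an empty extraCerts appears on the wire as `A1 02 30 00`; the sample messages are constructed stubs, not captured server output.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is not expected here")
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def check_extra_certs(der):
    """Classify extraCerts in a DER PKIMessage: 'absent', 'empty' or 'present'."""
    tag, fields, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("input is not a single DER SEQUENCE")
    pos = 0
    while pos < len(fields):
        tag, value, pos = read_tlv(fields, pos)
        if tag == 0xA1:                    # [1] EXPLICIT wrapper around extraCerts
            inner_tag, certs, _ = read_tlv(value, 0)
            if inner_tag != 0x30:
                raise ValueError("extraCerts does not wrap a SEQUENCE")
            return "present" if certs else "empty"   # SIZE (1..MAX) forbids empty
    return "absent"


# Constructed samples: stub header and stub pollRep body, not a captured message.
HEADER = bytes.fromhex("3003020102")       # SEQUENCE { INTEGER 2 } standing in for PKIHeader
POLLREP = bytes.fromhex("ba023000")        # [26] pollRep wrapping an empty stub SEQUENCE


def pki_message(extra=b""):
    """Assemble a short-form-length PKIMessage stub with optional trailing field."""
    content = HEADER + POLLREP + extra
    return bytes([0x30, len(content)]) + content


COMPLIANT = pki_message()                               # extraCerts omitted
NON_COMPLIANT = pki_message(bytes.fromhex("a1023000"))  # [1] { SEQUENCE {} }
```

A result of "empty" corresponds to the non-compliant pollRep described in this article; "absent" is the encoding expected from build 555.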
