000012929 - Xudad crashes when a certificate request is submitted via OneStep

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number: 000012929
Applies To: RSA Certificate Manager 6.8
RSA Certificate Manager OneStep 6.8
Mozilla Firefox 3.0
Issue: Xudad crashes when a certificate request is submitted via OneStep
RSA Certificate Manager (RCM) Secure Directory Server (Xudad) crashes when a certificate request is made via OneStep using a test HTML page in the Firefox 3.0.1 browser on Windows. The same request submitted via Microsoft Internet Explorer (MSIE) does not result in the crash.
Cause: The problem occurred because of the default value set for KCSOSD_PUBLICKEY in the test HTML page, and because the same page was being used for both the MSIE and Firefox browsers. RCM Secure Directory Server expects the value of KCSOSD_PUBLICKEY to be in a format that depends on the browser (MSIE vs. Netscape/Firefox/Mozilla). The following is quoted from the OneStep Developer's Guide:

Names Supplied by the Browser

The following names are required for certificate generation. They should be supplied by the enrollment page, not by the plug-in, because the end user's browser creates the key pair.

Description/Value: The public key of the end user to be placed in the generated certificate. The format of the public key depends on the browser being used. For Microsoft Internet Explorer browsers, the key is in the PKCS #10 generated by XEnroll.cab. For Netscape Navigator, Mozilla Firefox, and Mozilla browsers, the key is in SubjectPublicKeyInfo format. The PKCS #10 is parsed, and only the SubjectPublicKeyInfo is used. The remaining values in the PKCS #10, such as Subject Distinguished Name, attributes, and so on, are ignored. These values must be specified in the other name/value pairs.

The value of KCSOSD_PUBLICKEY for MSIE should be a complete PKCS #10. For Netscape or Firefox, the value should be only the SubjectPublicKeyInfo (SPKI) value. For OneStep, RCM checks the browser type. If it is MSIE, it retrieves the SPKI from the PKCS #10 and sets the SPKI value properly. For Netscape-type browsers, such as Firefox, it sets the value directly.
Resolution: Update the test HTML page and correctly set the value for KCSOSD_PUBLICKEY based on the browser type.

While the test HTML page used with OneStep was incorrectly constructed (as explained above), Xudad should not have crashed. RSA Certificate Manager 6.8, Build 516, fixes the crash problem. A certificate will still not be issued when KCSOSD_PUBLICKEY is not set to a correctly formatted value; however, Xudad will not crash.
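
An added example, not code from RSA or from the OneStep Developer's Guide: a Python check that tells a PKCS #10 from a bare SubjectPublicKeyInfo by DER structure and rejects anything else with an error, which is the behaviour the fix describes for a wrongly formatted KCSOSD_PUBLICKEY. It assumes the form value has already been decoded to raw DER bytes; the function names and the sample values are constructed for illustration.

```python
class DerError(ValueError): pass  # malformed input or unrecognised shape

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV at pos, bounds-checked."""
    if pos + 2 > len(buf):
        raise DerError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DerError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise DerError("length exceeds input")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """List (tag, content) for each element inside a constructed value."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def classify_public_key(der):
    """der: raw DER bytes (assumed decoded). Return 'pkcs10' or 'spki'."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise DerError("not a single DER SEQUENCE")
    top = children(body)
    tags = [t for t, _ in top]
    first = [t for t, _ in children(top[0][1])] if tags[:1] == [0x30] else []
    if tags == [0x30, 0x03] and first[:1] == [0x06]:
        return "spki"      # AlgorithmIdentifier (starts with OID), BIT STRING
    if tags == [0x30, 0x30, 0x03] and first[:3] == [0x02, 0x30, 0x30]:
        return "pkcs10"    # info (version, subject, SPKI, ...), sigAlg, signature
    raise DerError("neither PKCS #10 nor SubjectPublicKeyInfo")

def check_for_browser(der, is_msie):
    """True only if the value has the format the guide requires for the browser."""
    return classify_public_key(der) == ("pkcs10" if is_msie else "spki")

# Constructed samples: correct DER shape, dummy key/signature bytes, and the
# key algorithm identifier reused as a stand-in signature algorithm.
def tlv(tag, content):
    return bytes([tag, len(content)]) + content   # short-form lengths only
ALG = tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
SAMPLE_SPKI = tlv(0x30, ALG + tlv(0x03, b"\x00" + b"\xAA" * 16))
INFO = tlv(0x30, b"\x02\x01\x00" + tlv(0x30, b"") + SAMPLE_SPKI + tlv(0xA0, b""))
SAMPLE_PKCS10 = tlv(0x30, INFO + ALG + tlv(0x03, b"\x00" + b"\xBB" * 16))
```

`check_for_browser(SAMPLE_PKCS10, is_msie=False)` returns `False`, which is the case from this article: an MSIE-format value submitted from Firefox.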
Workaround: Created a custom HTML page for certificate enrollment to test OneStep functionality
Notes: Build 516 for RSA Certificate Manager 6.8 is planned to be released in March 2009.
Legacy Article ID: a43633