000022340 - Existing certificate requests are not listed in Keon Certificate Authority; JavaScript errors appear when trying to list active certificate requests

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000022340
Applies ToKeon Certificate Authority 6.5.1
IssueExisting certificate requests are not listed in Keon Certificate Authority; JavaScript errors appear when trying to list active certificate requests
When an administrator (or a vettor) attempts to list all active certificate requests (using Microsoft Internet Explorer) for a jurisdiction on the Keon Certificate Authority administrative interface -> Certificate Operations workbench, the following error message pops up in a window:

    Error
    A Runtime Error has occurred. Do you wish to Debug?
    Line: 503
    Error: Unterminated string constant
    <Yes> <No>

If <No> is clicked on the above message, the following error shows in a second pop-up window:

    Error
    A Runtime Error has occurred. Do you wish to Debug?
    Line: 665
    Error: 'resultList' is undefined
    <Yes> <No>
CauseThe recent certificate request submitted to the Keon Certificate Authority (KCA) contained a string terminated by a single 'Carriage Return' character (CR, \r, or x0D) as a value to one of the request attributes. The KCA administrative interface did not expect such a string (terminated by \r); hence, it was not sanitized, resulting in JavaScript errors being thrown on the browser when rendering the page.

In one known instance, the attributes of the certificate request 'xuda_cert_req' object containing such a string were 'nondn' and 'postal-address'. If an LDIF of the KCA database is generated (see re-indexing instructions in the KCA Administrator's Guide), any strings containing \r character would be converted into a base-64 value. If such a certificate request object is located in the LDIF, those attribute values would show base-64 encoded instead of a usual string. This is an expected behavior as per RFC 2849 (http://www.faqs.org/rfcs/rfc2849.html) in that an LDIF may contain base-64 encoded value for data that contains characters other than those defined as "SAFE-CHAR".  SAFE-CHAR includes %x01-09, %x0B-0C, and %x0E-7F (i.e., any value <=127 decimal except NUL, LF, and CR).
ResolutionA complete solution would include both 1) an update to the KCA-API application to sanitize the data being passed to the KCA, and 2) an update to the KCA administrative interface to prune such data being displayed. As of September 2005, a defect is open and a future hot fix for KCA 6.5.1 may include a solution for this issue. In the meantime, the following steps can be taken to update the KCA administrative interface to avoid the above known issue:

1. Backup the file <KCA-install-dir>/WebServer/x-templates/x-construct-req.xuda

2. Use a text editor to open <KCA-install-dir>/WebServer/x-templates/x-construct-req.xuda

3. Search for the following line:

    !SubStr( reqNonDn, "\n", "\\n" )

4. Add the following new line immediately after the above line:

    !SubStr( reqNonDn, "\r", "\\n" )

5. Save the changes

6. Close all existing browser windows and open a new browser window to go to the KCA administrative interface to list all active certificate requests. The page should now display all the requests.
WorkaroundA new certificate request was submitted by an end user through a Keon Certificate Authority API (KCA-API) based application
Legacy Article IDa28008

Attachments

    Outcomes