000022836 - Error: 'Unable to complete decoding operation' when submitting PKCS10 from Enrollment server in Keon Certificate Authority and RSA Certificate Manager

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000022836
Applies To: Keon Certificate Authority 6.5.1
RSA Certificate Manager 6.6
Sun PKCS10 API
Issue: Error: "Unable to complete decoding operation" when submitting PKCS10 from Enrollment server in Keon Certificate Authority and RSA Certificate Manager
PKCS#10 request was created using Sun PKCS10 API
The following error shows up when submitting the PKCS10 to the enrollment server, while submitting the same PKCS10 request to the CMP server will succeed:

!PKCS10Parse(): [XrcDECODINGFAILURE] unable to complete decoding operation. XudaParsePKCS10Request(): [XrcDECODINGFAILURE: unable to complete decoding operation]
Calling the following constructor with empty-string parameters results in a PKCS10 request containing errors.

       X500Name x500Name = new X500Name("TestCertificate","Test Organization","Test OU", "","","US");

Resulting ASN.1 representation of the PKCS10:

 SEQUENCE {
   SEQUENCE {
     INTEGER 0
     SEQUENCE {
       SET {
         SEQUENCE {
           OBJECT IDENTIFIER countryName (2 5 4 6)
           PrintableString 'US'
           }
         }
       SET {
         SEQUENCE {
           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
           PrintableString
* Error: Object has zero length.
           }
         }
       SET {
         SEQUENCE {
           OBJECT IDENTIFIER localityName (2 5 4 7)
           PrintableString
* Error: Object has zero length.
           }
         }
       SET {
         SEQUENCE {
           OBJECT IDENTIFIER organizationName (2 5 4 10)
           PrintableString 'Test OU'
           }
         }
       SET {
         SEQUENCE {
           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
           PrintableString 'Test Organization'
           }
         }
       SET {
         SEQUENCE {
           OBJECT IDENTIFIER commonName (2 5 4 3)
           PrintableString 'Test Certificate'
           }
         }
       } 
Cause: Bad PKCS10 request
Resolution: To correct this issue, use a different constructor that does not need the StateOrProvince and Locality fields. Alternatively, use JSAFE instead of the Sun API. A good request would look like the following:

 SEQUENCE {
   SEQUENCE {
     INTEGER 0
     SEQUENCE {
       SET {
         SEQUENCE {
           OBJECT IDENTIFIER countryName (2 5 4 6)
           PrintableString 'US'
           }
         }
       SET {
         SEQUENCE {
           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
           PrintableString 'Test State'
           }
         }
       SET {
         SEQUENCE {
           OBJECT IDENTIFIER localityName (2 5 4 7)
           PrintableString 'Test Locality'
           }
         }
       SET {
         SEQUENCE {
           OBJECT IDENTIFIER organizationName (2 5 4 10)
           PrintableString 'Test OU'
           }
         }
       SET {
         SEQUENCE {
           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
           PrintableString 'Test Organization'
           }
         }
       SET {
         SEQUENCE {
           OBJECT IDENTIFIER commonName (2 5 4 3)
           PrintableString 'Test Certificate'
           }
         }
       }
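
A pre-submission check for the failure shown above, as an added example (not RSA's or Sun's code): it walks DER bytes and reports every attribute whose string value has zero length. The sample Names are constructed to mirror the two dumps on this page and cover the subject Name only; single-byte tags are assumed.

```python
# Added example: flag SEQUENCE { OID, zero-length string } in DER (definite lengths only).
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}

def read_tlv(buf, pos):                     # -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    subs, val = [], 0
    for b in body:                          # base-128 subidentifiers
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def empty_attribute_values(der):
    """List (oid, string_type) for every SEQUENCE { OID, zero-length string }."""
    hits = []
    def walk(start, end):
        kids = []
        while start < end:
            tag, vs, ve = read_tlv(der, start)
            kids.append((tag, vs, ve))
            start = ve
        if (len(kids) == 2 and kids[0][0] == 0x06
                and kids[1][0] in STRING_TAGS and kids[1][1] == kids[1][2]):
            hits.append((decode_oid(der[kids[0][1]:kids[0][2]]), STRING_TAGS[kids[1][0]]))
        for tag, vs, ve in kids:
            if tag & 0x20:                  # constructed: SEQUENCE, SET, [0] ...
                walk(vs, ve)
    walk(0, len(der))
    return hits

# Constructed sample data mirroring the two dumps on this page (subject Name only).
def tlv(tag, body=b""):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body
def rdn(arc, text):                         # SET { SEQUENCE { OID 2.5.4.<arc>, PrintableString } }
    return tlv(0x31, tlv(0x30, tlv(0x06, bytes([0x55, 0x04, arc])) + tlv(0x13, text.encode())))
TAIL = rdn(10, "Test OU") + rdn(11, "Test Organization") + rdn(3, "Test Certificate")
BAD_NAME = tlv(0x30, rdn(6, "US") + rdn(8, "") + rdn(7, "") + TAIL)
GOOD_NAME = tlv(0x30, rdn(6, "US") + rdn(8, "Test State") + rdn(7, "Test Locality") + TAIL)
```

Because the walker recurses through every constructed element, the DER bytes of a complete PKCS#10 request can be passed to `empty_attribute_values` as well.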
Legacy Article ID: a30573
