SSCEP enroll failed with ClassNotFoundException #3284

Open
pki-bot opened this issue Oct 3, 2020 · 0 comments

This issue was migrated from Pagure Issue #3167. Originally filed by cipherboy (@cipherboy) on 2020-03-17 10:48:45:

  • Assigned to nobody

Description of problem:
SSCEP enroll failed with ClassNotFoundException for different hashing algorithms, i.e. sha512 and sha256

Version-Release number of selected component (if applicable):
PKI Command-Line Interface 10.7.3-1.module+el8.1.0+3964+500fc130

How reproducible:
Always

Steps to Reproduce:

  1. Install CA

  2. wget sscep.conf, sscep and mkrequest tool from http://download.eng.bos.redhat.com/qa/rhts/lookaside/IdM/rhcs/scep_software/sscep/rhel7-x86_64_modified location

  3. Provide execute permission for all the files: # chmod +x sscep.conf sscep mkrequest

  4. Uncomment and update with correct IP address and pin in flatfile.txt
    UID: <ip_address>
    PWD: 1212

    /var/lib/pki/<ca_instance>/conf/ca/flatfile.txt

  5. Restart the instance:
    systemctl restart

  6. Execute the below commands to enroll the certificate with sha512:

./mkrequest -ip <ip_address> 1212 sha512
DIGEST=-sha512
Generating RSA private key, 1024 bit long modulus (2 primes)
........................+++++
.......................................+++++
e is 65537 (0x010001)

./sscep getca -u http://pki1.example.com:20080/ca/cgi-bin/pkiclient.exe -c ca.crt

./sscep: starting sscep, version 20081211
./sscep: hostname: pki1.example.com
./sscep: directory: ca/cgi-bin/pkiclient.exe
./sscep: port: 20080
./sscep: SCEP_OPERATION_GETCA
./sscep: requesting CA certificate
./sscep: scep msg: GET /ca/cgi-bin/pkiclient.exe?operation=GetCACert&message=CAIdentifier HTTP/1.0

./sscep: server returned status code 200
./sscep: MIME header: application/x-x509-ca-cert
./sscep: valid response from server
./sscep: MD5 fingerprint: 60:DF:DB:70:57:B2:FB:5E:B0:2D:2E:11:C6:2E:24:F1
./sscep: CA certificate written as ca.crt

./sscep enroll -f sscep.conf -u http://pki1.example.com:20080/ca/cgi-bin/pkiclient.exe -c ca.crt -k local.key -r local.csr -l cert.crt -S sha512 -d

Actual results:

It should enroll the certificate with the sha512 algorithm

Expected results:

sscep enroll will fail with below exception:

./sscep: server returned status code 500
./sscep: mime_err: HTTP/1.1 500 
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 3389
Date: Mon, 18 Nov 2019 13:12:57 GMT
Connection: close

<!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:525D76;border:none;}</style></head><body><h1>HTTP Status 500 – Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Couldn&39;t handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>javax.servlet.ServletException: Couldn&39;t handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword
	com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:397)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:498)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
	java.security.AccessController.doPrivileged(Native Method)
	javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
	org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
	java.security.AccessController.doPrivileged(Native Method)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:498)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
	java.security.AccessController.doPrivileged(Native Method)
	javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
	org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
</pre><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class="line" /><h3>Apache Tomcat/9.0.7</h3></body></html>
./sscep: wrong (or missing) MIME content type
./sscep: error while sending message

Additional info:
