SCEP RA Server signature and encryption required

2013-11-19
  • Javier Arjona Sanchez

    Environment:
    EJBCA 4.0.16
    Operating System: Solaris 10
    Jboss 5.1.0

    Hi, I have the RA Ext SCEP Server configured and the CA Server with ExtRACAServiceWorker configured with this configuration:

    externalra-caservice.keystore.path=<my_path>/extrakeystore.p12
    externalra-caservice.signature.required=true
    externalra-caservice.encryption.required=true
    externalra-caservice.keystore.pwd=<my_password>
    externalra-caservice.raissuer=<my_CAname>
    externalra-caservice.persistenceunit=RAMessage1DS

    When the RA SCEP receives a request, the RA saves the messages in the database OK using the scep.properties file, but when ExtRACAServiceWorker reads the message it fails with this error:

    ERROR [org.ejbca.extra.db.ExtRAMsgHelper] Error verifying data :
    java.lang.NullPointerException
    at org.ejbca.extra.db.ExtRAMsgHelper.verifySignature(ExtRAMsgHelper.java:214)
    at org.ejbca.extra.db.ExtRAMsgHelper.verifySignature(ExtRAMsgHelper.java:163)
    at org.ejbca.extra.db.SubMessages.load(SubMessages.java:100)
    at org.ejbca.extra.db.Message.getSubMessages(Message.java:153)
    at org.ejbca.extra.ra.ScepRAServlet.service(ScepRAServlet.java:252)
    at org.ejbca.extra.ra.ScepRAServlet.doPost(ScepRAServlet.java:163)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:662)
    ERROR [org.ejbca.extra.db.SubMessages] Error reading persistent SubMessages.
    java.security.SignatureException: Signature not valid

    Why does the RA not sign and encrypt the message?

    In the source code, ScepRAServlet uses:

    SubMessages submessages = new SubMessages();

    and does not use this other method:

    /**
     * Constructor to use when creating a SubMessages.
     *
     * @param userCert certificate used for signing the request and used for encryption by
     *        the responding service. Set this to null if no request signing should be performed.
     * @param userKey Key to use as signing, set to null if no signing should be performed.
     * @param encCert certificate that should be used to encrypt the messages.
     *        Set this to null if no encryption should be done.
     */
    public SubMessages(X509Certificate userCert, PrivateKey userKey, X509Certificate encCert)

    Why?

    If I put in service worker:

    externalra-caservice.signature.required=false
    externalra-caservice.encryption.required=false

    all work fine.

    I can't find in the documentation how to configure the SCEP RA Server to sign and encrypt messages.

    Thanks and Regards
    Javier Arjona

  • Javier Arjona Sanchez

    The real parameters in the worker are:

    externalra-caservice.keystore.path=my_path/extrakeystore.p12
    externalra-caservice.signature.required=true
    externalra-caservice.encryption.required=true
    externalra-caservice.keystore.pwd=my_password
    externalra-caservice.raissuer=my_CA
    externalra-caservice.persistenceunit=RAMessage1DS

    Regards

  • Tomas Gustavsson

    The SCEP RA server does not support signing and encryption of messages. I think you will find this in the documentation somewhere, or at least there is something in jira.

    Cheers,
    Tomas


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.
    http://www.primekey.se/Services/Support/
    http://www.primekey.se/Services/Training/

  • Javier Arjona Sanchez

    Hi Tomas,
    I found it now in the documentation: http://www.ejbca.org/externalra.html

    "For signing and encryption the client that uses the API on the RA must support these options. The ScepRA does not support signing and encryption"

    Ummmmmm, if I change in ScepRAServlet.java:

    SubMessages submessages = new SubMessages();

    for this:

    SubMessages submessages = new SubMessages(racert, rapriv, ????)

    Should it work fine, or are more internal changes necessary in the SCEP RA Server?

    ---> ???? is encCert, and this param is the certificate that should be used to encrypt the messages.

    What encCert (X509Certificate) do I need to write here? The CA certificate, or the self-signed client SCEP certificate of the request?

    Regards and thanks
    Javier

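The RA/worker mismatch in this thread, modelled in Python as an added example (not EJBCA or PrimeKey code): the RA side mirrors the three-argument SubMessages constructor quoted above, where a null userKey means "don't sign" and a null encCert means "don't encrypt", and the worker side enforces the signature.required / encryption.required flags and rejects an unsigned message with a clear error instead of the NullPointerException in the log. It assumes (not stated on the page) that encCert is the certificate of the CA-side worker's keystore, so the worker decrypts with its own key; keys, payload and class names are constructed for the example and the `cryptography` package is used in place of the Java CMS classes.

```python
from dataclasses import dataclass
from typing import Optional
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(padding.MGF1(hashes.SHA256()), hashes.SHA256(), None)

@dataclass
class SubMessages:
    """Stand-in for org.ejbca.extra.db.SubMessages: payload plus optional protection."""
    payload: bytes                      # plaintext, or ciphertext when encrypted
    signature: Optional[bytes] = None   # None: built with SubMessages(), as ScepRAServlet does
    signer_pub: Optional[bytes] = None  # stand-in for userCert (PEM public key)
    encrypted: bool = False

def keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def ra_build(payload, user_key=None, enc_cert_pub=None):
    """Mirror of SubMessages(userCert, userKey, encCert): None disables that step."""
    sig = pub = None
    if user_key is not None:                      # sign the cleartext first
        sig = user_key.sign(payload, padding.PKCS1v15(), hashes.SHA256())
        pub = user_key.public_key().public_bytes(
            serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    if enc_cert_pub is not None:                  # then encrypt to encCert's key
        payload = enc_cert_pub.encrypt(payload, OAEP)
    return SubMessages(payload, sig, pub, enc_cert_pub is not None)

def worker_load(msg, worker_key, signature_required, encryption_required):
    """CA-side ExtRACAServiceWorker: enforce the *.required flags and fail closed."""
    if encryption_required and not msg.encrypted:
        return None, "encryption required but message is cleartext"
    if signature_required and msg.signature is None:
        return None, "signature required but message is unsigned"  # not an NPE
    data = worker_key.decrypt(msg.payload, OAEP) if msg.encrypted else msg.payload
    if msg.signature is not None:
        try:
            serialization.load_pem_public_key(msg.signer_pub).verify(
                msg.signature, data, padding.PKCS1v15(), hashes.SHA256())
        except InvalidSignature:
            return None, "Signature not valid"
    return data, "ok"

def demo():
    ra_key, ca_key = keypair(), keypair()
    req = b"PKCSReq for CN=device01"                      # constructed sample payload
    unsigned = ra_build(req)                              # what ScepRAServlet produces
    protected = ra_build(req, ra_key, ca_key.public_key())  # what required=true expects
    return (worker_load(unsigned, ca_key, True, True)[1],
            worker_load(unsigned, ca_key, False, False)[1],
            worker_load(protected, ca_key, True, True)[0] == req)
```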