Menu
▾
▴
libpki-users — Users discussions and Advices
You can subscribe to this list here.
| 2007 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(1) |
Oct
(1) |
Nov
|
Dec
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2008 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(3) |
Jul
(1) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2009 |
Jan
(2) |
Feb
|
Mar
|
Apr
(1) |
May
(4) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2010 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(18) |
Jul
|
Aug
(2) |
Sep
(1) |
Oct
|
Nov
|
Dec
|
| 2011 |
Jan
|
Feb
(14) |
Mar
(2) |
Apr
|
May
(1) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2012 |
Jan
|
Feb
|
Mar
|
Apr
|
May
(1) |
Jun
|
Jul
|
Aug
(1) |
Sep
|
Oct
|
Nov
|
Dec
|
| 2013 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
(3) |
Sep
|
Oct
(1) |
Nov
|
Dec
|
| 2014 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
(2) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2015 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(4) |
Oct
|
Nov
(1) |
Dec
|
| 2017 |
Jan
(1) |
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2022 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
(1) |
|
From: Dr. P. <dir...@op...> - 2022-12-15 23:33:12
|
Hello LibPKI Community, as some of you noticed, we have been working, recently, to provide support for post-quantum certificates in LibPKI. Specifically, the current version of the source (0.9.6) is looking at exploring few different options for the next generation PKIs. Here's some of the features we are working on that we really would like the community support for. *Composite Crypto Support (Hybrid Classic and Post-Quantum)* LibPKI is adding support for using multiple algorithms/keys via the Composite Crypto idea that we are promoting for standardization at the IETF. The Composite Crypto option combines multiple public keys in certificates and multiple signatures in all X.509 and other data structures we support. You can find more info here: * https://github.com/EntrustCorporation/draft-ounsworth-pq-composite-keys (composite keys) * https://github.com/EntrustCorporation/draft-ounsworth-composite-sigs (composite signatures) Many companies and projects are implementing this solution to provide Hybrid options for the ones of us that do not trust neither classic or post-quantum by itself. The LibPKI implementation, currently, generates a new Algorithm (the COMPOSITE) and allows for generating keys, requests, etc. More work is needed to provide support for explicit combinations of algorithms and for the verifying of multiple signatures within a composite signature. The use of Composite Crypto could be seen as a one-off need or maybe a change in our field. Specifically, the question that it is on our minds is about the longevity of PKIs (i.e., 50 years horizons). With the advent of post-quantum cryptography and group-based theories, maybe the time for long-term PKIs is now over? Maybe it is time for us to really look into shorter crypto-periods (7-10 years) and evolution of PKIs into dynamic ecosystems (7-10 years with migration built-in). If you are interested in working on Composite Crypto... please join our efforts! The IETF discussion on Hybrid certificates is available from the LAMPS working group: * https://mailarchive.ietf.org/arch/browse/spasm/ (mailing list archive) *Post-Quantum Certificates (Direct vs. Hash-n-Sign)* The standardization process for post-quantum public-key cryptography has progressed into its final phase and we need to start talking about how we are going to integrate these new algorithms in our certificates and PKIs. We are leading a small group of people and companies to investigate and propose approaches for how to use, for example, direct signing vs. hash-n-sign. This has many implications for the use of hybrid cryptography (i.e., the number of different OIDs to identify algorithm combinations). The LibPKI support is provided through the OQS library and the OQS-OpenSSL wrapper that is available here: * https://openquantumsafe.org/ We are also working on a LibPKI-native implementation of Dilithium to investigate the use of a single algorithm identifier to handle all security levels of the algorithms (i.e., Dilithium2022 -> Level 2, Level 3, and Level 5). At IETF 115 we started a interoperability project/hackaton for PQC and Composite Crypto. The project was started at IETF 115 Hackaton and is supported by many different entities such as big companies (e.g., DigiCert, CISCO, etc.) and open-source projects (e.g., PyCrypto, Rust Crypto). The GITHUB repository is available here: * https://github.com/IETF-Hackathon/pqc-certificates *A Complex World Requires Higher Ethics* When we started the OpenCA projects, we lived in a different world. Regrettably, today, terrorists countries like Russia are threatening the world-peace, making all other issues that we are dealing with much worst. At OpenCA Labs, we condemn the use of violence in any form and, in particular, the use of WAR as an instrument of political gain. Russia and all the countries that continue to support a terrorist attack on the sovereign country of Ukraine are on the WRONG side of history and we will do everything we can to support the free people of Ukraine. Because of these reasons, we have changed our LICENSE agreement to make sure that we do not directly or indirectly support terrorists, violence, and wars. If you or your organization are directly or indirectly supporting the war or the Russian terrorist country, please be aware that you are no longer among the welcome people in our community and you are legally required NOT to use any of our products. We hope that this policy will make you change your mind about supporting terrorism, violence, and death. *Happy Holidays* We hope that the world could grow and understand the need for a more ethical and intelligent way of taking decisions and in the meantime we would like to wish you all the best possible holidays you can celebrate. At OpenCA we will never stop striving for a better world with our work and commitment to providing easy security for all. Happy Holidays!!! -- Best Regards, Massimiliano Pala, Ph.D. OpenCA Labs Director OpenCA Logo |
|
From: Kent M. <kmo...@gm...> - 2017-01-18 13:05:15
|
Hello, I'm trying to use libpki. I've been able to setup a test OpenCA installation, but I can't find any documentation or good examples about using libpki to create certificate request, send them to OpenCA, and then retrieve issued certificates and CRLs. The examples folder in the source code looks to miss many files, and the only few examples with code don't compile (without modification), and explain nothing about they work. Headers file comment are very little helpful as well. Where could I find documentation/example about how to use libpki? Thank you, regards, Kent Morwath |
|
From: Massimiliano P. <dir...@op...> - 2015-11-23 20:25:29
|
Hi all,
we started a new initiatives for defining specifications for "Standard
Interfaces for Cryptographic APIs". The idea is to provide a very
practical approach to defining an API that can be implemented on top of
current (and future) cryptographic libraries that will provide
application portability.
We are currently hosting few web pages here:
http://cryptoapi.openca.org
There we have the link to the mailing list we will use for discussing
the work.
The initiative is at its very beginning and we hope to involve many
experts, practitioners, cryptographers, and vendors. The expected output
for the (not yet an IETF WG) working group is twofold: specifications
and implementations.
Please let me know if you would like to participate.. and/or just
subscribe to the mailing list and post your questions there.
Have a great day,
Cheers,
Dr. Max
|
|
From: Martin H. <he...@hl...> - 2015-09-30 09:00:55
|
Hi Brad, the configure script is created by autoconf. You might be able to build an appropriate configure script for freeBSD by just running autoconf yourself after extracting the files from the source package. However, if I do this on my linux system, "amd64" doesn't apppear in the configure script. If running autoconf alone doesn't help, you might have to modify configure.in. Actually, bsd is mentioned in some places there. Maybe you just need to replace 'bsd' by 'amd64' there and re-run autoconf. best regards, Martin On 09/29/2015 10:05 PM, Brad Waite wrote: > Thanks for the reply, Martin. > > Actually, I was most interested in the OCSP responder. There seems to be a dearth of open source responders out there. > > I tried building libpki from source under FreeBSD, but configure tossed an error: "Not supported arch (amd64)" > > Should I bring up the error on the ocspd list, or simply give up? ;) > > On 9/24/2015 11:04 AM, Martin Hecht wrote: >> Hi Brad, >> >> I think the mailing list is pretty much unused. on the ocspd list there >> is slightly more discussion, also about libpki. Ralf, and also a few >> others have proposed a few fixes on that list and you can find them in >> the archive of that list. >> >> Dr. Massimiliano Pala, the leader of the OpenCa project, and also of the >> related ones like libpki, has moved the code base to github a while ago. >> You can find libpki at https://github.com/openca/libpki, and actually, >> there is a version 0.8.9 from March 2015. >> >> So it's not happening a lot around OpenCa anymore, but it's not >> completely dead. Every now and then, there is a release with a couple of >> fixes and also some small feature extesions (like in the case of the >> latest commit for libpki). >> >> best regards, >> Martin >> |
|
From: Brad W. <li...@wc...> - 2015-09-29 20:06:04
|
Thanks for the reply, Martin. Actually, I was most interested in the OCSP responder. There seems to be a dearth of open source responders out there. I tried building libpki from source under FreeBSD, but configure tossed an error: "Not supported arch (amd64)" Should I bring up the error on the ocspd list, or simply give up? ;) On 9/24/2015 11:04 AM, Martin Hecht wrote: > Hi Brad, > > I think the mailing list is pretty much unused. on the ocspd list there > is slightly more discussion, also about libpki. Ralf, and also a few > others have proposed a few fixes on that list and you can find them in > the archive of that list. > > Dr. Massimiliano Pala, the leader of the OpenCa project, and also of the > related ones like libpki, has moved the code base to github a while ago. > You can find libpki at https://github.com/openca/libpki, and actually, > there is a version 0.8.9 from March 2015. > > So it's not happening a lot around OpenCa anymore, but it's not > completely dead. Every now and then, there is a release with a couple of > fixes and also some small feature extesions (like in the case of the > latest commit for libpki). > > best regards, > Martin > |
|
From: Martin H. <he...@hl...> - 2015-09-24 17:04:40
|
Hi Brad, I think the mailing list is pretty much unused. on the ocspd list there is slightly more discussion, also about libpki. Ralf, and also a few others have proposed a few fixes on that list and you can find them in the archive of that list. Dr. Massimiliano Pala, the leader of the OpenCa project, and also of the related ones like libpki, has moved the code base to github a while ago. You can find libpki at https://github.com/openca/libpki, and actually, there is a version 0.8.9 from March 2015. So it's not happening a lot around OpenCa anymore, but it's not completely dead. Every now and then, there is a release with a couple of fixes and also some small feature extesions (like in the case of the latest commit for libpki). best regards, Martin On 09/23/2015 04:34 AM, Brad Waite wrote: > Hi there, > > Based on the extremely low traffic, I'm assuming this project is dead. > > Is there anyone kind enough to confirm or deny? > > Thanks, > > Brad |
|
From: Brad W. <li...@wc...> - 2015-09-23 02:35:06
|
Hi there, Based on the extremely low traffic, I'm assuming this project is dead. Is there anyone kind enough to confirm or deny? Thanks, Brad |
|
From: Massimiliano P. <dir...@op...> - 2014-07-29 12:42:56
|
Hi All, As many of us have probably had to deal with some pain points when developing and/or using applications together with X509 PKIs. I hope that the projects we promote (i.e., OpenCA PKI, OpenCA OCSPD, and LibPKI) have been helpful in providing useful solution. However, issues still exist in interacting with PKIs. In particular, some of the most painful areas are related to service (and repository) discovery and efficient revocation. Besides implementing specific solutions for well-defined (and usually quite closed) environments, no existing standards efficiently address these issues. In the past we participated to discussions within the Internet Engineering Task Force (IETF) and implemented the standardized protocols (e.g., OCSP). However, the Working Group (WG) that was historically responsible for advancing the status of these standards (required for interoperability across applications and organizations) was declared closed - therefore, today, there is no proper venue where this standardization work can happen. It seems that the IETF is still on the fence about the need for solving these issues and that strong consensus is required in order to open a new WG that will address these problems. I was wondering what the OpenCA community thinks about the need to provide standards that cover the aforementioned issues (e.g., by providing enhancements over existing solutions - like OCSP over DNS, by providing new more-compact revocation formats that would better cope with high-volume transactions environments than OCSP, and - ultimetely - by providing PKIX discovery protocols that will ease interacting with certificate-related services and with federating identities) and if anybody would feel like they can contribute to the discussion and, eventually, to the needed work (via the PKIX mailing list - https://www.ietf.org/mailman/listinfo/pkix). If the proposal for working on these issues will move forward, I think that the OpenCA Labs could very well work on implementing those standards and, therefore, solve those issues for lots of us in a standardized and interoperable way. Cheers, Max |
|
From: Jon L. <jon...@ve...> - 2014-07-08 17:49:27
|
Hi there, I'm trying to set up OpenCA 1.5.0 as the CA for my ASA's VPN certs and I'm having a bit of trouble. No useful debugging info and no real error messages to speak of. Does anybody have a thought as to where to look or a tutorial? Thanks in advance -- Jon Leonard Mover and Shaker jon...@ve... 617-864-0636 x3024 www.vecna.com Cambridge Research Laboratory Vecna Technologies, Inc. 36 Cambridge Park Drive Cambridge, MA 02140 Office: (617) 864-0636 Fax: (617) 864-0638 http://vecna.com Better Technology, Better World (TM) The contents of this message may be privileged and confidential. Therefore, if this message has been received in error, please delete it without reading it. Your receipt of this message is not intended to waive any applicable privilege. Please do not disseminate this message without the permission of the author. |
|
From: Esteban L. <el...@so...> - 2013-10-19 00:01:00
|
Hi everyone Openca fail when try to generate caCert or more exactly when try to insert the certificate info in database. Web Error Error while storing CA cert to dB! openca log DBD::Pg::st execute failed: ERROR: invalid input syntax for integer: "" at /etc/openca/lib/openca/perl_modules/perl5/OpenCA/DBI.pm line 3345. doQuery: query: insert into openca.ca_certificate ( ca_cert_key, data, format , status, notbefore, notafter, dn, cn, email, public_key) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) Postgres log dbdpg_p3691_2: insert into openca.ca_certificate ( ca_cert_key, data, format , status, notbefore, notafter, dn, cn, email, public_key) VALUES ( $1, $2, $3, $4, $5, $6, $7, $8, $9, $10) 2013-10-18 16:20:43 CDT [3692]: [20-1] db=atmCerts,user=openca LOCATION: exec_parse_message, postgres.c:1385 2013-10-18 16:20:43 CDT [3692]: [21-1] db=atmCerts,user=openca ERROR: 22P02: invalid input syntax for integer: "" Certificates exist in /etc/openca/var/openca/crypto But there is and error because of a null parameter in DBI.pm version openca-base-1.5.0 and openca-tools-1.3.0 Any advice is welcome |
|
From: Ralf V. <ral...@we...> - 2013-08-12 20:34:18
|
Hello, in libpki I found only some files where the GPL license is noticed. The according spec-file contains a hint for a BSD-Style license. So a general licence file would be preferable. In general I prefer a Apache-like / BSD-Style license. Than also commercial third parties can use the library without releasing their proprietary parts and can feel free if they distribute their patches to the community. I think this promotes the distribution of the library. I think this is also the reason why openssl is so successful in commercial and non-commercial areas. Regards, Ralf Am 07.08.2013 00:14, schrieb Dr. Pala: > Hi all, > > I wanted to ask you a question about the current license of LibPKI. It > was asked to change it from GPL to Apache-like (exactly as all the other > licenses of our projects). What do you think ? Good idea or bad ? > > Cheers, > Max > > > -- > > Best Regards, > Massimiliano Pala, Ph.D. > OpenCA Labs Director > > OpenCA Labs > Tel. (603) 369-9332 > skype: openca > > > ------------------------------------------------------------------------------ > Get 100% visibility into Java/.NET code with AppDynamics Lite! > It's a free troubleshooting tool designed for production. > Get down to code-level detail for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk > > > > _______________________________________________ > Libpki-users mailing list > Lib...@li... > https://lists.sourceforge.net/lists/listinfo/libpki-users > |
|
From: Dr. P. <dir...@op...> - 2013-08-06 22:22:31
|
Hi all, I wanted to ask you a question about the current license of LibPKI. It was asked to change it from GPL to Apache-like (exactly as all the other licenses of our projects). What do you think ? Good idea or bad ? Cheers, Max -- Best Regards, Massimiliano Pala, Ph.D. OpenCA Labs Director OpenCA Labs Tel. (603) 369-9332 skype: openca |
|
From: Dr. P. <dir...@op...> - 2013-08-04 12:17:10
|
Hi Guys, I finally had the time to package a new version of LibPKI that should solve some issues with the previous versions (memory leaks, mostly). Thanks to your contributions :D Please download and use it, let me know if you find issues with its usage - so that we can fix the latest bugs before we announce it publicly. Cheers, Max -- Best Regards, Massimiliano Pala, Ph.D. OpenCA Labs Director OpenCA Labs Tel. (603) 369-9332 skype: openca |
|
From: David O'C. <dav...@cs...> - 2012-08-14 11:57:25
|
Hi, I ran into the same problem encountered by Mark Nejedlo in May. I joined the mailing list to reply! My workaround is to statically link against libresolv.a for the binaries in src/tools. I've attached a patch for that. I had to do something similar with openca-ocspd. I have been working on producing up-to-date EL5 RPMs for both. Kind regards, David On 2012-05-07 Mark Nejedlo wrote: > I am running into build errors when I try to build libpki. Configure and make run fine until it reaches: > > libtool: link: gcc -g -O2 -fstack-check -maccumulate-outgoing-args -Wl,-rpath -Wl_tool-pki-tool.o -L/usr ../.libs/libpki.so -L/usr/kerberos/lib64 -lpthread -lrt -lresolv -Wl,-rpath -Wl,/opt/libpki-0.6.7/lib64 > > at which point the following errors are thrown: > > ../.libs/libpki.so: undefined reference to `__ns_initparse' > ../.libs/libpki.so: undefined reference to `__ns_name_uncompress' > ../.libs/libpki.so: undefined reference to `__ns_parserr' > > Google tells me that these are internal functions of libresolv and aren't exported. Any ideas how to work around this? > > I am building on RedHat Enterprise 5.6 for x86_64. > > Mark -- Ánra Taighde - Scoil na hEolaíochta Ríomhaireachta ⁊ na Staitisticí, Coláiste na Tríonóide, Baile Átha Cliath, BÁC 2 Research Fellow - School of Computer Science & Statistics, Trinity College Dublin, Dublin 2 T: +353 1 896 1720 |
|
From: Nejedlo, M. <Mar...@td...> - 2012-05-07 18:06:36
|
I am running into build errors when I try to build libpki. Configure and make run fine until it reaches: libtool: link: gcc -g -O2 -fstack-check -maccumulate-outgoing-args -Wl,-rpath -Wl_tool-pki-tool.o -L/usr ../.libs/libpki.so -L/usr/kerberos/lib64 -lpthread -lrt -lresolv -Wl,-rpath -Wl,/opt/libpki-0.6.7/lib64 at which point the following errors are thrown: ../.libs/libpki.so: undefined reference to `__ns_initparse' ../.libs/libpki.so: undefined reference to `__ns_name_uncompress' ../.libs/libpki.so: undefined reference to `__ns_parserr' Google tells me that these are internal functions of libresolv and aren't exported. Any ideas how to work around this? I am building on RedHat Enterprise 5.6 for x86_64. Mark |
|
From: <med...@gm...> - 2011-05-19 09:11:30
|
Join the Habeshas Network http://www.adoolis.com Join and invite your facebook friends on a click. Adoolis is an Amharic Facebook Added message: Join me on Adoolis! http://www.doolis.com - connecting and collaborating Habeshas! |
|
From: pradeep r. <pra...@gm...> - 2011-03-29 13:59:00
|
Hi,
I have succuessfully tested libpki scep, ocsp, getcacert,get CRL w.r.t EJBCA
as CA server.
I am struggling to make the scep client program work with MS 2008 server.
I dont see MS 2008 server is receiving my request message.
Here is the code:
if (PKI_X509_SCEP_MSG_encode ( scep_msg, scep_data ) == PKI_ERR )
{
PKI_log_debug( "Can not encrypt the scep message\n");
goto err;
}
till this point, scep client code for ejbca and MS 2008 is same,
But for MS 2008, request message has to be Base 64 encoded.
if(( sk = PKI_STACK_X509_new()) == NULL )
{
return( PKI_ERR );
}
if( PKI_STACK_X509_push( sk, scep_msg ) == PKI_ERR )
{
PKI_STACK_X509_free ( sk );
return ( PKI_ERR );
}
if((idx = PKI_STACK_X509_elements (sk)) < 1 )
{
return ( PKI_ERR );
}
if((scepmem = PKI_MEM_new_null()) == NULL )
{
return (PKI_ERR);
}
if(PKI_X509_STACK_put_mem( sk, PKI_DATA_FORMAT_B64, &scepmem, cred, NULL )
== NULL )
{
if( scepmem ) PKI_MEM_free ( scepmem );
return ( PKI_ERR );
}
if((scepret = URL_put_data_url ( url, scepmem, (char
*)"application/pki-x509-p7", &sceprespmem, 60, 0, NULL)) == PKI_ERR)
{
PKI_log_debug("ERROR::Can not write message or read response P7!");
PKI_log_debug("Please check Server logs for further information");
goto err;
}
Here url has the server application address.
|
|
From: pradeep r. <pra...@gm...> - 2011-03-09 12:17:04
|
Hi,
I am retrieving the signer certificate for siging the ocsp request.
signer = PKI_X509_CERT_get("ocspsigner.pem", NULL, NULL);
>From signer value Iam taking out the key
PKI_X509_KEYPAIR_VALUE *pubKey = NULL;
pubkey = PKI_X509_CERT_get_data ( signer, PKI_X509_DATA_KEYPAIR_VALUE);
But How to make a keypait out of it.
I tried, keypair = PKI_X509_new_dup_value ( PKI_DATATYPE_X509_KEYPAIR,
pubKey, NULL );
How ever, there is no dup call back for this conversion.
I tried another way:
PKI_X509_KEYPAIR *keypair=PKI_X509_new ( PKI_DATATYPE_X509_KEYPAIR, NULL );
keypair->value = PKI_X509_CERT_get_data ( signer,
PKI_X509_DATA_KEYPAIR_VALUE);
But PKI_X509_OCSP_REQ_sign(ocspreq, keypair, certtochk, cacert, NULL,
digest); is failing in signing the request at EVP_SignFinal in
HSM_OPENSSL_sign call.(with segmentation fault.)
|
|
From: pradeep r. <pra...@gm...> - 2011-02-25 15:53:30
|
Hi Max,
Below is the code i coded to send ocsp request, but ejbca is not receiving
the request.Can you point out any thing I missed?
PKI_X509_CERT *certtochk = PKI_X509_CERT_get("cert.pem", NULL, NULL));
PKI_X509_OCSP_REQ *ocspreq = NULL;
ocspreq = PKI_X509_OCSP_REQ_new();
PKI_X509_OCSP_REQ_add_cert(ocspreq, certtochk, cacert, digest);
PKI_X509_OCSP_REQ_add_nonce(ocspreq, 0);
PKI_X509_OCSP_REQ_sign(ocspreq, pkey, certtochk, cacert, NULL, digest);
OCSP_REQUEST_print(outbio, ocspreq->value, 0);
char* urlStr = "http://192.168.0.1:8080/ejbca/publicweb/status/ocsp";
PKI_X509_OCSP_REQ_STACK *sk = NULL;
if(( sk = PKI_STACK_OCSP_REQ_new()) == NULL ) return (PKI_ERR);
PKI_STACK_OCSP_REQ_push( sk, ocspreq );
BIO *membio = BIO_new(BIO_s_mem());
curr_req= PKI_STACK_OCSP_REQ_get_num( sk, 0 );
i2d_OCSP_REQUEST_bio( membio,(OCSP_REQUEST *) curr_req->value );
BIO_get_mem_ptr(membio, &buf_mem);
PKI_MEM_add( pki_mem, buf_mem->data, (size_t) buf_mem->length );
URL *url = NULL;
url = URL_new (urlStr);
URL_put_data_url ( url, pki_mem, (char *) mime, &ocsprespmem, 60, 0, ssl);
PKI_MEM_printf(pki_mem);
here is the request print, seems to me fine, from debug prints, it seems
connection is successfull with server.
OCSP Request Data:
Version: 1 (0x0)
Requestor Name: DirName: CN = scepclient.com, O = Corporation, ST = CA,
C = US
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 4145F8A5CCF07E01EBF1D22D40A1E29392B1E02E
Issuer Key Hash: FE537B40381C97926B154ED8E9288BDF47B422AA
Serial Number: 4C3BB2CF27678EE8
Request Extensions:
OCSP Nonce:
04107031089647AB3DF9168C3AEAC127C326
Signature Algorithm: sha1WithRSAEncryption
a0:01:4e:7b:72:b3:9a:95:3d:30:2f:d0:a7:fe:13:b4:13:8b:
de:cb:e8:ba:24:87:af:81:9c:0a:d3:7c:e1:2f:39:dd:55:e7:
9f:e9:e5:13:17:70:2f:f3:11:fc:37:fa:02:7a:9d:4c:69:04:
64:15:37:fb:9f:58:5e:43:95:9e:a4:41:74:64:92:29:fa:a6:
f6:0e:41:64:1b:d1:1f:1e:7d:0a:15:19:ac:b0:d5:15:49:1f:
a3:36:aa:76:64:d7:dc:74:60:0a:ac:4a:f6:cb:26:d5:d4:cf:
fe:d4:b4:e8:fe:4c:68:2f:eb:3d:7b:e1:14:3f:37:87:87:23:
60:88:8a:a3:b8:02:b4:cd:fe:69:8e:bc:35:f0:69:32:af:29:
31:ad:5e:e7:26:e4:9c:af:38:2b:77:b3:95:de:79:0e:58:9f:
d4:97:30:f5:98:00:66:4b:70:1c:85:f4:d4:b2:36:09:0e:20:
14:8d:18:21:87:4b:9a:24:6d:d6:db:44:82:7c:c1:f7:62:a5:
e6:9c:11:ea:7c:90:d6:86:cf:84:31:61:87:5d:66:9b:b7:58:
d1:be:ec:1c:0e:80:b0:ec:bb:4b:fe:50:62:f5:d5:00:72:17:
1b:79:79:d5:91:61:2a:1c:0d:a8:ab:c4:ca:fc:16:c8:49:e5:
83:e4:f8:70
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4c:3b:b2:cf:27:67:8e:e8
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=AdminCA1, O=EJBCA Sample, C=SE
Validity
Not Before: Feb 25 14:51:15 2011 GMT
Not After : Feb 25 14:51:15 2012 GMT
Subject: CN=scepclient.com, O=Corporation, ST=California, C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c9:dd:ca:66:46:f5:a9:12:47:e3:39:4a:cc:9e:
39:35:64:91:80:63:66:37:b4:0f:6c:78:e7:1a:0c:
2f:d6:d9:e8:18:fc:41:59:0f:59:98:a0:52:41:36:
a1:0d:5a:ce:31:f1:50:45:4d:70:60:88:28:72:1f:
b8:96:f3:52:ee:8c:15:2d:fc:4d:70:74:58:09:24:
b1:f6:71:9f:34:67:09:56:9e:4a:87:b7:d8:f1:86:
cd:dd:8e:38:92:70:73:fa:e5:b7:1a:2a:05:68:b9:
b0:69:6f:1f:9f:11:82:65:c9:00:19:91:df:91:f2:
dd:78:23:48:6a:e0:a0:5e:27:6f:21:ed:52:aa:68:
81:83:db:10:c2:ac:33:01:3a:e0:a1:3a:ee:4e:08:
f8:4a:a5:f7:be:8e:c5:a8:3e:f3:5e:f0:95:06:41:
d1:55:8c:2e:c4:b5:53:92:d3:57:fc:23:01:c4:e7:
ba:9d:92:f0:f9:06:53:6c:f1:d3:e7:8e:4a:58:21:
1e:85:b8:b5:48:e5:d6:4d:52:43:8c:62:8c:48:79:
6f:3d:40:eb:27:98:10:67:2e:f1:db:3e:96:94:d9:
6e:dc:2b:5f:24:2a:78:f7:b8:af:a6:d5:da:8e:f6:
b6:47:73:b9:6e:5b:d5:5d:ef:9e:01:9b:af:16:80:
12:b3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
1C:C1:65:36:29:FA:2A:18:64:30:58:DF:00:4E:60:0A:8A:95:D2:FB
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:FE:53:7B:40:38:1C:97:92:6B:15:4E:D8:E9:28:8B:DF:47:B4:22:AA
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:scepclient.com
Signature Algorithm: sha1WithRSAEncryption
4e:25:20:11:33:e6:f7:50:70:29:22:88:6a:48:4b:cc:be:16:
5b:ef:d6:ee:e2:a7:7b:87:eb:af:30:18:c6:9f:a7:23:ce:73:
eb:f2:47:cb:63:b1:39:d3:e0:6b:5c:e7:b6:bd:e8:d8:10:f1:
3e:43:30:67:2d:69:2e:36:cf:b2:1c:1d:8d:a0:1e:4d:94:2b:
8e:8a:96:d3:14:c8:7a:49:fd:3b:53:b2:0f:a2:ad:52:36:e5:
ac:79:9c:e8:ee:ef:66:b7:5c:9d:df:6f:45:42:ec:a4:d3:4f:
f7:36:5f:4a:bd:6e:d4:70:2b:8e:fe:14:09:8c:f2:49:5c:1a:
44:5d:e0:6e:e8:e6:a6:55:c1:34:20:55:79:44:d5:ad:a8:28:
75:4e:05:ae:9b:61:73:16:73:98:e9:23:21:ff:68:62:37:83:
77:6d:90:8a:e2:61:ba:94:33:cb:2e:6f:76:84:16:e0:27:1d:
a6:cb:20:c9:a5:8b:c3:5c:27:57:47:96:7a:22:ae:34:e2:fb:
f8:a2:0f:ca:43:f9:3d:b5:09:f3:4c:1e:62:f5:7d:a6:e5:80:
20:3a:81:95:8d:8f:03:3a:2f:8d:eb:ca:c9:a9:33:0f:80:65:
4c:b9:e8:13:47:a3:b0:7d:e8:26:e2:02:c2:14:7c:26:5f:89:
db:bc:9e:28
Feb 25 15:31:31 2011 GMT [17051] INFO:
[net/pki_socket.c:123]::DEBUG::Creating a simple connection
Feb 25 15:31:31 2011 GMT [17051] INFO: [net/sock.c:322]::DEBUG::Connection
Successful to 192.168.0.1:8080
Feb 25 15:31:31 2011 GMT [17051] INFO: [net/sock.c:498]::DEBUG::Read 1024
bytes from socket
Feb 25 15:31:31 2011 GMT [17051] INFO: [net/sock.c:498]::DEBUG::Read 539
bytes from socket
Feb 25 15:31:31 2011 GMT [17051] INFO: [net/http_s.c:227]::DEBUG::HTTP DATA
=> size (349->1214)
-----BEGIN OCSP REQUEST-----
MIIFrTCB0aFjpGEwXzEeMBwGA1UEAwwVc2NlcGNsaWVudC5tb2NhbmEuY29tMRsw
GQYDVQQKDBJNb2NhbmEgQ29ycG9yYXRpb24xEzARBgNVBAgMCkNhbGlmb3JuaWEx
CzAJBgNVBAYTAlVTMEUwQzBBMAkGBSsOAwIaBQAEFEFF+KXM8H4B6/HSLUCh4pOS
seAuBBT+U3tAOByXkmsVTtjpKIvfR7QiqgIITDuyzydnjuiiIzAhMB8GCSsGAQUF
BzABAgQSBBBwMQiWR6s9+RaMOurBJ8MmoIIE1TCCBNEwDQYJKoZIhvcNAQEFBQAD
ggEBAKABTntys5qVPTAv0Kf+E7QTi97L6Lokh6+BnArTfOEvOd1V55/p5RMXcC/z
Efw3+gJ6nUxpBGQVN/ufWF5DlZ6kQXRkkin6pvYOQWQb0R8efQoVGayw1RVJH6M2
qnZk19x0YAqsSvbLJtXUz/7UtOj+TGgv6z174RQ/N4eHI2CIiqO4ArTN/mmOvDXw
aTKvKTGtXucm5JyvOCt3s5XeeQ5Yn9SXMPWYAGZLcByF9NSyNgkOIBSNGCGHS5ok
bdbbRIJ8wfdipeacEep8kNaGz4QxYYddZpu3WNG+7BwOgLDsu0v+UGL11QByFxt5
edWRYSocDairxMr8FshJ5YPk+HCgggO5MIIDtTCCA7EwggKZoAMCAQICCEw7ss8n
Z47oMA0GCSqGSIb3DQEBBQUAMDcxETAPBgNVBAMMCEFkbWluQ0ExMRUwEwYDVQQK
DAxFSkJDQSBTYW1wbGUxCzAJBgNVBAYTAlNFMB4XDTExMDIyNTE0NTExNVoXDTEy
MDIyNTE0NTExNVowXzEeMBwGA1UEAwwVc2NlcGNsaWVudC5tb2NhbmEuY29tMRsw
GQYDVQQKDBJNb2NhbmEgQ29ycG9yYXRpb24xEzARBgNVBAgMCkNhbGlmb3JuaWEx
CzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyd3K
Zkb1qRJH4zlKzJ45NWSRgGNmN7QPbHjnGgwv1tnoGPxBWQ9ZmKBSQTahDVrOMfFQ
RU1wYIgoch+4lvNS7owVLfxNcHRYCSSx9nGfNGcJVp5Kh7fY8YbN3Y44knBz+uW3
GioFaLmwaW8fnxGCZckAGZHfkfLdeCNIauCgXidvIe1SqmiBg9sQwqwzATrgoTru
Tgj4SqX3vo7FqD7zXvCVBkHRVYwuxLVTktNX/CMBxOe6nZLw+QZTbPHT545KWCEe
hbi1SOXWTVJDjGKMSHlvPUDrJ5gQZy7x2z6WlNlu3CtfJCp497ivptXajva2R3O5
blvVXe+eAZuvFoASswIDAQABo4GYMIGVMB0GA1UdDgQWBBQcwWU2KfoqGGQwWN8A
TmAKipXS+zAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFP5Te0A4HJeSaxVO2Oko
i99HtCKqMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAgBgNV
HREEGTAXghVzY2VwY2xpZW50Lm1vY2FuYS5jb20wDQYJKoZIhvcNAQEFBQADggEB
AE4lIBEz5vdQcCkiiGpIS8y+Flvv1u7ip3uH668wGMafpyPOc+vyR8tjsTnT4Gtc
57a96NgQ8T5DMGctaS42z7IcHY2gHk2UK46KltMUyHpJ/TtTsg+irVI25ax5nOju
72a3XJ3fb0VC7KTTT/c2X0q9btRwK47+FAmM8klcGkRd4G7o5qZVwTQgVXlE1a2o
KHVOBa6bYXMWc5jpIyH/aGI3g3dtkIriYbqUM8sub3aEFuAnHabLIMmli8NcJ1dH
lnoirjTi+/iiD8pD+T21CfNMHmL1fablgCA6gZWNjwM6L43rysmpMw+AZUy56BNH
o7B96CbiAsIUfCZfidu8nig=
-----END OCSP REQUEST-----
---------------------------------------
I run with openssl,which run success >openssl ocsp -issuer
AdminCA1.cacert.pem -CAfile AdminCA1.cacert.pem -cert cert.pem -req_text
-url http://192.168.0.1:8080/ejbca/publicweb/status/ocsp
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 4145F8A5CCF07E01EBF1D22D40A1E29392B1E02E
Issuer Key Hash: FE537B40381C97926B154ED8E9288BDF47B422AA
Serial Number: 4C3BB2CF27678EE8
Request Extensions:
OCSP Nonce:
0410F4EA2A76F9CEBA624EF13A75A2F25792
Response verify OK
cert.pem: good
This Update: Feb 25 15:43:17 2011 GMT
localhost src #
|
|
From: pradeep r. <pra...@gm...> - 2011-02-25 03:12:54
|
Hi Max,
This did not work.Data in received response seems to be in asn1/der format.
As outer envelope is in signed and inner envelope which should contain the
certificate would be in encrypted( as per standard)
Do we need to run any decode/decrypt calls to extract the signed and
encrypted data?
Thanks,
Pradeep.
On Wed, Feb 23, 2011 at 9:28 PM, Massimiliano Pala <
Mas...@da...> wrote:
> Hi,
>
> you should not use the _get_certs_num() as that will return the number
> of signing certificates - that is when the PKCS#7 file has been signed.
>
> Since the data in the response is the certificate and it is not encrypted,
> you should just retrieve the bytes from the PKCS#7 and generate a new
> cert. I should add the function to the SCEP API, for now, try this:
>
> // Assuming you have your data in p7 variables (PKI_X509_PKCS7)
>
> PKI_MEM *mem = NULL;
> PKI_X509_CERT *cert = NULL;
>
> if((mem = PKI_X509_PKCS7_get_data( p7, NULL, NULL )) == NULL ) {
> // Memory error
> ...
> }
>
> if( cert = PKI_X509_get_mem( mem, PKI_DATATYPE_X509_CERT,
> NULL, NULL) == PKI_ERR) {
> // An error occurred
> };
>
> // Now you can safely save the certificate
> rv = PKI_X509_CERT_put( cert, PKI_DATA_FORMAT_PEM, "cert.pem",
> NULL, NULL, NULL);
>
> if( rv == PKI_ERR ) {
> // Error while saving...
> ...
> };
>
> Let me know if this works. This might become the core of a new function:
>
> PKI_X509 * obj = PKI_SCEP_DATA_get_x509_obj( PKI_X509_PKCS7 *p7,
> PKI_DATATYPE type );
>
> Cheers,
> Max
>
>
>
> On 02/23/2011 03:55 AM, pradeep reddy wrote:
>
>>
>>
>> Hi Max,
>>
>> I used the first method, using PKI_X509_PKCS7 structures.
>> And EJBCA is sending the sucess response.But response mesage does not
>> contain created certificate
>> I am running folowing code:
>> URL_put_data_url ( url, scepmem, (char *) mime, &sceprespmem, 60, 0, ssl
>> );
>> p7_resp = PKI_X509_PKCS7_get_mem ( p7_resp_mem, NULL );
>> PKI_X509_PKCS7_put ( p7_resp, PKI_DATA_FORMAT_PEM, "scep-resp.pem",NULL,
>> cred, NULL );
>> PKI_X509_PKCS7_put ( p7_resp, PKI_DATA_FORMAT_TXT, "scep-resp.txt",NULL,
>> cred, NULL );
>> int certnum = PKI_X509_PKCS7_get_certs_num( p7_resp );
>> Here certnum returns -1. Below o/p, certificates fields is NULL, though
>>
>
>
>
>
> --
>
> Best Regards,
>
> Massimiliano Pala
>
> --o------------------------------------------------------------------------
> Massimiliano Pala [OpenCA Project Manager]
> op...@ac...
> pro...@op...
>
> Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
> PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
> --o------------------------------------------------------------------------
> People who think they know everything are a great annoyance to those of us
> who do.
> -- Isaac Asimov
>
>
|
|
From: Massimiliano P. <Mas...@Da...> - 2011-02-23 15:57:04
|
Hi,
you should not use the _get_certs_num() as that will return the number
of signing certificates - that is when the PKCS#7 file has been signed.
Since the data in the response is the certificate and it is not encrypted,
you should just retrieve the bytes from the PKCS#7 and generate a new
cert. I should add the function to the SCEP API, for now, try this:
// Assuming you have your data in p7 variables (PKI_X509_PKCS7)
PKI_MEM *mem = NULL;
PKI_X509_CERT *cert = NULL;
if((mem = PKI_X509_PKCS7_get_data( p7, NULL, NULL )) == NULL ) {
// Memory error
...
}
if( cert = PKI_X509_get_mem( mem, PKI_DATATYPE_X509_CERT,
NULL, NULL) == PKI_ERR) {
// An error occurred
};
// Now you can safely save the certificate
rv = PKI_X509_CERT_put( cert, PKI_DATA_FORMAT_PEM, "cert.pem",
NULL, NULL, NULL);
if( rv == PKI_ERR ) {
// Error while saving...
...
};
Let me know if this works. This might become the core of a new function:
PKI_X509 * obj = PKI_SCEP_DATA_get_x509_obj( PKI_X509_PKCS7 *p7,
PKI_DATATYPE type );
Cheers,
Max
On 02/23/2011 03:55 AM, pradeep reddy wrote:
>
>
> Hi Max,
> I used the first method, using PKI_X509_PKCS7 structures.
> And EJBCA is sending the sucess response.But response mesage does not
> contain created certificate
> I am running folowing code:
> URL_put_data_url ( url, scepmem, (char *) mime, &sceprespmem, 60, 0, ssl );
> p7_resp = PKI_X509_PKCS7_get_mem ( p7_resp_mem, NULL );
> PKI_X509_PKCS7_put ( p7_resp, PKI_DATA_FORMAT_PEM, "scep-resp.pem",NULL,
> cred, NULL );
> PKI_X509_PKCS7_put ( p7_resp, PKI_DATA_FORMAT_TXT, "scep-resp.txt",NULL,
> cred, NULL );
> int certnum = PKI_X509_PKCS7_get_certs_num( p7_resp );
> Here certnum returns -1. Below o/p, certificates fields is NULL, though
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] op...@ac...
pro...@op...
Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov
|
|
From: pradeep r. <pra...@gm...> - 2011-02-23 08:56:01
|
Hi Max,
I used the first method, using PKI_X509_PKCS7 structures.
And EJBCA is sending the sucess response.But response mesage does not
contain created certificate
I am running folowing code:
URL_put_data_url ( url, scepmem, (char *) mime, &sceprespmem, 60, 0, ssl );
p7_resp = PKI_X509_PKCS7_get_mem ( p7_resp_mem, NULL );
PKI_X509_PKCS7_put ( p7_resp, PKI_DATA_FORMAT_PEM, "scep-resp.pem",NULL,
cred, NULL );
PKI_X509_PKCS7_put ( p7_resp, PKI_DATA_FORMAT_TXT, "scep-resp.txt",NULL,
cred, NULL );
int certnum = PKI_X509_PKCS7_get_certs_num( p7_resp );
Here certnum returns -1. Below o/p, certificates fields is NULL, though in
ejbca logs I see certificate is added to response message.
Let me know if this is the correct way to get the certificate from response
message.
scep-resp.txt:
PKCS#7 Message:
Message Type:
Signed
Message Data:
Size=2280 bytes
Encrypted=no
Signer Info:
[1 of 1] Signer Details:
Serial=783996641852637500
Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
Encryption Algoritm=rsaEncryption
Digest Algorithm=sha256
Signed Attributes:
SCEP Message Type=3
Status=0
contentType=pkcs7-data
signingTime=Feb 23 08:44:47 2011 GMT
Sender Nonce=5d:ad:28:5c:d3:58:85:d7:75:42:91:e2:bf:3d:ca:08
Recipient Nonce=df:5b:f8:13:68:ff:a5:b0:e4:13:f1:a3:10:74:f5:4f
Message Digest:
42:2d:9e:2f:eb:a7:d0:99:ff:71:72:5f:12:cd:ff:be:74:09:2f:60:
f6:8c:67:4d:f9:41:f7:e8:fa:5e:25:b7
Transaction
Identifier=81:8c:9f:e9:95:d6:56:03:ef:62:fc:48:f5:9d:8e:3f:cf:15:a6:48:64:54:dd:23:b7:a3:69:76:75:8b:4d:7b
Non Signed Attributes:
None.
Recipients Info:
No Recipients
Certificates:
None.
Certificate Revocation Lists:
None.
Thanks.
On Mon, Feb 21, 2011 at 9:46 PM, Massimiliano Pala <
Mas...@da...> wrote:
> Hi,
>
> you should try to use different functions that ease encoding of the
> message.
> I think you are missing the final step - the encoding part. To make things
> easier, you should use the following function:
>
> // Generates and encodes a new PKI Cert Request (SCEP)
> PKI_X509_SCEP_MSG * PKI_X509_SCEP_MSG_new_certreq ( PKI_X509_KEYPAIR
> *key,
> PKI_X509_REQ *req, PKI_X509_CERT *signer,
> PKI_X509_CERT_STACK *recipients );
>
> Alternatively, you can do things on your own. First you generate the scep
> "DATA" - which is the core of the SCEP message:
>
> ...
>
> // Allocates the memory
>
> scep_data = PKI_X509_SCEP_DATA_new();
>
> // Add a Recipient
> PKI_X509_SCEP_DATA_add_recipient( scep_data, cacert );
>
> // Now put the data (PKCS#10 request or any other PKI_X509 object - it
> // could be a certificate, a crl, etc.. it depends on the type of message)
> PKI_X509_SCEP_DATA_set_x509_obj( scep_data, req );
>
> Supposing you have the scep_data, now you have to encode the message.
> Here's an example:
>
> // Alloc the memory
> msg = PKI_X509_SCEP_MSG_new(PKI_X509_SCEP_MSG_PKCSREQ);
>
> // Adds the signer (outer PKCS#7 envelope)
> PKI_X509_SCEP_MSG_add_signer(msg, signerCert,
> signerKey, PKI_DIGEST_ALG_SHA1);
>
> // Sets the NONCE
> PKI_X509_SCEP_MSG_set_sender_nonce( msg, NULL );
>
> // Sets the message type (in this case a PKCSREQ)
> PKI_X509_SCEP_MSG_set_type(msg, PKI_X509_SCEP_MSG_PKCSREQ );
>
> // Final Step - encoding of the data
> PKI_X509_SCEP_MSG_encode(msg, scep_data);
>
>
> Another possibility - but the API requires more work - is to generate a
> "generic" PKI request message and encode it in the SCEP format. Here's
> an example:
>
> // Generates a generic PKI Request Message
> PKI_MSG_REQ *msg = NULL;
> msg = PKI_MSG_REQ_new ( PKI_MSG_REQ_ACTION_CERTREQ,
> subject, NULL, tk->keypair, NULL, cacert );
>
> // Sets some properties of the request
> PKI_MSG_REQ_set_loa ( msg, "2");
> PKI_MSG_REQ_set_template ( msg, "CA Operator");
>
> // Sets the Encoding protocol
> PKI_MSG_REQ_set_proto( msg, PKI_MSG_PROTO_SCEP );
>
> // Now you can save the message
> PKI_MSG_REQ_put ( msg, PKI_DATA_FORMAT_PEM, "scep.pem",
> NULL, NULL, NULL, 0 );
>
> // Or simply send it to the recipient (the CA)
> if(( r = PKI_MSG_REQ_send ( msg, tk, url_s )) == NULL ) {
> // ERROR!
> return 1;
> }
>
> // Save the Response
> PKI_MSG_RESP_put ( r, PKI_DATA_FORMAT_PEM, "out/scep.pem",
> NULL, NULL, NULL );
>
> In the future versions I will probably add the possibility to pick the
> Digest algor in the PKI_X509_SCEP_MSG_new_certreq() directly :) But the
> new SCEP draft should allow you to use SHA2 algorithms as well... :D
>
> Let me know,
>
> Cheers,
> Max
>
>
>
> On 02/21/2011 09:03 AM, pradeep reddy wrote:
>
>> Hi Max,
>> At last ejbca accepting the message.
>> I have used, PKI_X509_PKCS7_put( scep_msg, PKI_DATA_FORMAT_ASN1, urlStr,
>> NULL, cred, NULL);
>> It is failing the message with, POPO verification failed.
>> I debugging the error.
>> BTW, can you let me know, how to make digest use the sha1. instead of
>> sha256.
>>
>> On Mon, Feb 21, 2011 at 6:07 PM, pradeep reddy
>> <pra...@gm... <mailto:pra...@gm...>> wrote:
>>
>> Hi Max,
>> Thanks you for the pointers:
>> I am not aware of ejbca internals. But EJBCA is tested with other
>> openssl used libs, I guess libpki will also work.
>> 1. I have following piece of code:
>> pkey = PKI_X509_KEYPAIR_new( PKI_SCHEME_RSA, 2048, NULL, NULL, NULL );
>> digest = PKI_DIGEST_ALG_get_by_key( pkey );
>> PKI_X509_CERT *signer = PKI_X509_CERT_new ( cacert, pkey, pkcs10req,
>> NULL, serialbuf, PKI_VALIDITY_ONE_MONTH, NULL, NULL, NULL, NULL );
>> PKI_X509_SCEP_MSG_add_signer ( scep_msg, signer, pkey, digest);
>> I set in pki_digest.h, I set the default, #define
>> PKI_DIGEST_DEFAULT_ALG PKI_DIGEST_ALG_SHA1
>> But in signer info digest algorithm is still sha256.
>> Signer Info:
>> [1 of 1] Signer Details:
>> Serial=4294967295
>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>> Encryption Algoritm=rsaEncryption
>> Digest Algorithm=sha256
>> 2. I have the following code:
>> scep_data = PKI_X509_SCEP_DATA_new();
>> scep_msg = PKI_X509_SCEP_MSG_new(PKI_X509_PKCS7_TYPE_ENCRYPTED))
>> In creating scep_msg, though I pass PKI_X509_PKCS7_TYPE_ENCRYPTED,
>> internally scep_msg calls
>> with PKI_X509_PKCS7_new (PKI_X509_PKCS7_TYPE_SIGNED)
>> But still receipient(CA) details are not printing and PKCS#7
>> Message:Message Type: Signed
>> I have used the libpki default code. Did not make any changes to
>> libpki code.
>> And I have folowing piece of code to send to ejbca:
>> PKI_MEM *p7mem = PKI_X509_PKCS7_get_raw_data( scep_msg );
>> char* urlStr = "*MailScanner warning: numerical links are often
>> malicious:* http://192.168.0.1:8080/ejbca";
>> <http://192.168.0.1:8080/ejbca%22;>
>>
>> URL_put_data ( urlStr, p7mem, "scep client", NULL, 0, 20000, NULL );
>> Let me know, where I may be going wrong.
>>
>> On Fri, Feb 18, 2011 at 10:27 PM, Massimiliano Pala
>> <Mas...@da...
>> <mailto:Mas...@da...>> wrote:
>>
>> Hi,
>>
>> I actually never tried the SCEP code with ejbca :( Do you know
>> the internals of
>> EJBCA ? It seems like an error in the message encoding.. but the
>> error message is
>> not very useful... Some thoughts:
>> - Maybe you should use SHA1 instead of SHA256 ?
>> - Shouldn't the request be encrypted with the CA certificate
>> (Message Type:
>> encryptedContentData -- PKI_X509_PKCS7_TYPE_ENCRYPTED ?)
>>
>> Cheers,
>> Max
>>
>>
>>
>> On 02/18/2011 06:24 AM, pradeep reddy wrote:
>>
>> Hi,
>> I am still stuck at this error.
>> Please confirm whether libpki scep client works with ejbca CA.
>> More information. Here Iam printing the pkcs7 structure:
>> Here, BEGIN CERTIFICATE REQUEST is PKCS 10 structure.
>> And When printing the pkcs7, it is saying receipient info is
>> missing,
>> but I have added ca certificate in to scep_data.
>>
>> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [hsm_keypair.c:49]::DEBUG::Getting Default HSM
>> (0xb77863e0/0xb77863e0)
>> generated a new Keypair!
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [hsm_main.c:408]::DEBUG::Using
>> HSM for Key Operations
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [hsm_main.c:416]::DEBUG::HSM
>> sign() callback called
>> -----BEGIN CERTIFICATE REQUEST-----
>>
>> MIICfzCCAWcCAQIwOjEUMBIGA1UEAxMLc2NlcGNsaWVudCAxFTATBgNVBAoTDEVK
>>
>> QkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
>>
>> ggEKAoIBAQCpFdqYl5lQErTbWlQRfzuB7FzKqFNK06t1Hdvp4MppudCBZJAX3tqz
>>
>> gpITfLpBp+b2l8tJwasgj+yEPo9NWE5KB70IOKP6csG1JU4Y1CE0mWzwQfxFGYLZ
>>
>> MeiYfXv6nshethMQigAxLXBQ6uhAWmHbNsG9Na7z2KpawghESfcXJ44ALBe0eNek
>>
>> fp5Z+XSjf6FNdIM75d2Qq2OhmX3XWRQ3u4zc6yCIEaoJqB5dX5YEAHuILszekG/Y
>>
>> ej9uGxi/yc8m8SLZ+kBJXSeCjE0PzVbSVHZCosuI/oJfgbokI1WoMF2gkx+9dSCo
>>
>> H5ZXTh9Us+QWVjxMBHRIr4/bqAefCdN9AgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
>>
>> AQEACpu/yavA35kr5nCh+DS4SlbMYl6Cxgs+jKnsM0rX85fuiBmVnqlXWr61UDgp
>>
>> v7mwlAj1hyIYufgbawI0uEKBpcLfD0i2tP4utaNEPHiEcgVQCkM0BSCABgkBl9p2
>>
>> fube42Quw5nT1LD0O85t8mGgrK2RGDv2wQQVZzgm4HLP7NhudD6axFYfU8o8sfBB
>>
>> BpN9Twcm6h/JYHRKMFa/RNqJ38WkAC9BO8PTKJuVd2z8w5V4+ndNg6cRUE8by+tO
>>
>> hJf7y1PmSiQTuTl0SGkmLINTXGp06xIlcY9yAVo4esnn+8GFnvXLHUlqtQCwmY/E
>> YDkEnJ9Y7QcWfK5XKvaDlPkwlg==
>> -----END CERTIFICATE REQUEST-----
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_algor.c:479]::DEBUG::pki_algor.c:479::PKI_DIGEST_ALG_get_by_key()::Return
>> Value is 0xb75b80e0
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [hsm_main.c:408]::DEBUG::Using
>> HSM for Key Operations
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [hsm_main.c:416]::DEBUG::HSM
>> sign() callback called
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [io/pki_x509_pkcs7_io.c:282]::DEBUG::B64_DEBUG
>> ptype = 22PKCS#7 Message:
>> Message Type:
>> Signed
>> Message Data:
>> Size=1087 bytes
>> Encrypted=no
>> Signer Info:
>> [1 of 1] Signer Details:
>> Serial=4294967295
>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>> Encryption Algoritm=rsaEncryption
>> Digest Algorithm=sha256
>> Signed Attributes:
>> SCEP Message Type=19
>> contentType=pkcs7-data
>> signingTime=Feb 18 11:15:22 2011 GMT
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [pki_string.c:140]::DEBUG::Error,
>> can not convert string to utf8! [type 4]
>> Sender
>> Nonce=c0:b0:e5:2c:d6:fe:64:4d:b2:d2:b9:31:e7:2e:4c:c4
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [pki_string.c:140]::DEBUG::Error,
>> can not convert string to utf8! [type 4]
>> Recipient
>> Nonce=e5:89:4d:3f:95:2c:c9:58:e1:42:68:e3:30:08:b3:79
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [pki_string.c:140]::DEBUG::Error,
>> can not convert string to utf8! [type 4]
>> Message Digest:
>>
>> 5d:40:11:25:b3:c7:cd:43:37:6f:7f:c4:2d:56:aa:4c:0b:60:c2:11:
>> 86:b3:85:f0:d3:85:21:1b:df:32:2b:0b
>> Transaction
>>
>> Identifier=fb:09:84:3d:d9:4c:3e:34:d2:9f:ee:a1:e8:22:58:1f:20:89:ee:e0:ac:e9:38:a8:6e:46:0c:38:f6:47:b0:8f
>> Non Signed Attributes:
>> None.
>> Recipients Info:
>> No Recipients
>> Certificates:
>> [1 of 1] Certificate:
>> Serial=4294967295
>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>> Subject=CN=scepclient , O=EJBCA Sample, C=SE
>> Fingerprint [SHA256]:
>>
>> 2c:11:0a:7d:c3:3d:fc:bf:41:15:fd:65:54:73:ad:bd:c0:11:f0:2f:
>> 2b:41:a1:df:10:7c:44:0a:25:65:88:fe
>> Certificate Revocation Lists:
>> None.
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [net/pki_socket.c:123]::DEBUG::Creating a simple connection
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [net/sock.c:323]::DEBUG::Connection Successful to
>> *MailScanner warning:
>> numerical links are often malicious:* *MailScanner warning:
>>
>> numerical links are often malicious:* 127.0.0.1:8080
>> <http://127.0.0.1:8080/> <*MailScanner warning: numerical
>> links are often malicious:* http://127.0.0.1:8080
>>
>> <http://127.0.0.1:8080/>>
>>
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [net/http_s.c:227]::DEBUG::HTTP
>> DATA => size (356->1235)
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>> Let me know, Iam scratching my head since few days.
>> On Thu, Feb 17, 2011 at 4:39 PM, pradeep reddy
>> <pra...@gm...
>> <mailto:pra...@gm...>
>> <mailto:pra...@gm...
>> <mailto:pra...@gm...>>> wrote:
>>
>> Hi,
>> I coded scep client with libpki. I am using ejbca as ca
>> server
>> Does libpki scep client works with ejbca CA?
>> As when I send the scep request message, ejbca errors it
>> with below
>> print:
>> 10:44:46,179 INFO [ScepServlet] Received a SCEP message
>> from 127.0.0.1.
>> 10:44:46,187 ERROR [ScepServlet] Error processing SCEP
>> request.
>> java.lang.ClassCastException:
>> org.bouncycastle.asn1.DERSequence
>> cannot be cast to org.bouncycastle.asn1.ASN1TaggedObject
>> at
>> org.bouncycastle.asn1.cms.ContentInfo.<init>(Unknown Source)
>> at
>>
>> org.bouncycastle.asn1.cms.ContentInfo.getInstance(Unknown
>> Source)
>> at
>> org.bouncycastle.asn1.cms.SignedData.<init>(Unknown Source)
>> at
>> org.bouncycastle.asn1.cms.SignedData.getInstance(Unknown
>> Source)
>> at
>> org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
>> at
>> org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
>> Thanks.
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R)
>> Parallel Studio XE:
>> Pinpoint memory and threading errors before they happen.
>> Find and fix more than 250 security defects in the
>> development cycle.
>> Locate bottlenecks in serial and parallel code that limit
>> performance.
>> http://p.sf.net/sfu/intel-dev2devfeb
>>
>>
>>
>> _______________________________________________
>> Libpki-users mailing list
>> Lib...@li...
>> <mailto:Lib...@li...>
>>
>> https://lists.sourceforge.net/lists/listinfo/libpki-users
>>
>>
>>
>> --
>>
>> Best Regards,
>>
>> Massimiliano Pala
>>
>>
>> --o------------------------------------------------------------------------
>> Massimiliano Pala [OpenCA Project Manager] op...@ac...
>> <mailto:op...@ac...>
>> pro...@op... <mailto:pro...@op...>
>>
>>
>> Dartmouth Computer Science Dept Home Phone: +1
>> (603) 369-9332
>> PKI/Trust Laboratory Work Phone: +1
>> (603) 646-8734
>>
>> --o------------------------------------------------------------------------
>> People who think they know everything are a great annoyance to
>> those of us
>> who do.
>> --
>> Isaac Asimov
>>
>>
>>
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R) Parallel
>> Studio XE:
>> Pinpoint memory and threading errors before they happen.
>> Find and fix more than 250 security defects in the development
>> cycle.
>> Locate bottlenecks in serial and parallel code that limit
>> performance.
>> http://p.sf.net/sfu/intel-dev2devfeb
>> _______________________________________________
>> Libpki-users mailing list
>> Lib...@li...
>> <mailto:Lib...@li...>
>>
>> https://lists.sourceforge.net/lists/listinfo/libpki-users
>>
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>> Pinpoint memory and threading errors before they happen.
>> Find and fix more than 250 security defects in the development cycle.
>> Locate bottlenecks in serial and parallel code that limit performance.
>> http://p.sf.net/sfu/intel-dev2devfeb
>>
>>
>>
>> _______________________________________________
>> Libpki-users mailing list
>> Lib...@li...
>> https://lists.sourceforge.net/lists/listinfo/libpki-users
>>
>
>
> --
>
> Best Regards,
>
> Massimiliano Pala
>
> --o------------------------------------------------------------------------
> Massimiliano Pala [OpenCA Project Manager]
> op...@ac...
> pro...@op...
>
> Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
> PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
> --o------------------------------------------------------------------------
> People who think they know everything are a great annoyance to those of us
> who do.
> -- Isaac Asimov
>
>
|
|
From: Massimiliano P. <Mas...@Da...> - 2011-02-21 16:15:24
|
Hi,
you should try to use different functions that ease encoding of the message.
I think you are missing the final step - the encoding part. To make things
easier, you should use the following function:
// Generates and encodes a new PKI Cert Request (SCEP)
PKI_X509_SCEP_MSG * PKI_X509_SCEP_MSG_new_certreq ( PKI_X509_KEYPAIR *key,
PKI_X509_REQ *req, PKI_X509_CERT *signer,
PKI_X509_CERT_STACK *recipients );
Alternatively, you can do things on your own. First you generate the scep
"DATA" - which is the core of the SCEP message:
...
// Allocates the memory
scep_data = PKI_X509_SCEP_DATA_new();
// Add a Recipient
PKI_X509_SCEP_DATA_add_recipient( scep_data, cacert );
// Now put the data (PKCS#10 request or any other PKI_X509 object - it
// could be a certificate, a crl, etc.. it depends on the type of message)
PKI_X509_SCEP_DATA_set_x509_obj( scep_data, req );
Supposing you have the scep_data, now you have to encode the message.
Here's an example:
// Alloc the memory
msg = PKI_X509_SCEP_MSG_new(PKI_X509_SCEP_MSG_PKCSREQ);
// Adds the signer (outer PKCS#7 envelope)
PKI_X509_SCEP_MSG_add_signer(msg, signerCert,
signerKey, PKI_DIGEST_ALG_SHA1);
// Sets the NONCE
PKI_X509_SCEP_MSG_set_sender_nonce( msg, NULL );
// Sets the message type (in this case a PKCSREQ)
PKI_X509_SCEP_MSG_set_type(msg, PKI_X509_SCEP_MSG_PKCSREQ );
// Final Step - encoding of the data
PKI_X509_SCEP_MSG_encode(msg, scep_data);
Another possibility - but the API requires more work - is to generate a
"generic" PKI request message and encode it in the SCEP format. Here's
an example:
// Generates a generic PKI Request Message
PKI_MSG_REQ *msg = NULL;
msg = PKI_MSG_REQ_new ( PKI_MSG_REQ_ACTION_CERTREQ,
subject, NULL, tk->keypair, NULL, cacert );
// Sets some properties of the request
PKI_MSG_REQ_set_loa ( msg, "2");
PKI_MSG_REQ_set_template ( msg, "CA Operator");
// Sets the Encoding protocol
PKI_MSG_REQ_set_proto( msg, PKI_MSG_PROTO_SCEP );
// Now you can save the message
PKI_MSG_REQ_put ( msg, PKI_DATA_FORMAT_PEM, "scep.pem",
NULL, NULL, NULL, 0 );
// Or simply send it to the recipient (the CA)
if(( r = PKI_MSG_REQ_send ( msg, tk, url_s )) == NULL ) {
// ERROR!
return 1;
}
// Save the Response
PKI_MSG_RESP_put ( r, PKI_DATA_FORMAT_PEM, "out/scep.pem",
NULL, NULL, NULL );
In the future versions I will probably add the possibility to pick the
Digest algor in the PKI_X509_SCEP_MSG_new_certreq() directly :) But the
new SCEP draft should allow you to use SHA2 algorithms as well... :D
Let me know,
Cheers,
Max
On 02/21/2011 09:03 AM, pradeep reddy wrote:
> Hi Max,
> At last ejbca accepting the message.
> I have used, PKI_X509_PKCS7_put( scep_msg, PKI_DATA_FORMAT_ASN1, urlStr,
> NULL, cred, NULL);
> It is failing the message with, POPO verification failed.
> I debugging the error.
> BTW, can you let me know, how to make digest use the sha1. instead of
> sha256.
>
> On Mon, Feb 21, 2011 at 6:07 PM, pradeep reddy
> <pra...@gm... <mailto:pra...@gm...>> wrote:
>
> Hi Max,
> Thanks you for the pointers:
> I am not aware of ejbca internals. But EJBCA is tested with other
> openssl used libs, I guess libpki will also work.
> 1. I have following piece of code:
> pkey = PKI_X509_KEYPAIR_new( PKI_SCHEME_RSA, 2048, NULL, NULL, NULL );
> digest = PKI_DIGEST_ALG_get_by_key( pkey );
> PKI_X509_CERT *signer = PKI_X509_CERT_new ( cacert, pkey, pkcs10req,
> NULL, serialbuf, PKI_VALIDITY_ONE_MONTH, NULL, NULL, NULL, NULL );
> PKI_X509_SCEP_MSG_add_signer ( scep_msg, signer, pkey, digest);
> I set in pki_digest.h, I set the default, #define
> PKI_DIGEST_DEFAULT_ALG PKI_DIGEST_ALG_SHA1
> But in signer info digest algorithm is still sha256.
> Signer Info:
> [1 of 1] Signer Details:
> Serial=4294967295
> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
> Encryption Algoritm=rsaEncryption
> Digest Algorithm=sha256
> 2. I have the following code:
> scep_data = PKI_X509_SCEP_DATA_new();
> scep_msg = PKI_X509_SCEP_MSG_new(PKI_X509_PKCS7_TYPE_ENCRYPTED))
> In creating scep_msg, though I pass PKI_X509_PKCS7_TYPE_ENCRYPTED,
> internally scep_msg calls
> with PKI_X509_PKCS7_new (PKI_X509_PKCS7_TYPE_SIGNED)
> But still receipient(CA) details are not printing and PKCS#7
> Message:Message Type: Signed
> I have used the libpki default code. Did not make any changes to
> libpki code.
> And I have folowing piece of code to send to ejbca:
> PKI_MEM *p7mem = PKI_X509_PKCS7_get_raw_data( scep_msg );
> char* urlStr = "*MailScanner warning: numerical links are often
> malicious:* http://192.168.0.1:8080/ejbca";
> <http://192.168.0.1:8080/ejbca%22;>
> URL_put_data ( urlStr, p7mem, "scep client", NULL, 0, 20000, NULL );
> Let me know, where I may be going wrong.
>
> On Fri, Feb 18, 2011 at 10:27 PM, Massimiliano Pala
> <Mas...@da...
> <mailto:Mas...@da...>> wrote:
>
> Hi,
>
> I actually never tried the SCEP code with ejbca :( Do you know
> the internals of
> EJBCA ? It seems like an error in the message encoding.. but the
> error message is
> not very useful... Some thoughts:
> - Maybe you should use SHA1 instead of SHA256 ?
> - Shouldn't the request be encrypted with the CA certificate
> (Message Type:
> encryptedContentData -- PKI_X509_PKCS7_TYPE_ENCRYPTED ?)
>
> Cheers,
> Max
>
>
>
> On 02/18/2011 06:24 AM, pradeep reddy wrote:
>
> Hi,
> I am still stuck at this error.
> Please confirm whether libpki scep client works with ejbca CA.
> More information. Here Iam printing the pkcs7 structure:
> Here, BEGIN CERTIFICATE REQUEST is PKCS 10 structure.
> And When printing the pkcs7, it is saying receipient info is
> missing,
> but I have added ca certificate in to scep_data.
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [hsm_keypair.c:49]::DEBUG::Getting Default HSM
> (0xb77863e0/0xb77863e0)
> generated a new Keypair!
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [hsm_main.c:408]::DEBUG::Using
> HSM for Key Operations
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [hsm_main.c:416]::DEBUG::HSM
> sign() callback called
> -----BEGIN CERTIFICATE REQUEST-----
> MIICfzCCAWcCAQIwOjEUMBIGA1UEAxMLc2NlcGNsaWVudCAxFTATBgNVBAoTDEVK
> QkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
> ggEKAoIBAQCpFdqYl5lQErTbWlQRfzuB7FzKqFNK06t1Hdvp4MppudCBZJAX3tqz
> gpITfLpBp+b2l8tJwasgj+yEPo9NWE5KB70IOKP6csG1JU4Y1CE0mWzwQfxFGYLZ
> MeiYfXv6nshethMQigAxLXBQ6uhAWmHbNsG9Na7z2KpawghESfcXJ44ALBe0eNek
> fp5Z+XSjf6FNdIM75d2Qq2OhmX3XWRQ3u4zc6yCIEaoJqB5dX5YEAHuILszekG/Y
> ej9uGxi/yc8m8SLZ+kBJXSeCjE0PzVbSVHZCosuI/oJfgbokI1WoMF2gkx+9dSCo
> H5ZXTh9Us+QWVjxMBHRIr4/bqAefCdN9AgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
> AQEACpu/yavA35kr5nCh+DS4SlbMYl6Cxgs+jKnsM0rX85fuiBmVnqlXWr61UDgp
> v7mwlAj1hyIYufgbawI0uEKBpcLfD0i2tP4utaNEPHiEcgVQCkM0BSCABgkBl9p2
> fube42Quw5nT1LD0O85t8mGgrK2RGDv2wQQVZzgm4HLP7NhudD6axFYfU8o8sfBB
> BpN9Twcm6h/JYHRKMFa/RNqJ38WkAC9BO8PTKJuVd2z8w5V4+ndNg6cRUE8by+tO
> hJf7y1PmSiQTuTl0SGkmLINTXGp06xIlcY9yAVo4esnn+8GFnvXLHUlqtQCwmY/E
> YDkEnJ9Y7QcWfK5XKvaDlPkwlg==
> -----END CERTIFICATE REQUEST-----
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_algor.c:479]::DEBUG::pki_algor.c:479::PKI_DIGEST_ALG_get_by_key()::Return
> Value is 0xb75b80e0
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [hsm_main.c:408]::DEBUG::Using
> HSM for Key Operations
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [hsm_main.c:416]::DEBUG::HSM
> sign() callback called
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [io/pki_x509_pkcs7_io.c:282]::DEBUG::B64_DEBUG
> ptype = 22PKCS#7 Message:
> Message Type:
> Signed
> Message Data:
> Size=1087 bytes
> Encrypted=no
> Signer Info:
> [1 of 1] Signer Details:
> Serial=4294967295
> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
> Encryption Algoritm=rsaEncryption
> Digest Algorithm=sha256
> Signed Attributes:
> SCEP Message Type=19
> contentType=pkcs7-data
> signingTime=Feb 18 11:15:22 2011 GMT
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_string.c:140]::DEBUG::Error,
> can not convert string to utf8! [type 4]
> Sender
> Nonce=c0:b0:e5:2c:d6:fe:64:4d:b2:d2:b9:31:e7:2e:4c:c4
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_string.c:140]::DEBUG::Error,
> can not convert string to utf8! [type 4]
> Recipient
> Nonce=e5:89:4d:3f:95:2c:c9:58:e1:42:68:e3:30:08:b3:79
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_string.c:140]::DEBUG::Error,
> can not convert string to utf8! [type 4]
> Message Digest:
>
> 5d:40:11:25:b3:c7:cd:43:37:6f:7f:c4:2d:56:aa:4c:0b:60:c2:11:
> 86:b3:85:f0:d3:85:21:1b:df:32:2b:0b
> Transaction
> Identifier=fb:09:84:3d:d9:4c:3e:34:d2:9f:ee:a1:e8:22:58:1f:20:89:ee:e0:ac:e9:38:a8:6e:46:0c:38:f6:47:b0:8f
> Non Signed Attributes:
> None.
> Recipients Info:
> No Recipients
> Certificates:
> [1 of 1] Certificate:
> Serial=4294967295
> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
> Subject=CN=scepclient , O=EJBCA Sample, C=SE
> Fingerprint [SHA256]:
>
> 2c:11:0a:7d:c3:3d:fc:bf:41:15:fd:65:54:73:ad:bd:c0:11:f0:2f:
> 2b:41:a1:df:10:7c:44:0a:25:65:88:fe
> Certificate Revocation Lists:
> None.
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [net/pki_socket.c:123]::DEBUG::Creating a simple connection
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [net/sock.c:323]::DEBUG::Connection Successful to
> *MailScanner warning:
> numerical links are often malicious:* *MailScanner warning:
> numerical links are often malicious:* 127.0.0.1:8080
> <http://127.0.0.1:8080/> <*MailScanner warning: numerical
> links are often malicious:* http://127.0.0.1:8080
> <http://127.0.0.1:8080/>>
>
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [net/http_s.c:227]::DEBUG::HTTP
> DATA => size (356->1235)
> ---------------------------------------------------------------------------------------------------------------------------------------------------------
> ---------------------------------------------------------------------------------------------------------------------------------------------------------
> Let me know, Iam scratching my head since few days.
> On Thu, Feb 17, 2011 at 4:39 PM, pradeep reddy
> <pra...@gm...
> <mailto:pra...@gm...>
> <mailto:pra...@gm...
> <mailto:pra...@gm...>>> wrote:
>
> Hi,
> I coded scep client with libpki. I am using ejbca as ca
> server
> Does libpki scep client works with ejbca CA?
> As when I send the scep request message, ejbca errors it
> with below
> print:
> 10:44:46,179 INFO [ScepServlet] Received a SCEP message
> from 127.0.0.1.
> 10:44:46,187 ERROR [ScepServlet] Error processing SCEP
> request.
> java.lang.ClassCastException:
> org.bouncycastle.asn1.DERSequence
> cannot be cast to org.bouncycastle.asn1.ASN1TaggedObject
> at
> org.bouncycastle.asn1.cms.ContentInfo.<init>(Unknown Source)
> at
>
> org.bouncycastle.asn1.cms.ContentInfo.getInstance(Unknown
> Source)
> at
> org.bouncycastle.asn1.cms.SignedData.<init>(Unknown Source)
> at
> org.bouncycastle.asn1.cms.SignedData.getInstance(Unknown
> Source)
> at
> org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
> at
> org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
> Thanks.
>
>
>
>
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R)
> Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the
> development cycle.
> Locate bottlenecks in serial and parallel code that limit
> performance.
> http://p.sf.net/sfu/intel-dev2devfeb
>
>
>
> _______________________________________________
> Libpki-users mailing list
> Lib...@li...
> <mailto:Lib...@li...>
> https://lists.sourceforge.net/lists/listinfo/libpki-users
>
>
>
> --
>
> Best Regards,
>
> Massimiliano Pala
>
> --o------------------------------------------------------------------------
> Massimiliano Pala [OpenCA Project Manager] op...@ac...
> <mailto:op...@ac...>
> pro...@op... <mailto:pro...@op...>
>
> Dartmouth Computer Science Dept Home Phone: +1
> (603) 369-9332
> PKI/Trust Laboratory Work Phone: +1
> (603) 646-8734
> --o------------------------------------------------------------------------
> People who think they know everything are a great annoyance to
> those of us
> who do.
> --
> Isaac Asimov
>
>
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel
> Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development
> cycle.
> Locate bottlenecks in serial and parallel code that limit
> performance.
> http://p.sf.net/sfu/intel-dev2devfeb
> _______________________________________________
> Libpki-users mailing list
> Lib...@li...
> <mailto:Lib...@li...>
> https://lists.sourceforge.net/lists/listinfo/libpki-users
>
>
>
>
>
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development cycle.
> Locate bottlenecks in serial and parallel code that limit performance.
> http://p.sf.net/sfu/intel-dev2devfeb
>
>
>
> _______________________________________________
> Libpki-users mailing list
> Lib...@li...
> https://lists.sourceforge.net/lists/listinfo/libpki-users
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] op...@ac...
pro...@op...
Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov
|
|
From: pradeep r. <pra...@gm...> - 2011-02-21 14:03:36
|
Hi Max, At last ejbca accepting the message. I have used, PKI_X509_PKCS7_put( scep_msg, PKI_DATA_FORMAT_ASN1, urlStr, NULL, cred, NULL); It is failing the message with, POPO verification failed. I debugging the error. BTW, can you let me know, how to make digest use the sha1. instead of sha256. On Mon, Feb 21, 2011 at 6:07 PM, pradeep reddy <pra...@gm...>wrote: > Hi Max, > > Thanks you for the pointers: > > I am not aware of ejbca internals. But EJBCA is tested with other openssl > used libs, I guess libpki will also work. > 1. I have following piece of code: > > pkey = PKI_X509_KEYPAIR_new( PKI_SCHEME_RSA, 2048, NULL, NULL, NULL ); > digest = PKI_DIGEST_ALG_get_by_key( pkey ); > PKI_X509_CERT *signer = PKI_X509_CERT_new ( cacert, pkey, pkcs10req, NULL, > serialbuf, PKI_VALIDITY_ONE_MONTH, NULL, NULL, NULL, NULL ); > PKI_X509_SCEP_MSG_add_signer ( scep_msg, signer, pkey, digest); > > I set in pki_digest.h, I set the default, #define PKI_DIGEST_DEFAULT_ALG > PKI_DIGEST_ALG_SHA1 > But in signer info digest algorithm is still sha256. > Signer Info: > [1 of 1] Signer Details: > Serial=4294967295 > Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE > Encryption Algoritm=rsaEncryption > Digest Algorithm=sha256 > > 2. I have the following code: > > scep_data = PKI_X509_SCEP_DATA_new(); > scep_msg = PKI_X509_SCEP_MSG_new(PKI_X509_PKCS7_TYPE_ENCRYPTED)) > In creating scep_msg, though I pass PKI_X509_PKCS7_TYPE_ENCRYPTED, > internally scep_msg calls > with PKI_X509_PKCS7_new (PKI_X509_PKCS7_TYPE_SIGNED) > But still receipient(CA) details are not printing and PKCS#7 > Message:Message Type: Signed > > I have used the libpki default code. Did not make any changes to libpki > code. > > And I have folowing piece of code to send to ejbca: > > PKI_MEM *p7mem = PKI_X509_PKCS7_get_raw_data( scep_msg ); > char* urlStr = "http://192.168.0.1:8080/ejbca"; > URL_put_data ( urlStr, p7mem, "scep client", NULL, 0, 20000, NULL ); > Let me know, where I may be going wrong. > > On Fri, Feb 18, 2011 at 10:27 PM, Massimiliano Pala < > Mas...@da...> wrote: > >> Hi, >> >> I actually never tried the SCEP code with ejbca :( Do you know the >> internals of >> EJBCA ? It seems like an error in the message encoding.. but the error >> message is >> not very useful... Some thoughts: >> - Maybe you should use SHA1 instead of SHA256 ? >> - Shouldn't the request be encrypted with the CA certificate (Message >> Type: >> encryptedContentData -- PKI_X509_PKCS7_TYPE_ENCRYPTED ?) >> >> Cheers, >> Max >> >> >> >> On 02/18/2011 06:24 AM, pradeep reddy wrote: >> >>> Hi, >>> I am still stuck at this error. >>> Please confirm whether libpki scep client works with ejbca CA. >>> More information. Here Iam printing the pkcs7 structure: >>> Here, BEGIN CERTIFICATE REQUEST is PKCS 10 structure. >>> And When printing the pkcs7, it is saying receipient info is missing, >>> but I have added ca certificate in to scep_data. >>> >>> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- >>> >>> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- >>> Feb 18 11:15:22 2011 GMT [10771] INFO: >>> [hsm_keypair.c:49]::DEBUG::Getting Default HSM (0xb77863e0/0xb77863e0) >>> generated a new Keypair! >>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:408]::DEBUG::Using >>> HSM for Key Operations >>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:416]::DEBUG::HSM >>> sign() callback called >>> -----BEGIN CERTIFICATE REQUEST----- >>> MIICfzCCAWcCAQIwOjEUMBIGA1UEAxMLc2NlcGNsaWVudCAxFTATBgNVBAoTDEVK >>> QkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw >>> ggEKAoIBAQCpFdqYl5lQErTbWlQRfzuB7FzKqFNK06t1Hdvp4MppudCBZJAX3tqz >>> gpITfLpBp+b2l8tJwasgj+yEPo9NWE5KB70IOKP6csG1JU4Y1CE0mWzwQfxFGYLZ >>> MeiYfXv6nshethMQigAxLXBQ6uhAWmHbNsG9Na7z2KpawghESfcXJ44ALBe0eNek >>> fp5Z+XSjf6FNdIM75d2Qq2OhmX3XWRQ3u4zc6yCIEaoJqB5dX5YEAHuILszekG/Y >>> ej9uGxi/yc8m8SLZ+kBJXSeCjE0PzVbSVHZCosuI/oJfgbokI1WoMF2gkx+9dSCo >>> H5ZXTh9Us+QWVjxMBHRIr4/bqAefCdN9AgMBAAGgADANBgkqhkiG9w0BAQsFAAOC >>> AQEACpu/yavA35kr5nCh+DS4SlbMYl6Cxgs+jKnsM0rX85fuiBmVnqlXWr61UDgp >>> v7mwlAj1hyIYufgbawI0uEKBpcLfD0i2tP4utaNEPHiEcgVQCkM0BSCABgkBl9p2 >>> fube42Quw5nT1LD0O85t8mGgrK2RGDv2wQQVZzgm4HLP7NhudD6axFYfU8o8sfBB >>> BpN9Twcm6h/JYHRKMFa/RNqJ38WkAC9BO8PTKJuVd2z8w5V4+ndNg6cRUE8by+tO >>> hJf7y1PmSiQTuTl0SGkmLINTXGp06xIlcY9yAVo4esnn+8GFnvXLHUlqtQCwmY/E >>> YDkEnJ9Y7QcWfK5XKvaDlPkwlg== >>> -----END CERTIFICATE REQUEST----- >>> Feb 18 11:15:22 2011 GMT [10771] INFO: >>> >>> [pki_algor.c:479]::DEBUG::pki_algor.c:479::PKI_DIGEST_ALG_get_by_key()::Return >>> Value is 0xb75b80e0 >>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:408]::DEBUG::Using >>> HSM for Key Operations >>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:416]::DEBUG::HSM >>> sign() callback called >>> Feb 18 11:15:22 2011 GMT [10771] INFO: >>> >>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start >>> Feb 18 11:15:22 2011 GMT [10771] INFO: >>> >>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start >>> Feb 18 11:15:22 2011 GMT [10771] INFO: >>> >>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start >>> Feb 18 11:15:22 2011 GMT [10771] INFO: >>> >>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start >>> Feb 18 11:15:22 2011 GMT [10771] INFO: >>> [io/pki_x509_pkcs7_io.c:282]::DEBUG::B64_DEBUG >>> ptype = 22PKCS#7 Message: >>> Message Type: >>> Signed >>> Message Data: >>> Size=1087 bytes >>> Encrypted=no >>> Signer Info: >>> [1 of 1] Signer Details: >>> Serial=4294967295 >>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE >>> Encryption Algoritm=rsaEncryption >>> Digest Algorithm=sha256 >>> Signed Attributes: >>> SCEP Message Type=19 >>> contentType=pkcs7-data >>> signingTime=Feb 18 11:15:22 2011 GMT >>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, >>> can not convert string to utf8! [type 4] >>> Sender Nonce=c0:b0:e5:2c:d6:fe:64:4d:b2:d2:b9:31:e7:2e:4c:c4 >>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, >>> can not convert string to utf8! [type 4] >>> Recipient >>> Nonce=e5:89:4d:3f:95:2c:c9:58:e1:42:68:e3:30:08:b3:79 >>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, >>> can not convert string to utf8! [type 4] >>> Message Digest: >>> >>> 5d:40:11:25:b3:c7:cd:43:37:6f:7f:c4:2d:56:aa:4c:0b:60:c2:11: >>> 86:b3:85:f0:d3:85:21:1b:df:32:2b:0b >>> Transaction >>> >>> Identifier=fb:09:84:3d:d9:4c:3e:34:d2:9f:ee:a1:e8:22:58:1f:20:89:ee:e0:ac:e9:38:a8:6e:46:0c:38:f6:47:b0:8f >>> Non Signed Attributes: >>> None. >>> Recipients Info: >>> No Recipients >>> Certificates: >>> [1 of 1] Certificate: >>> Serial=4294967295 >>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE >>> Subject=CN=scepclient , O=EJBCA Sample, C=SE >>> Fingerprint [SHA256]: >>> >>> 2c:11:0a:7d:c3:3d:fc:bf:41:15:fd:65:54:73:ad:bd:c0:11:f0:2f: >>> 2b:41:a1:df:10:7c:44:0a:25:65:88:fe >>> Certificate Revocation Lists: >>> None. >>> Feb 18 11:15:22 2011 GMT [10771] INFO: >>> [net/pki_socket.c:123]::DEBUG::Creating a simple connection >>> Feb 18 11:15:22 2011 GMT [10771] INFO: >>> [net/sock.c:323]::DEBUG::Connection Successful to *MailScanner warning: >>> numerical links are often malicious:* 127.0.0.1:8080 < >>> http://127.0.0.1:8080> >>> >>> Feb 18 11:15:22 2011 GMT [10771] INFO: [net/http_s.c:227]::DEBUG::HTTP >>> DATA => size (356->1235) >>> >>> --------------------------------------------------------------------------------------------------------------------------------------------------------- >>> >>> --------------------------------------------------------------------------------------------------------------------------------------------------------- >>> Let me know, Iam scratching my head since few days. >>> On Thu, Feb 17, 2011 at 4:39 PM, pradeep reddy >>> <pra...@gm... <mailto:pra...@gm...>> wrote: >>> >>> Hi, >>> I coded scep client with libpki. I am using ejbca as ca server >>> Does libpki scep client works with ejbca CA? >>> As when I send the scep request message, ejbca errors it with below >>> print: >>> 10:44:46,179 INFO [ScepServlet] Received a SCEP message from >>> 127.0.0.1. >>> 10:44:46,187 ERROR [ScepServlet] Error processing SCEP request. >>> java.lang.ClassCastException: org.bouncycastle.asn1.DERSequence >>> cannot be cast to org.bouncycastle.asn1.ASN1TaggedObject >>> at org.bouncycastle.asn1.cms.ContentInfo.<init>(Unknown >>> Source) >>> at >>> org.bouncycastle.asn1.cms.ContentInfo.getInstance(Unknown Source) >>> at org.bouncycastle.asn1.cms.SignedData.<init>(Unknown >>> Source) >>> at org.bouncycastle.asn1.cms.SignedData.getInstance(Unknown >>> Source) >>> at org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source) >>> at org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source) >>> Thanks. >>> >>> >>> >>> >>> >>> ------------------------------------------------------------------------------ >>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE: >>> Pinpoint memory and threading errors before they happen. >>> Find and fix more than 250 security defects in the development cycle. >>> Locate bottlenecks in serial and parallel code that limit performance. >>> http://p.sf.net/sfu/intel-dev2devfeb >>> >>> >>> >>> _______________________________________________ >>> Libpki-users mailing list >>> Lib...@li... >>> https://lists.sourceforge.net/lists/listinfo/libpki-users >>> >> >> >> -- >> >> Best Regards, >> >> Massimiliano Pala >> >> >> --o------------------------------------------------------------------------ >> Massimiliano Pala [OpenCA Project Manager] >> op...@ac... >> >> pro...@op... >> >> Dartmouth Computer Science Dept Home Phone: +1 (603) >> 369-9332 >> PKI/Trust Laboratory Work Phone: +1 (603) >> 646-8734 >> >> --o------------------------------------------------------------------------ >> People who think they know everything are a great annoyance to those of us >> who do. >> -- Isaac Asimov >> >> >> >> ------------------------------------------------------------------------------ >> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE: >> Pinpoint memory and threading errors before they happen. >> Find and fix more than 250 security defects in the development cycle. >> Locate bottlenecks in serial and parallel code that limit performance. >> http://p.sf.net/sfu/intel-dev2devfeb >> _______________________________________________ >> Libpki-users mailing list >> Lib...@li... >> https://lists.sourceforge.net/lists/listinfo/libpki-users >> >> > |
|
From: pradeep r. <pra...@gm...> - 2011-02-21 12:37:31
|
Hi Max,
Thanks you for the pointers:
I am not aware of ejbca internals. But EJBCA is tested with other openssl
used libs, I guess libpki will also work.
1. I have following piece of code:
pkey = PKI_X509_KEYPAIR_new( PKI_SCHEME_RSA, 2048, NULL, NULL, NULL );
digest = PKI_DIGEST_ALG_get_by_key( pkey );
PKI_X509_CERT *signer = PKI_X509_CERT_new ( cacert, pkey, pkcs10req, NULL,
serialbuf, PKI_VALIDITY_ONE_MONTH, NULL, NULL, NULL, NULL );
PKI_X509_SCEP_MSG_add_signer ( scep_msg, signer, pkey, digest);
I set in pki_digest.h, I set the default, #define PKI_DIGEST_DEFAULT_ALG
PKI_DIGEST_ALG_SHA1
But in signer info digest algorithm is still sha256.
Signer Info:
[1 of 1] Signer Details:
Serial=4294967295
Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
Encryption Algoritm=rsaEncryption
Digest Algorithm=sha256
2. I have the following code:
scep_data = PKI_X509_SCEP_DATA_new();
scep_msg = PKI_X509_SCEP_MSG_new(PKI_X509_PKCS7_TYPE_ENCRYPTED))
In creating scep_msg, though I pass PKI_X509_PKCS7_TYPE_ENCRYPTED,
internally scep_msg calls
with PKI_X509_PKCS7_new (PKI_X509_PKCS7_TYPE_SIGNED)
But still receipient(CA) details are not printing and PKCS#7 Message:Message
Type: Signed
I have used the libpki default code. Did not make any changes to libpki
code.
And I have folowing piece of code to send to ejbca:
PKI_MEM *p7mem = PKI_X509_PKCS7_get_raw_data( scep_msg );
char* urlStr = "http://192.168.0.1:8080/ejbca";
URL_put_data ( urlStr, p7mem, "scep client", NULL, 0, 20000, NULL );
Let me know, where I may be going wrong.
On Fri, Feb 18, 2011 at 10:27 PM, Massimiliano Pala <
Mas...@da...> wrote:
> Hi,
>
> I actually never tried the SCEP code with ejbca :( Do you know the
> internals of
> EJBCA ? It seems like an error in the message encoding.. but the error
> message is
> not very useful... Some thoughts:
> - Maybe you should use SHA1 instead of SHA256 ?
> - Shouldn't the request be encrypted with the CA certificate (Message Type:
> encryptedContentData -- PKI_X509_PKCS7_TYPE_ENCRYPTED ?)
>
> Cheers,
> Max
>
>
>
> On 02/18/2011 06:24 AM, pradeep reddy wrote:
>
>> Hi,
>> I am still stuck at this error.
>> Please confirm whether libpki scep client works with ejbca CA.
>> More information. Here Iam printing the pkcs7 structure:
>> Here, BEGIN CERTIFICATE REQUEST is PKCS 10 structure.
>> And When printing the pkcs7, it is saying receipient info is missing,
>> but I have added ca certificate in to scep_data.
>>
>> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [hsm_keypair.c:49]::DEBUG::Getting Default HSM (0xb77863e0/0xb77863e0)
>> generated a new Keypair!
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:408]::DEBUG::Using
>> HSM for Key Operations
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:416]::DEBUG::HSM
>> sign() callback called
>> -----BEGIN CERTIFICATE REQUEST-----
>> MIICfzCCAWcCAQIwOjEUMBIGA1UEAxMLc2NlcGNsaWVudCAxFTATBgNVBAoTDEVK
>> QkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
>> ggEKAoIBAQCpFdqYl5lQErTbWlQRfzuB7FzKqFNK06t1Hdvp4MppudCBZJAX3tqz
>> gpITfLpBp+b2l8tJwasgj+yEPo9NWE5KB70IOKP6csG1JU4Y1CE0mWzwQfxFGYLZ
>> MeiYfXv6nshethMQigAxLXBQ6uhAWmHbNsG9Na7z2KpawghESfcXJ44ALBe0eNek
>> fp5Z+XSjf6FNdIM75d2Qq2OhmX3XWRQ3u4zc6yCIEaoJqB5dX5YEAHuILszekG/Y
>> ej9uGxi/yc8m8SLZ+kBJXSeCjE0PzVbSVHZCosuI/oJfgbokI1WoMF2gkx+9dSCo
>> H5ZXTh9Us+QWVjxMBHRIr4/bqAefCdN9AgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
>> AQEACpu/yavA35kr5nCh+DS4SlbMYl6Cxgs+jKnsM0rX85fuiBmVnqlXWr61UDgp
>> v7mwlAj1hyIYufgbawI0uEKBpcLfD0i2tP4utaNEPHiEcgVQCkM0BSCABgkBl9p2
>> fube42Quw5nT1LD0O85t8mGgrK2RGDv2wQQVZzgm4HLP7NhudD6axFYfU8o8sfBB
>> BpN9Twcm6h/JYHRKMFa/RNqJ38WkAC9BO8PTKJuVd2z8w5V4+ndNg6cRUE8by+tO
>> hJf7y1PmSiQTuTl0SGkmLINTXGp06xIlcY9yAVo4esnn+8GFnvXLHUlqtQCwmY/E
>> YDkEnJ9Y7QcWfK5XKvaDlPkwlg==
>> -----END CERTIFICATE REQUEST-----
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_algor.c:479]::DEBUG::pki_algor.c:479::PKI_DIGEST_ALG_get_by_key()::Return
>> Value is 0xb75b80e0
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:408]::DEBUG::Using
>> HSM for Key Operations
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:416]::DEBUG::HSM
>> sign() callback called
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [io/pki_x509_pkcs7_io.c:282]::DEBUG::B64_DEBUG
>> ptype = 22PKCS#7 Message:
>> Message Type:
>> Signed
>> Message Data:
>> Size=1087 bytes
>> Encrypted=no
>> Signer Info:
>> [1 of 1] Signer Details:
>> Serial=4294967295
>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>> Encryption Algoritm=rsaEncryption
>> Digest Algorithm=sha256
>> Signed Attributes:
>> SCEP Message Type=19
>> contentType=pkcs7-data
>> signingTime=Feb 18 11:15:22 2011 GMT
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error,
>> can not convert string to utf8! [type 4]
>> Sender Nonce=c0:b0:e5:2c:d6:fe:64:4d:b2:d2:b9:31:e7:2e:4c:c4
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error,
>> can not convert string to utf8! [type 4]
>> Recipient
>> Nonce=e5:89:4d:3f:95:2c:c9:58:e1:42:68:e3:30:08:b3:79
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error,
>> can not convert string to utf8! [type 4]
>> Message Digest:
>>
>> 5d:40:11:25:b3:c7:cd:43:37:6f:7f:c4:2d:56:aa:4c:0b:60:c2:11:
>> 86:b3:85:f0:d3:85:21:1b:df:32:2b:0b
>> Transaction
>>
>> Identifier=fb:09:84:3d:d9:4c:3e:34:d2:9f:ee:a1:e8:22:58:1f:20:89:ee:e0:ac:e9:38:a8:6e:46:0c:38:f6:47:b0:8f
>> Non Signed Attributes:
>> None.
>> Recipients Info:
>> No Recipients
>> Certificates:
>> [1 of 1] Certificate:
>> Serial=4294967295
>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>> Subject=CN=scepclient , O=EJBCA Sample, C=SE
>> Fingerprint [SHA256]:
>>
>> 2c:11:0a:7d:c3:3d:fc:bf:41:15:fd:65:54:73:ad:bd:c0:11:f0:2f:
>> 2b:41:a1:df:10:7c:44:0a:25:65:88:fe
>> Certificate Revocation Lists:
>> None.
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [net/pki_socket.c:123]::DEBUG::Creating a simple connection
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [net/sock.c:323]::DEBUG::Connection Successful to *MailScanner warning:
>> numerical links are often malicious:* 127.0.0.1:8080 <
>> http://127.0.0.1:8080>
>>
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [net/http_s.c:227]::DEBUG::HTTP
>> DATA => size (356->1235)
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>> Let me know, Iam scratching my head since few days.
>> On Thu, Feb 17, 2011 at 4:39 PM, pradeep reddy
>> <pra...@gm... <mailto:pra...@gm...>> wrote:
>>
>> Hi,
>> I coded scep client with libpki. I am using ejbca as ca server
>> Does libpki scep client works with ejbca CA?
>> As when I send the scep request message, ejbca errors it with below
>> print:
>> 10:44:46,179 INFO [ScepServlet] Received a SCEP message from
>> 127.0.0.1.
>> 10:44:46,187 ERROR [ScepServlet] Error processing SCEP request.
>> java.lang.ClassCastException: org.bouncycastle.asn1.DERSequence
>> cannot be cast to org.bouncycastle.asn1.ASN1TaggedObject
>> at org.bouncycastle.asn1.cms.ContentInfo.<init>(Unknown
>> Source)
>> at
>> org.bouncycastle.asn1.cms.ContentInfo.getInstance(Unknown Source)
>> at org.bouncycastle.asn1.cms.SignedData.<init>(Unknown Source)
>> at org.bouncycastle.asn1.cms.SignedData.getInstance(Unknown
>> Source)
>> at org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
>> at org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
>> Thanks.
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>> Pinpoint memory and threading errors before they happen.
>> Find and fix more than 250 security defects in the development cycle.
>> Locate bottlenecks in serial and parallel code that limit performance.
>> http://p.sf.net/sfu/intel-dev2devfeb
>>
>>
>>
>> _______________________________________________
>> Libpki-users mailing list
>> Lib...@li...
>> https://lists.sourceforge.net/lists/listinfo/libpki-users
>>
>
>
> --
>
> Best Regards,
>
> Massimiliano Pala
>
> --o------------------------------------------------------------------------
> Massimiliano Pala [OpenCA Project Manager]
> op...@ac...
> pro...@op...
>
> Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
> PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
> --o------------------------------------------------------------------------
> People who think they know everything are a great annoyance to those of us
> who do.
> -- Isaac Asimov
>
>
>
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development cycle.
> Locate bottlenecks in serial and parallel code that limit performance.
> http://p.sf.net/sfu/intel-dev2devfeb
> _______________________________________________
> Libpki-users mailing list
> Lib...@li...
> https://lists.sourceforge.net/lists/listinfo/libpki-users
>
>
|
