From: pradeep r. <pra...@gm...> - 2011-02-17 11:09:54
Hi,
I coded a SCEP client with libpki. I am using EJBCA as the CA server.
Does the libpki SCEP client work with an EJBCA CA?
When I send the SCEP request message, EJBCA errors out with the output below:
10:44:46,179 INFO [ScepServlet] Received a SCEP message from 127.0.0.1.
10:44:46,187 ERROR [ScepServlet] Error processing SCEP request.
java.lang.ClassCastException: org.bouncycastle.asn1.DERSequence cannot be cast to org.bouncycastle.asn1.ASN1TaggedObject
    at org.bouncycastle.asn1.cms.ContentInfo.<init>(Unknown Source)
    at org.bouncycastle.asn1.cms.ContentInfo.getInstance(Unknown Source)
    at org.bouncycastle.asn1.cms.SignedData.<init>(Unknown Source)
    at org.bouncycastle.asn1.cms.SignedData.getInstance(Unknown Source)
    at org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
    at org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
Thanks.
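As an added illustration (this is not code from the thread, from libpki or from EJBCA): Bouncy Castle's ContentInfo constructor reads element 0 of the outer SEQUENCE as the content-type OID and casts element 1 to ASN1TaggedObject, the [0] EXPLICIT wrapper around the content. The ClassCastException above therefore means that whatever arrived in that second slot was decoded as a plain SEQUENCE rather than the tagged wrapper. The Python script below, using constructed sample blobs, checks exactly that outer shape of a DER buffer and names the content type, so a client author can inspect what actually goes on the wire before the server parses it; it also flags PEM armour, which a parser expecting raw DER rejects at the first byte. The OID table and the sample inputs are assumptions made for the example.

```python
"""Check whether a blob has the outer CMS ContentInfo shape a SCEP server parses.

ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER, content [0] EXPLICIT ANY }
Bouncy Castle's ContentInfo(ASN1Sequence) casts element 1 to ASN1TaggedObject,
so a SEQUENCE (or any other type) in that slot raises the ClassCastException.
"""
import base64

# Content-type OIDs from RFC 5652 (CMS); lookup table constructed for this example.
OID_NAMES = {
    "1.2.840.113549.1.7.1": "id-data",
    "1.2.840.113549.1.7.2": "id-signedData",
    "1.2.840.113549.1.7.3": "id-envelopedData",
}

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_CTX0_EXPLICIT = 0xA0   # context-specific, constructed, tag number 0


def read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]. Returns (tag, value_bytes, end_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated: no tag byte")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    if pos >= len(buf):
        raise ValueError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first                      # short form
    else:
        n = first & 0x7F                    # long form: n length bytes follow
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        if pos + n > len(buf):
            raise ValueError("truncated: length bytes")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated: value shorter than declared length")
    return tag, buf[pos:end], end


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:                     # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if len(value) > 1 and value[-1] & 0x80:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def inspect_content_info(blob):
    """Describe the outer object of blob; ok=True only for a well-formed ContentInfo."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        return {"ok": False, "reason": "PEM armour, not DER: a DER parser fails at byte 0"}
    try:
        tag, body, end = read_tlv(blob)
        if tag != TAG_SEQUENCE:
            return {"ok": False, "reason": f"outer tag 0x{tag:02x} is not SEQUENCE"}
        if end != len(blob):
            return {"ok": False, "reason": f"{len(blob) - end} trailing byte(s) after outer SEQUENCE"}
        t1, v1, pos = read_tlv(body)
        if t1 != TAG_OID:
            return {"ok": False, "reason": f"element 0 tag 0x{t1:02x} is not OBJECT IDENTIFIER"}
        oid = decode_oid(v1)
        t2, v2, pos = read_tlv(body, pos)   # element 1 must be [0] EXPLICIT
    except ValueError as exc:
        return {"ok": False, "reason": f"DER error: {exc}"}
    if t2 != TAG_CTX0_EXPLICIT:
        return {"ok": False, "content_type": oid,
                "reason": f"element 1 tag 0x{t2:02x} is not [0] EXPLICIT; "
                          "Bouncy Castle fails its ASN1TaggedObject cast here"}
    return {"ok": True, "content_type": oid,
            "content_type_name": OID_NAMES.get(oid, "unknown"),
            "content_length": len(v2)}


# Constructed sample inputs (not taken from the thread).
OID_DATA = bytes.fromhex("06092a864886f70d010701")    # id-data
OID_SIGNED = bytes.fromhex("06092a864886f70d010702")  # id-signedData
GOOD_DATA = bytes([0x30, 0x11]) + OID_DATA + bytes.fromhex("a0040402") + b"hi"
GOOD_SIGNED = bytes([0x30, 0x0F]) + OID_SIGNED + bytes.fromhex("a0023000")  # outer shape only
BAD_SEQ = bytes([0x30, 0x11]) + OID_DATA + bytes.fromhex("30040402") + b"hi"  # SEQUENCE, not [0]
PEM_SAMPLE = b"-----BEGIN PKCS7-----\n" + base64.encodebytes(GOOD_DATA) + b"-----END PKCS7-----\n"

if __name__ == "__main__":
    for name, blob in [("id-data", GOOD_DATA), ("id-signedData", GOOD_SIGNED),
                       ("SEQUENCE in content slot", BAD_SEQ), ("PEM armour", PEM_SAMPLE)]:
        print(f"{name}: {inspect_content_info(blob)}")
```

The check stops at the outer ContentInfo on purpose: it answers the question the stack trace raises (is this a ContentInfo, and in what encoding?) without reimplementing SignedData parsing, and the same two helpers can be pointed at the [0] EXPLICIT payload to walk further in.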
From: pradeep r. <pra...@gm...> - 2011-02-18 11:24:49
Hi,
I am still stuck at this error.
Please confirm whether the libpki SCEP client works with an EJBCA CA.
More information: here I am printing the PKCS#7 structure.
Here, BEGIN CERTIFICATE REQUEST is the PKCS#10 structure.
And when printing the PKCS#7, it says the recipient info is missing, but I
have added the CA certificate to scep_data.
----------------------------------------------------------------------
Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_keypair.c:49]::DEBUG::Getting
Default HSM (0xb77863e0/0xb77863e0)
generated a new Keypair!
Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:408]::DEBUG::Using HSM
for Key Operations
Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:416]::DEBUG::HSM sign()
callback called
-----BEGIN CERTIFICATE REQUEST-----
MIICfzCCAWcCAQIwOjEUMBIGA1UEAxMLc2NlcGNsaWVudCAxFTATBgNVBAoTDEVK
QkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCpFdqYl5lQErTbWlQRfzuB7FzKqFNK06t1Hdvp4MppudCBZJAX3tqz
gpITfLpBp+b2l8tJwasgj+yEPo9NWE5KB70IOKP6csG1JU4Y1CE0mWzwQfxFGYLZ
MeiYfXv6nshethMQigAxLXBQ6uhAWmHbNsG9Na7z2KpawghESfcXJ44ALBe0eNek
fp5Z+XSjf6FNdIM75d2Qq2OhmX3XWRQ3u4zc6yCIEaoJqB5dX5YEAHuILszekG/Y
ej9uGxi/yc8m8SLZ+kBJXSeCjE0PzVbSVHZCosuI/oJfgbokI1WoMF2gkx+9dSCo
H5ZXTh9Us+QWVjxMBHRIr4/bqAefCdN9AgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
AQEACpu/yavA35kr5nCh+DS4SlbMYl6Cxgs+jKnsM0rX85fuiBmVnqlXWr61UDgp
v7mwlAj1hyIYufgbawI0uEKBpcLfD0i2tP4utaNEPHiEcgVQCkM0BSCABgkBl9p2
fube42Quw5nT1LD0O85t8mGgrK2RGDv2wQQVZzgm4HLP7NhudD6axFYfU8o8sfBB
BpN9Twcm6h/JYHRKMFa/RNqJ38WkAC9BO8PTKJuVd2z8w5V4+ndNg6cRUE8by+tO
hJf7y1PmSiQTuTl0SGkmLINTXGp06xIlcY9yAVo4esnn+8GFnvXLHUlqtQCwmY/E
YDkEnJ9Y7QcWfK5XKvaDlPkwlg==
-----END CERTIFICATE REQUEST-----
Feb 18 11:15:22 2011 GMT [10771] INFO:
[pki_algor.c:479]::DEBUG::pki_algor.c:479::PKI_DIGEST_ALG_get_by_key()::Return
Value is 0xb75b80e0
Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:408]::DEBUG::Using HSM
for Key Operations
Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:416]::DEBUG::HSM sign()
callback called
Feb 18 11:15:22 2011 GMT [10771] INFO:
[pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
Feb 18 11:15:22 2011 GMT [10771] INFO:
[pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
Feb 18 11:15:22 2011 GMT [10771] INFO:
[pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
Feb 18 11:15:22 2011 GMT [10771] INFO:
[pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
Feb 18 11:15:22 2011 GMT [10771] INFO:
[io/pki_x509_pkcs7_io.c:282]::DEBUG::B64_DEBUG
ptype = 22
PKCS#7 Message:
Message Type:
Signed
Message Data:
Size=1087 bytes
Encrypted=no
Signer Info:
[1 of 1] Signer Details:
Serial=4294967295
Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
Encryption Algoritm=rsaEncryption
Digest Algorithm=sha256
Signed Attributes:
SCEP Message Type=19
contentType=pkcs7-data
signingTime=Feb 18 11:15:22 2011 GMT
Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, can
not convert string to utf8! [type 4]
Sender Nonce=c0:b0:e5:2c:d6:fe:64:4d:b2:d2:b9:31:e7:2e:4c:c4
Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, can
not convert string to utf8! [type 4]
Recipient Nonce=e5:89:4d:3f:95:2c:c9:58:e1:42:68:e3:30:08:b3:79
Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, can
not convert string to utf8! [type 4]
Message Digest:
5d:40:11:25:b3:c7:cd:43:37:6f:7f:c4:2d:56:aa:4c:0b:60:c2:11:
86:b3:85:f0:d3:85:21:1b:df:32:2b:0b
Transaction
Identifier=fb:09:84:3d:d9:4c:3e:34:d2:9f:ee:a1:e8:22:58:1f:20:89:ee:e0:ac:e9:38:a8:6e:46:0c:38:f6:47:b0:8f
Non Signed Attributes:
None.
Recipients Info:
No Recipients
Certificates:
[1 of 1] Certificate:
Serial=4294967295
Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
Subject=CN=scepclient , O=EJBCA Sample, C=SE
Fingerprint [SHA256]:
2c:11:0a:7d:c3:3d:fc:bf:41:15:fd:65:54:73:ad:bd:c0:11:f0:2f:
2b:41:a1:df:10:7c:44:0a:25:65:88:fe
Certificate Revocation Lists:
None.
Feb 18 11:15:22 2011 GMT [10771] INFO:
[net/pki_socket.c:123]::DEBUG::Creating a simple connection
Feb 18 11:15:22 2011 GMT [10771] INFO: [net/sock.c:323]::DEBUG::Connection
Successful to 127.0.0.1:8080
Feb 18 11:15:22 2011 GMT [10771] INFO: [net/http_s.c:227]::DEBUG::HTTP DATA
=> size (356->1235)
----------------------------------------------------------------------
Let me know; I have been scratching my head over this for a few days.
From: Massimiliano P. <Mas...@Da...> - 2011-02-18 16:56:05
Attachments:
smime.p7s
Hi,
I actually never tried the SCEP code with ejbca :( Do you know the internals of
EJBCA? It seems like an error in the message encoding.. but the error message is
not very useful... Some thoughts:
- Maybe you should use SHA1 instead of SHA256?
- Shouldn't the request be encrypted with the CA certificate (Message Type:
encryptedContentData -- PKI_X509_PKCS7_TYPE_ENCRYPTED)?
Cheers,
Max
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]
op...@ac...
pro...@op...
Dartmouth Computer Science Dept        Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory                   Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us who do.
-- Isaac Asimov
_______________________________________________
Libpki-users mailing list
Lib...@li...
https://lists.sourceforge.net/lists/listinfo/libpki-users
From: pradeep r. <pra...@gm...> - 2011-02-21 12:37:31
Hi Max,
Thank you for the pointers.
I am not aware of EJBCA internals. But EJBCA is tested with other OpenSSL-based
libs, so I guess libpki will also work.
1. I have the following piece of code:
pkey = PKI_X509_KEYPAIR_new( PKI_SCHEME_RSA, 2048, NULL, NULL, NULL );
digest = PKI_DIGEST_ALG_get_by_key( pkey );
PKI_X509_CERT *signer = PKI_X509_CERT_new ( cacert, pkey, pkcs10req, NULL,
serialbuf, PKI_VALIDITY_ONE_MONTH, NULL, NULL, NULL, NULL );
PKI_X509_SCEP_MSG_add_signer ( scep_msg, signer, pkey, digest );
In pki_digest.h I set the default:
#define PKI_DIGEST_DEFAULT_ALG PKI_DIGEST_ALG_SHA1
But in the signer info the digest algorithm is still sha256.
Signer Info:
[1 of 1] Signer Details:
Serial=4294967295
Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
Encryption Algoritm=rsaEncryption
Digest Algorithm=sha256
2. I have the following code:
scep_data = PKI_X509_SCEP_DATA_new();
scep_msg = PKI_X509_SCEP_MSG_new( PKI_X509_PKCS7_TYPE_ENCRYPTED );
Though I pass PKI_X509_PKCS7_TYPE_ENCRYPTED when creating scep_msg, internally
it calls PKI_X509_PKCS7_new( PKI_X509_PKCS7_TYPE_SIGNED ).
But still the recipient (CA) details are not printed, and the output shows
PKCS#7 Message: Message Type: Signed.
I have used the default libpki code and did not make any changes to the libpki
code.
And I have the following piece of code to send to EJBCA:
PKI_MEM *p7mem = PKI_X509_PKCS7_get_raw_data( scep_msg );
char *urlStr = "http://192.168.0.1:8080/ejbca";
URL_put_data ( urlStr, p7mem, "scep client", NULL, 0, 20000, NULL );
Let me know where I may be going wrong.
From: pradeep r. <pra...@gm...> - 2011-02-21 14:03:36
Hi Max,
At last EJBCA is accepting the message. I used:
PKI_X509_PKCS7_put( scep_msg, PKI_DATA_FORMAT_ASN1, urlStr, NULL, cred, NULL );
It now fails the message with "POPO verification failed". I am debugging the error.
BTW, can you let me know how to make the digest use SHA1 instead of SHA256?
|
From: Massimiliano P. <Mas...@Da...> - 2011-02-21 16:15:24
Attachments:
smime.p7s
|
Hi,
you should try to use different functions that ease encoding of the message.
I think you are missing the final step - the encoding part. To make things
easier, you should use the following function:
// Generates and encodes a new PKI Cert Request (SCEP)
PKI_X509_SCEP_MSG * PKI_X509_SCEP_MSG_new_certreq ( PKI_X509_KEYPAIR *key,
PKI_X509_REQ *req, PKI_X509_CERT *signer,
PKI_X509_CERT_STACK *recipients );
Alternatively, you can do things on your own. First you generate the scep
"DATA" - which is the core of the SCEP message:
...
// Allocates the memory
scep_data = PKI_X509_SCEP_DATA_new();
// Add a Recipient
PKI_X509_SCEP_DATA_add_recipient( scep_data, cacert );
// Now put the data (PKCS#10 request or any other PKI_X509 object - it
// could be a certificate, a crl, etc.. it depends on the type of message)
PKI_X509_SCEP_DATA_set_x509_obj( scep_data, req );
Supposing you have the scep_data, now you have to encode the message.
Here's an example:
// Alloc the memory
msg = PKI_X509_SCEP_MSG_new(PKI_X509_SCEP_MSG_PKCSREQ);
// Adds the signer (outer PKCS#7 envelope)
PKI_X509_SCEP_MSG_add_signer(msg, signerCert,
signerKey, PKI_DIGEST_ALG_SHA1);
// Sets the NONCE
PKI_X509_SCEP_MSG_set_sender_nonce( msg, NULL );
// Sets the message type (in this case a PKCSREQ)
PKI_X509_SCEP_MSG_set_type(msg, PKI_X509_SCEP_MSG_PKCSREQ );
// Final Step - encoding of the data
PKI_X509_SCEP_MSG_encode(msg, scep_data);
Another possibility - but the API requires more work - is to generate a
"generic" PKI request message and encode it in the SCEP format. Here's
an example:
// Generates a generic PKI Request Message
PKI_MSG_REQ *msg = NULL;
msg = PKI_MSG_REQ_new ( PKI_MSG_REQ_ACTION_CERTREQ,
subject, NULL, tk->keypair, NULL, cacert );
// Sets some properties of the request
PKI_MSG_REQ_set_loa ( msg, "2");
PKI_MSG_REQ_set_template ( msg, "CA Operator");
// Sets the Encoding protocol
PKI_MSG_REQ_set_proto( msg, PKI_MSG_PROTO_SCEP );
// Now you can save the message
PKI_MSG_REQ_put ( msg, PKI_DATA_FORMAT_PEM, "scep.pem",
NULL, NULL, NULL, 0 );
// Or simply send it to the recipient (the CA)
if(( r = PKI_MSG_REQ_send ( msg, tk, url_s )) == NULL ) {
// ERROR!
return 1;
}
// Save the Response
PKI_MSG_RESP_put ( r, PKI_DATA_FORMAT_PEM, "out/scep.pem",
NULL, NULL, NULL );
In future versions I will probably add the possibility to pick the
digest algorithm in PKI_X509_SCEP_MSG_new_certreq() directly :) But the
new SCEP draft should allow you to use SHA-2 algorithms as well... :D
Let me know,
Cheers,
Max
On 02/21/2011 09:03 AM, pradeep reddy wrote:
> Hi Max,
> At last EJBCA is accepting the message.
> I have used PKI_X509_PKCS7_put( scep_msg, PKI_DATA_FORMAT_ASN1, urlStr,
> NULL, cred, NULL);
> It is failing the message with "POPO verification failed".
> I am debugging the error.
> BTW, can you let me know how to make the digest use SHA1 instead of
> SHA256?
>
> On Mon, Feb 21, 2011 at 6:07 PM, pradeep reddy
> <pra...@gm... <mailto:pra...@gm...>> wrote:
>
> Hi Max,
> Thank you for the pointers:
> I am not aware of EJBCA internals. But EJBCA is tested with other
> OpenSSL-based libs, so I guess libpki will also work.
> 1. I have the following piece of code:
> pkey = PKI_X509_KEYPAIR_new( PKI_SCHEME_RSA, 2048, NULL, NULL, NULL );
> digest = PKI_DIGEST_ALG_get_by_key( pkey );
> PKI_X509_CERT *signer = PKI_X509_CERT_new ( cacert, pkey, pkcs10req,
> NULL, serialbuf, PKI_VALIDITY_ONE_MONTH, NULL, NULL, NULL, NULL );
> PKI_X509_SCEP_MSG_add_signer ( scep_msg, signer, pkey, digest);
> In pki_digest.h I set the default: #define
> PKI_DIGEST_DEFAULT_ALG PKI_DIGEST_ALG_SHA1
> But in the signer info the digest algorithm is still sha256.
> Signer Info:
> [1 of 1] Signer Details:
> Serial=4294967295
> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
> Encryption Algoritm=rsaEncryption
> Digest Algorithm=sha256
> 2. I have the following code:
> scep_data = PKI_X509_SCEP_DATA_new();
> scep_msg = PKI_X509_SCEP_MSG_new(PKI_X509_PKCS7_TYPE_ENCRYPTED);
> In creating scep_msg, though I pass PKI_X509_PKCS7_TYPE_ENCRYPTED,
> internally scep_msg calls
> PKI_X509_PKCS7_new (PKI_X509_PKCS7_TYPE_SIGNED)
> But still the recipient (CA) details are not printed, and PKCS#7
> Message: Message Type: Signed
> I have used the libpki default code. I did not make any changes to the
> libpki code.
> And I have the following piece of code to send to EJBCA:
> PKI_MEM *p7mem = PKI_X509_PKCS7_get_raw_data( scep_msg );
> char *urlStr = "http://192.168.0.1:8080/ejbca";
> URL_put_data ( urlStr, p7mem, "scep client", NULL, 0, 20000, NULL );
> Let me know where I may be going wrong.
>
> On Fri, Feb 18, 2011 at 10:27 PM, Massimiliano Pala
> <Mas...@da...
> <mailto:Mas...@da...>> wrote:
>
> Hi,
>
> I actually never tried the SCEP code with EJBCA :( Do you know
> the internals of EJBCA? It seems like an error in the message
> encoding... but the error message is not very useful... Some thoughts:
> - Maybe you should use SHA1 instead of SHA256?
> - Shouldn't the request be encrypted with the CA certificate
> (Message Type: encryptedContentData -- PKI_X509_PKCS7_TYPE_ENCRYPTED)?
>
> Cheers,
> Max
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] op...@ac...
pro...@op...
Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov
|
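The structural point behind the Feb 17 BouncyCastle error and the encoding advice in the reply above, as an added example that is not part of this thread and not libpki, EJBCA or BouncyCastle code: EJBCA's stack trace fails inside SignedData while it builds the encapsulated ContentInfo, whose second element it casts to ASN1TaggedObject; that cast throws when the element is a SEQUENCE instead of the [0] EXPLICIT wrapper, which is what an inner message that skipped the final encoding step looks like. The dependency-free Python walker below decodes DER by hand, checks the nesting a SCEP PKCSReq must have (ContentInfo signedData -> SignedData -> encapContentInfo pkcs7-data -> OCTET STRING -> EnvelopedData), and reports which defect it finds in each of three constructed sample messages. The samples are skeletons built inside the block (no signatures, no keys, a placeholder EnvelopedData body), and every name in it (check_scep_pkcsreq, sample_well_formed and the rest) is this example's own, not an API of any of those projects.

```python
"""Check the CMS/PKCS#7 nesting of a SCEP PKCSReq with a small DER walker.
Added example, not libpki, EJBCA or BouncyCastle code; pure Python, no dependencies.
The messages it checks are constructed skeletons (empty digestAlgorithms and
signerInfos, placeholder EnvelopedData body): only the nesting is under test."""
INT, OCTET, OID, SEQ, SET, CTX0 = 0x02, 0x04, 0x06, 0x30, 0x31, 0xA0
# DER-encoded OID values (tag and length stripped) of the three CMS content types
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")      # 1.2.840.113549.1.7.1
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")     # 1.2.840.113549.1.7.2
OID_ENVELOPED_DATA = bytes.fromhex("2a864886f70d010703")  # 1.2.840.113549.1.7.3
NAMES = {OID_PKCS7_DATA: "pkcs7-data", OID_SIGNED_DATA: "signedData",
         OID_ENVELOPED_DATA: "envelopedData"}

# ---- DER encoding, used only to build the constructed samples (short lengths) ----
def tlv(tag, content):
    assert len(content) < 0x80, "samples stay below the long-form length boundary"
    return bytes([tag, len(content)]) + content
def content_info(ctype, inner):
    """ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }"""
    return tlv(SEQ, tlv(OID, ctype) + tlv(CTX0, inner))

# ---- DER decoding ----
def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the TLV at buf[pos]; long-form lengths capped at 4 bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if not 0 < n <= 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_content_info(tag, val):
    """Return (contentType name, content) or raise ValueError naming the defect.  The [0]
    check is the cast to ASN1TaggedObject in BouncyCastle's ContentInfo constructor, i.e.
    the ClassCastException EJBCA logged in this thread."""
    kids = children(val) if tag == SEQ else []
    if len(kids) != 2 or kids[0][0] != OID:
        raise ValueError("ContentInfo must be SEQUENCE { OID, [0] content }")
    ctype, (ctag, content) = NAMES.get(kids[0][1], kids[0][1].hex()), kids[1]
    if ctag != CTX0:
        raise ValueError("content of %s has tag 0x%02x, expected [0] EXPLICIT (0xa0)"
                         % (ctype, ctag))
    return ctype, content

def check_scep_pkcsreq(der):
    """Walk outer SignedData -> encapContentInfo -> OCTET STRING payload.  A structural
    defect yields {"error": ...}; otherwise the result says whether the payload is the
    EnvelopedData (pkcsPKIEnvelope) that SCEP requires around the PKCS#10."""
    try:
        ctype, content = parse_content_info(*read_tlv(der)[:2])
        if ctype != "signedData":
            raise ValueError("outer content is %s, expected signedData" % ctype)
        tag, sd, _ = read_tlv(content)
        fields = children(sd) if tag == SEQ else []
        if len(fields) < 4 or fields[0][0] != INT:
            raise ValueError("malformed SignedData")
        inner_type, inner = parse_content_info(*fields[2])  # encapContentInfo
        ptag, payload, _ = read_tlv(inner)
        if inner_type != "pkcs7-data" or ptag != OCTET:
            raise ValueError("encapsulated content must be pkcs7-data in an OCTET STRING")
    except ValueError as e:
        return {"error": str(e)}
    try:
        payload_type, _ = parse_content_info(*read_tlv(payload)[:2])
    except ValueError:
        payload_type = None  # e.g. a raw PKCS#10 dropped in unencrypted
    return {"payload_type": payload_type, "enveloped": payload_type == "envelopedData"}

# ---- constructed samples ----
def _signed_data(encap):
    return tlv(SEQ, tlv(INT, b"\x01") + tlv(SET, b"") + encap + tlv(SET, b""))
PLACEHOLDER_ENVELOPED = content_info(OID_ENVELOPED_DATA, tlv(SEQ, tlv(INT, b"\x00")))
PLACEHOLDER_PKCS10 = tlv(SEQ, tlv(SEQ, tlv(INT, b"\x00")))  # stands in for a CSR
def sample_well_formed():
    encap = content_info(OID_PKCS7_DATA, tlv(OCTET, PLACEHOLDER_ENVELOPED))
    return content_info(OID_SIGNED_DATA, _signed_data(encap))
def sample_unencrypted():  # PKCS#10 signed but never enveloped: walks, yet not a PKCSReq
    encap = content_info(OID_PKCS7_DATA, tlv(OCTET, PLACEHOLDER_PKCS10))
    return content_info(OID_SIGNED_DATA, _signed_data(encap))
def sample_untagged():  # bare SEQUENCE where [0] EXPLICIT belongs: the ClassCastException shape
    encap = tlv(SEQ, tlv(OID, OID_PKCS7_DATA) + PLACEHOLDER_ENVELOPED)
    return content_info(OID_SIGNED_DATA, _signed_data(encap))

if __name__ == "__main__":
    for name, build in (("well-formed", sample_well_formed),
                        ("unencrypted", sample_unencrypted), ("untagged", sample_untagged)):
        print(name, check_scep_pkcsreq(build()))
```

Run as a script to see the three verdicts: the well-formed skeleton reports enveloped True; the signed-but-not-enveloped PKCS#10 (the shape in the libpki dump earlier in the thread, "Encrypted=no", "No Recipients") walks cleanly but reports enveloped False; the untagged sample is rejected at exactly the element BouncyCastle could not cast. Pointing check_scep_pkcsreq at the raw bytes a client is about to POST is a cheap pre-flight before the CA's parser sees them.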
|
From: pradeep r. <pra...@gm...> - 2011-02-23 08:56:01
|
Hi Max,
I used the first method, using the PKI_X509_PKCS7 structures.
And EJBCA is sending the success response. But the response message does not
contain the created certificate.
I am running the following code:
// Send the request and read the CA response into sceprespmem
URL_put_data_url ( url, scepmem, (char *) mime, &sceprespmem, 60, 0, ssl );
p7_resp = PKI_X509_PKCS7_get_mem ( sceprespmem, NULL );
PKI_X509_PKCS7_put ( p7_resp, PKI_DATA_FORMAT_PEM, "scep-resp.pem", NULL,
cred, NULL );
PKI_X509_PKCS7_put ( p7_resp, PKI_DATA_FORMAT_TXT, "scep-resp.txt", NULL,
cred, NULL );
int certnum = PKI_X509_PKCS7_get_certs_num( p7_resp );
Here certnum returns -1. In the output below, the certificates field is NULL, though in
the EJBCA logs I see the certificate is added to the response message.
Let me know if this is the correct way to get the certificate from the response
message.
scep-resp.txt:
PKCS#7 Message:
Message Type:
Signed
Message Data:
Size=2280 bytes
Encrypted=no
Signer Info:
[1 of 1] Signer Details:
Serial=783996641852637500
Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
Encryption Algoritm=rsaEncryption
Digest Algorithm=sha256
Signed Attributes:
SCEP Message Type=3
Status=0
contentType=pkcs7-data
signingTime=Feb 23 08:44:47 2011 GMT
Sender Nonce=5d:ad:28:5c:d3:58:85:d7:75:42:91:e2:bf:3d:ca:08
Recipient Nonce=df:5b:f8:13:68:ff:a5:b0:e4:13:f1:a3:10:74:f5:4f
Message Digest:
42:2d:9e:2f:eb:a7:d0:99:ff:71:72:5f:12:cd:ff:be:74:09:2f:60:
f6:8c:67:4d:f9:41:f7:e8:fa:5e:25:b7
Transaction
Identifier=81:8c:9f:e9:95:d6:56:03:ef:62:fc:48:f5:9d:8e:3f:cf:15:a6:48:64:54:dd:23:b7:a3:69:76:75:8b:4d:7b
Non Signed Attributes:
None.
Recipients Info:
No Recipients
Certificates:
None.
Certificate Revocation Lists:
None.
Thanks.
On Mon, Feb 21, 2011 at 9:46 PM, Massimiliano Pala <
Mas...@da...> wrote:
> Hi,
>
> you should try to use different functions that ease encoding of the
> message.
> I think you are missing the final step - the encoding part. To make things
> easier, you should use the following function:
>
> // Generates and encodes a new PKI Cert Request (SCEP)
> PKI_X509_SCEP_MSG * PKI_X509_SCEP_MSG_new_certreq ( PKI_X509_KEYPAIR
> *key,
> PKI_X509_REQ *req, PKI_X509_CERT *signer,
> PKI_X509_CERT_STACK *recipients );
>
> Alternatively, you can do things on your own. First you generate the scep
> "DATA" - which is the core of the SCEP message:
>
> ...
>
> // Allocates the memory
>
> scep_data = PKI_X509_SCEP_DATA_new();
>
> // Add a Recipient
> PKI_X509_SCEP_DATA_add_recipient( scep_data, cacert );
>
> // Now put the data (PKCS#10 request or any other PKI_X509 object - it
> // could be a certificate, a crl, etc.. it depends on the type of message)
> PKI_X509_SCEP_DATA_set_x509_obj( scep_data, req );
>
> Supposing you have the scep_data, now you have to encode the message.
> Here's an example:
>
> // Alloc the memory
> msg = PKI_X509_SCEP_MSG_new(PKI_X509_SCEP_MSG_PKCSREQ);
>
> // Adds the signer (outer PKCS#7 envelope)
> PKI_X509_SCEP_MSG_add_signer(msg, signerCert,
> signerKey, PKI_DIGEST_ALG_SHA1);
>
> // Sets the NONCE
> PKI_X509_SCEP_MSG_set_sender_nonce( msg, NULL );
>
> // Sets the message type (in this case a PKCSREQ)
> PKI_X509_SCEP_MSG_set_type(msg, PKI_X509_SCEP_MSG_PKCSREQ );
>
> // Final Step - encoding of the data
> PKI_X509_SCEP_MSG_encode(msg, scep_data);
>
>
> Another possibility - but the API requires more work - is to generate a
> "generic" PKI request message and encode it in the SCEP format. Here's
> an example:
>
> // Generates a generic PKI Request Message
> PKI_MSG_REQ *msg = NULL;
> msg = PKI_MSG_REQ_new ( PKI_MSG_REQ_ACTION_CERTREQ,
> subject, NULL, tk->keypair, NULL, cacert );
>
> // Sets some properties of the request
> PKI_MSG_REQ_set_loa ( msg, "2");
> PKI_MSG_REQ_set_template ( msg, "CA Operator");
>
> // Sets the Encoding protocol
> PKI_MSG_REQ_set_proto( msg, PKI_MSG_PROTO_SCEP );
>
> // Now you can save the message
> PKI_MSG_REQ_put ( msg, PKI_DATA_FORMAT_PEM, "scep.pem",
> NULL, NULL, NULL, 0 );
>
> // Or simply send it to the recipient (the CA)
> if(( r = PKI_MSG_REQ_send ( msg, tk, url_s )) == NULL ) {
> // ERROR!
> return 1;
> }
>
> // Save the Response
> PKI_MSG_RESP_put ( r, PKI_DATA_FORMAT_PEM, "out/scep.pem",
> NULL, NULL, NULL );
>
> In the future versions I will probably add the possibility to pick the
> Digest algor in the PKI_X509_SCEP_MSG_new_certreq() directly :) But the
> new SCEP draft should allow you to use SHA2 algorithms as well... :D
>
> Let me know,
>
> Cheers,
> Max
>
>
>
> On 02/21/2011 09:03 AM, pradeep reddy wrote:
>
>> Hi Max,
>> At last ejbca accepting the message.
>> I have used, PKI_X509_PKCS7_put( scep_msg, PKI_DATA_FORMAT_ASN1, urlStr,
>> NULL, cred, NULL);
>> It is failing the message with, POPO verification failed.
>> I debugging the error.
>> BTW, can you let me know, how to make digest use the sha1. instead of
>> sha256.
>>
>> On Mon, Feb 21, 2011 at 6:07 PM, pradeep reddy
>> <pra...@gm... <mailto:pra...@gm...>> wrote:
>>
>> Hi Max,
>> Thanks you for the pointers:
>> I am not aware of ejbca internals. But EJBCA is tested with other
>> openssl used libs, I guess libpki will also work.
>> 1. I have following piece of code:
>> pkey = PKI_X509_KEYPAIR_new( PKI_SCHEME_RSA, 2048, NULL, NULL, NULL );
>> digest = PKI_DIGEST_ALG_get_by_key( pkey );
>> PKI_X509_CERT *signer = PKI_X509_CERT_new ( cacert, pkey, pkcs10req,
>> NULL, serialbuf, PKI_VALIDITY_ONE_MONTH, NULL, NULL, NULL, NULL );
>> PKI_X509_SCEP_MSG_add_signer ( scep_msg, signer, pkey, digest);
>> I set in pki_digest.h, I set the default, #define
>> PKI_DIGEST_DEFAULT_ALG PKI_DIGEST_ALG_SHA1
>> But in signer info digest algorithm is still sha256.
>> Signer Info:
>> [1 of 1] Signer Details:
>> Serial=4294967295
>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>> Encryption Algoritm=rsaEncryption
>> Digest Algorithm=sha256
>> 2. I have the following code:
>> scep_data = PKI_X509_SCEP_DATA_new();
>> scep_msg = PKI_X509_SCEP_MSG_new(PKI_X509_PKCS7_TYPE_ENCRYPTED))
>> In creating scep_msg, though I pass PKI_X509_PKCS7_TYPE_ENCRYPTED,
>> internally scep_msg calls
>> with PKI_X509_PKCS7_new (PKI_X509_PKCS7_TYPE_SIGNED)
>> But still receipient(CA) details are not printing and PKCS#7
>> Message:Message Type: Signed
>> I have used the libpki default code. Did not make any changes to
>> libpki code.
>> And I have folowing piece of code to send to ejbca:
>> PKI_MEM *p7mem = PKI_X509_PKCS7_get_raw_data( scep_msg );
>> char* urlStr = "*MailScanner warning: numerical links are often
>> malicious:* http://192.168.0.1:8080/ejbca";
>> <http://192.168.0.1:8080/ejbca%22;>
>>
>> URL_put_data ( urlStr, p7mem, "scep client", NULL, 0, 20000, NULL );
>> Let me know, where I may be going wrong.
>>
>> On Fri, Feb 18, 2011 at 10:27 PM, Massimiliano Pala
>> <Mas...@da...
>> <mailto:Mas...@da...>> wrote:
>>
>> Hi,
>>
>> I actually never tried the SCEP code with ejbca :( Do you know
>> the internals of
>> EJBCA ? It seems like an error in the message encoding.. but the
>> error message is
>> not very useful... Some thoughts:
>> - Maybe you should use SHA1 instead of SHA256 ?
>> - Shouldn't the request be encrypted with the CA certificate
>> (Message Type:
>> encryptedContentData -- PKI_X509_PKCS7_TYPE_ENCRYPTED ?)
>>
>> Cheers,
>> Max
>>
>>
>>
>> On 02/18/2011 06:24 AM, pradeep reddy wrote:
>>
>> Hi,
>> I am still stuck at this error.
>> Please confirm whether libpki scep client works with ejbca CA.
>> More information. Here Iam printing the pkcs7 structure:
>> Here, BEGIN CERTIFICATE REQUEST is PKCS 10 structure.
>> And When printing the pkcs7, it is saying receipient info is
>> missing,
>> but I have added ca certificate in to scep_data.
>>
>> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [hsm_keypair.c:49]::DEBUG::Getting Default HSM
>> (0xb77863e0/0xb77863e0)
>> generated a new Keypair!
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [hsm_main.c:408]::DEBUG::Using
>> HSM for Key Operations
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [hsm_main.c:416]::DEBUG::HSM
>> sign() callback called
>> -----BEGIN CERTIFICATE REQUEST-----
>>
>> MIICfzCCAWcCAQIwOjEUMBIGA1UEAxMLc2NlcGNsaWVudCAxFTATBgNVBAoTDEVK
>>
>> QkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
>>
>> ggEKAoIBAQCpFdqYl5lQErTbWlQRfzuB7FzKqFNK06t1Hdvp4MppudCBZJAX3tqz
>>
>> gpITfLpBp+b2l8tJwasgj+yEPo9NWE5KB70IOKP6csG1JU4Y1CE0mWzwQfxFGYLZ
>>
>> MeiYfXv6nshethMQigAxLXBQ6uhAWmHbNsG9Na7z2KpawghESfcXJ44ALBe0eNek
>>
>> fp5Z+XSjf6FNdIM75d2Qq2OhmX3XWRQ3u4zc6yCIEaoJqB5dX5YEAHuILszekG/Y
>>
>> ej9uGxi/yc8m8SLZ+kBJXSeCjE0PzVbSVHZCosuI/oJfgbokI1WoMF2gkx+9dSCo
>>
>> H5ZXTh9Us+QWVjxMBHRIr4/bqAefCdN9AgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
>>
>> AQEACpu/yavA35kr5nCh+DS4SlbMYl6Cxgs+jKnsM0rX85fuiBmVnqlXWr61UDgp
>>
>> v7mwlAj1hyIYufgbawI0uEKBpcLfD0i2tP4utaNEPHiEcgVQCkM0BSCABgkBl9p2
>>
>> fube42Quw5nT1LD0O85t8mGgrK2RGDv2wQQVZzgm4HLP7NhudD6axFYfU8o8sfBB
>>
>> BpN9Twcm6h/JYHRKMFa/RNqJ38WkAC9BO8PTKJuVd2z8w5V4+ndNg6cRUE8by+tO
>>
>> hJf7y1PmSiQTuTl0SGkmLINTXGp06xIlcY9yAVo4esnn+8GFnvXLHUlqtQCwmY/E
>> YDkEnJ9Y7QcWfK5XKvaDlPkwlg==
>> -----END CERTIFICATE REQUEST-----
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_algor.c:479]::DEBUG::pki_algor.c:479::PKI_DIGEST_ALG_get_by_key()::Return
>> Value is 0xb75b80e0
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [hsm_main.c:408]::DEBUG::Using
>> HSM for Key Operations
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [hsm_main.c:416]::DEBUG::HSM
>> sign() callback called
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>>
>> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [io/pki_x509_pkcs7_io.c:282]::DEBUG::B64_DEBUG
>> ptype = 22PKCS#7 Message:
>> Message Type:
>> Signed
>> Message Data:
>> Size=1087 bytes
>> Encrypted=no
>> Signer Info:
>> [1 of 1] Signer Details:
>> Serial=4294967295
>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>> Encryption Algoritm=rsaEncryption
>> Digest Algorithm=sha256
>> Signed Attributes:
>> SCEP Message Type=19
>> contentType=pkcs7-data
>> signingTime=Feb 18 11:15:22 2011 GMT
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [pki_string.c:140]::DEBUG::Error,
>> can not convert string to utf8! [type 4]
>> Sender
>> Nonce=c0:b0:e5:2c:d6:fe:64:4d:b2:d2:b9:31:e7:2e:4c:c4
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [pki_string.c:140]::DEBUG::Error,
>> can not convert string to utf8! [type 4]
>> Recipient
>> Nonce=e5:89:4d:3f:95:2c:c9:58:e1:42:68:e3:30:08:b3:79
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [pki_string.c:140]::DEBUG::Error,
>> can not convert string to utf8! [type 4]
>> Message Digest:
>>
>> 5d:40:11:25:b3:c7:cd:43:37:6f:7f:c4:2d:56:aa:4c:0b:60:c2:11:
>> 86:b3:85:f0:d3:85:21:1b:df:32:2b:0b
>> Transaction
>>
>> Identifier=fb:09:84:3d:d9:4c:3e:34:d2:9f:ee:a1:e8:22:58:1f:20:89:ee:e0:ac:e9:38:a8:6e:46:0c:38:f6:47:b0:8f
>> Non Signed Attributes:
>> None.
>> Recipients Info:
>> No Recipients
>> Certificates:
>> [1 of 1] Certificate:
>> Serial=4294967295
>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>> Subject=CN=scepclient , O=EJBCA Sample, C=SE
>> Fingerprint [SHA256]:
>>
>> 2c:11:0a:7d:c3:3d:fc:bf:41:15:fd:65:54:73:ad:bd:c0:11:f0:2f:
>> 2b:41:a1:df:10:7c:44:0a:25:65:88:fe
>> Certificate Revocation Lists:
>> None.
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [net/pki_socket.c:123]::DEBUG::Creating a simple connection
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [net/sock.c:323]::DEBUG::Connection Successful to
>> *MailScanner warning:
>> numerical links are often malicious:* *MailScanner warning:
>>
>> numerical links are often malicious:* 127.0.0.1:8080
>> <http://127.0.0.1:8080/> <*MailScanner warning: numerical
>> links are often malicious:* http://127.0.0.1:8080
>>
>> <http://127.0.0.1:8080/>>
>>
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [net/http_s.c:227]::DEBUG::HTTP
>> DATA => size (356->1235)
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>> Let me know, Iam scratching my head since few days.
>> On Thu, Feb 17, 2011 at 4:39 PM, pradeep reddy
>> <pra...@gm...
>> <mailto:pra...@gm...>
>> <mailto:pra...@gm...
>> <mailto:pra...@gm...>>> wrote:
>>
>> Hi,
>> I coded scep client with libpki. I am using ejbca as ca
>> server
>> Does libpki scep client works with ejbca CA?
>> As when I send the scep request message, ejbca errors it
>> with below
>> print:
>> 10:44:46,179 INFO [ScepServlet] Received a SCEP message
>> from 127.0.0.1.
>> 10:44:46,187 ERROR [ScepServlet] Error processing SCEP
>> request.
>> java.lang.ClassCastException:
>> org.bouncycastle.asn1.DERSequence
>> cannot be cast to org.bouncycastle.asn1.ASN1TaggedObject
>> at
>> org.bouncycastle.asn1.cms.ContentInfo.<init>(Unknown Source)
>> at
>>
>> org.bouncycastle.asn1.cms.ContentInfo.getInstance(Unknown
>> Source)
>> at
>> org.bouncycastle.asn1.cms.SignedData.<init>(Unknown Source)
>> at
>> org.bouncycastle.asn1.cms.SignedData.getInstance(Unknown
>> Source)
>> at
>> org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
>> at
>> org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
>> Thanks.
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R)
>> Parallel Studio XE:
>> Pinpoint memory and threading errors before they happen.
>> Find and fix more than 250 security defects in the
>> development cycle.
>> Locate bottlenecks in serial and parallel code that limit
>> performance.
>> http://p.sf.net/sfu/intel-dev2devfeb
>>
>>
>>
>> _______________________________________________
>> Libpki-users mailing list
>> Lib...@li...
>> <mailto:Lib...@li...>
>>
>> https://lists.sourceforge.net/lists/listinfo/libpki-users
>>
>>
>>
>> --
>>
>> Best Regards,
>>
>> Massimiliano Pala
>>
>>
>> --o------------------------------------------------------------------------
>> Massimiliano Pala [OpenCA Project Manager] op...@ac...
>> <mailto:op...@ac...>
>> pro...@op... <mailto:pro...@op...>
>>
>>
>> Dartmouth Computer Science Dept Home Phone: +1
>> (603) 369-9332
>> PKI/Trust Laboratory Work Phone: +1
>> (603) 646-8734
>>
>> --o------------------------------------------------------------------------
>> People who think they know everything are a great annoyance to
>> those of us
>> who do.
>> --
>> Isaac Asimov
>>
>
>
|
|
From: Massimiliano P. <Mas...@Da...> - 2011-02-23 15:57:04
Attachments:
smime.p7s
|
Hi,
you should not use the _get_certs_num() as that will return the number
of signing certificates - that is when the PKCS#7 file has been signed.
Since the data in the response is the certificate and it is not encrypted,
you should just retrieve the bytes from the PKCS#7 and generate a new
cert. I should add the function to the SCEP API; for now, try this:
// Assuming you have your data in p7 variables (PKI_X509_PKCS7)
PKI_MEM *mem = NULL;
PKI_X509_CERT *cert = NULL;
int rv = 0;
// Pull the raw (unencrypted) content bytes out of the PKCS#7
if ((mem = PKI_X509_PKCS7_get_data( p7, NULL, NULL )) == NULL ) {
    // Memory error
    ...
}
// Parse those bytes as a certificate. Keep the parentheses around the
// assignment: without them == binds first and cert receives 0 or 1.
if ((cert = PKI_X509_get_mem( mem, PKI_DATATYPE_X509_CERT,
                              NULL, NULL )) == NULL ) {
    // An error occurred
    ...
}
// Now you can safely save the certificate
rv = PKI_X509_CERT_put( cert, PKI_DATA_FORMAT_PEM, "cert.pem",
                        NULL, NULL, NULL );
if ( rv == PKI_ERR ) {
    // Error while saving...
    ...
}
Let me know if this works. This might become the core of a new function:
PKI_X509 * obj = PKI_SCEP_DATA_get_x509_obj( PKI_X509_PKCS7 *p7,
PKI_DATATYPE type );
Cheers,
Max
On 02/23/2011 03:55 AM, pradeep reddy wrote:
>
>
> Hi Max,
> I used the first method, using PKI_X509_PKCS7 structures.
> And EJBCA is sending the success response. But the response message does not
> contain the created certificate.
> I am running the following code:
> URL_put_data_url ( url, scepmem, (char *) mime, &sceprespmem, 60, 0, ssl );
> p7_resp = PKI_X509_PKCS7_get_mem ( p7_resp_mem, NULL );
> PKI_X509_PKCS7_put ( p7_resp, PKI_DATA_FORMAT_PEM, "scep-resp.pem", NULL,
> cred, NULL );
> PKI_X509_PKCS7_put ( p7_resp, PKI_DATA_FORMAT_TXT, "scep-resp.txt", NULL,
> cred, NULL );
> int certnum = PKI_X509_PKCS7_get_certs_num( p7_resp );
> Here certnum returns -1. Below o/p, the certificates field is NULL, though
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] op...@ac...
pro...@op...
Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov
|
|
From: pradeep r. <pra...@gm...> - 2011-02-25 03:12:54
|
Hi Max,
This did not work. Data in the received response seems to be in ASN.1/DER format.
As the outer envelope is signed and the inner envelope, which should contain the
certificate, would be encrypted (as per the standard).
Do we need to run any decode/decrypt calls to extract the signed and
encrypted data?
Thanks,
Pradeep.
On Wed, Feb 23, 2011 at 9:28 PM, Massimiliano Pala <Mas...@da...> wrote:
> Hi,
>
> you should not use the _get_certs_num() as that will return the number
> of signing certificates - that is when the PKCS#7 file has been signed.
>
> Since the data in the response is the certificate and it is not encrypted,
> you should just retrieve the bytes from the PKCS#7 and generate a new
> cert. I should add the function to the SCEP API; for now, try this:
>
> // Assuming you have your data in p7 variables (PKI_X509_PKCS7)
>
> PKI_MEM *mem = NULL;
> PKI_X509_CERT *cert = NULL;
> int rv = 0;
>
> // Pull the raw (unencrypted) content bytes out of the PKCS#7
> if ((mem = PKI_X509_PKCS7_get_data( p7, NULL, NULL )) == NULL ) {
>     // Memory error
>     ...
> }
>
> // Parse those bytes as a certificate. Keep the parentheses around the
> // assignment: without them == binds first and cert receives 0 or 1.
> if ((cert = PKI_X509_get_mem( mem, PKI_DATATYPE_X509_CERT,
>                               NULL, NULL )) == NULL ) {
>     // An error occurred
>     ...
> }
>
> // Now you can safely save the certificate
> rv = PKI_X509_CERT_put( cert, PKI_DATA_FORMAT_PEM, "cert.pem",
>                         NULL, NULL, NULL );
>
> if ( rv == PKI_ERR ) {
>     // Error while saving...
>     ...
> }
>
> Let me know if this works. This might become the core of a new function:
>
> PKI_X509 * obj = PKI_SCEP_DATA_get_x509_obj( PKI_X509_PKCS7 *p7,
> PKI_DATATYPE type );
>
> Cheers,
> Max
>
>
>
> On 02/23/2011 03:55 AM, pradeep reddy wrote:
>
>>
>>
>> Hi Max,
>>
>> I used the first method, using PKI_X509_PKCS7 structures.
>> And EJBCA is sending the success response. But the response message does not
>> contain the created certificate.
>> I am running the following code:
>> URL_put_data_url ( url, scepmem, (char *) mime, &sceprespmem, 60, 0, ssl );
>> p7_resp = PKI_X509_PKCS7_get_mem ( p7_resp_mem, NULL );
>> PKI_X509_PKCS7_put ( p7_resp, PKI_DATA_FORMAT_PEM, "scep-resp.pem", NULL,
>> cred, NULL );
>> PKI_X509_PKCS7_put ( p7_resp, PKI_DATA_FORMAT_TXT, "scep-resp.txt", NULL,
>> cred, NULL );
>> int certnum = PKI_X509_PKCS7_get_certs_num( p7_resp );
>> Here certnum returns -1. Below o/p, the certificates field is NULL, though
>>
>
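Max's extraction steps and the signed-outer / encrypted-inner layering Pradeep describes, as an added example that is not libpki, EJBCA or the thread's code: a stdlib-only Python DER walker over a constructed CertRep skeleton (no real signature, ciphertext or certificate; the OIDs are the standard PKCS#7 content types). It reports the content-type layers, whether SignedData carries a certificates field at all (the case in which a certificate count comes back empty), and rejects a ContentInfo whose content is a bare SEQUENCE instead of [0] EXPLICIT, the shape behind the ClassCastException quoted earlier in the thread; the inner envelopedData is only identified, since reading it needs the recipient's private key.

```python
OIDS = {"data": "1.2.840.113549.1.7.1", "signedData": "1.2.840.113549.1.7.2", "envelopedData": "1.2.840.113549.1.7.3"}
def tlv(tag, body):  # DER TLV, short-form length (every constructed sample here is < 128 bytes)
    return bytes([tag, len(body)]) + body
def oid(dotted):  # dotted string -> DER OBJECT IDENTIFIER TLV (base-128 arcs)
    arcs = [int(x) for x in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        n = max(1, (a.bit_length() + 6) // 7)  # base-128 bytes needed for this arc
        out += [(0x80 if i else 0) | ((a >> (7 * i)) & 0x7F) for i in range(n - 1, -1, -1)]
    return tlv(0x06, bytes(out))
NAMES = {oid(v)[2:]: k for k, v in OIDS.items()}  # OID value bytes -> content type name
def read_tlv(buf, pos=0):
    """Return (tag, value, end) of the TLV at pos; handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def parse_content_info(buf):
    """ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }."""
    tag, body, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    _, ctype, p = read_tlv(body)
    ctag, content, _ = read_tlv(body, p)
    if ctag != 0xA0:  # the shape behind EJBCA's ClassCastException in ContentInfo.<init>
        raise ValueError("ContentInfo.content must be [0] EXPLICIT, got tag 0x%02x" % ctag)
    return NAMES.get(ctype, "unknown"), content
def scep_layers(buf):
    """Walk a CertRep: signedData -> encapsulated id-data -> envelopedData.
    Returns (layer names, whether SignedData carries a [0] certificates field)."""
    name, sd = parse_content_info(buf)
    _, body, _ = read_tlv(sd)                 # SignedData SEQUENCE
    _, _, p = read_tlv(body)                  # version
    _, _, p = read_tlv(body, p)               # digestAlgorithms
    _, _, q = read_tlv(body, p)               # encapContentInfo
    ename, octets = parse_content_info(body[p:q])
    has_certs = q < len(body) and body[q] == 0xA0  # absent: nothing for _get_certs_num() to count
    _, inner, _ = read_tlv(octets)            # OCTET STRING holding the inner ContentInfo
    iname, _ = parse_content_info(inner)      # envelopedData: readable only with the recipient key
    return [name, ename, iname], has_certs
def content_info(name, inner):
    return tlv(0x30, oid(OIDS[name]) + tlv(0xA0, inner))
def sample_certrep(with_certs=False):
    """Constructed CertRep skeleton: no real signature, ciphertext or certificate."""
    enveloped = content_info("envelopedData", tlv(0x30, tlv(0x02, b"\x00")))
    encap = content_info("data", tlv(0x04, enveloped))
    certs = tlv(0xA0, tlv(0x30, b"")) if with_certs else b""  # [0] IMPLICIT certificates
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + encap + certs + tlv(0x31, b""))
    return content_info("signedData", signed)
```

Running `scep_layers` on a real CertRep saved by `PKI_X509_PKCS7_put` in DER shows the same three layers; the certificate itself sits inside the envelopedData and only appears after decryption with the requester's key.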
|