From: pradeep r. <pra...@gm...> - 2011-02-21 12:37:31
Hi Max,
Thank you for the pointers:
I am not aware of EJBCA internals. But EJBCA is tested with other libs that use
OpenSSL, so I guess libpki will also work.
1. I have the following piece of code:
pkey = PKI_X509_KEYPAIR_new( PKI_SCHEME_RSA, 2048, NULL, NULL, NULL );
digest = PKI_DIGEST_ALG_get_by_key( pkey );
PKI_X509_CERT *signer = PKI_X509_CERT_new ( cacert, pkey, pkcs10req, NULL,
serialbuf, PKI_VALIDITY_ONE_MONTH, NULL, NULL, NULL, NULL );
PKI_X509_SCEP_MSG_add_signer ( scep_msg, signer, pkey, digest);
In pki_digest.h, I set the default: #define PKI_DIGEST_DEFAULT_ALG PKI_DIGEST_ALG_SHA1
But in the signer info the digest algorithm is still sha256.
Signer Info:
[1 of 1] Signer Details:
Serial=4294967295
Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
Encryption Algoritm=rsaEncryption
Digest Algorithm=sha256
2. I have the following code:
scep_data = PKI_X509_SCEP_DATA_new();
scep_msg = PKI_X509_SCEP_MSG_new(PKI_X509_PKCS7_TYPE_ENCRYPTED);
When creating scep_msg, though I pass PKI_X509_PKCS7_TYPE_ENCRYPTED,
internally PKI_X509_SCEP_MSG_new calls PKI_X509_PKCS7_new(PKI_X509_PKCS7_TYPE_SIGNED).
So the recipient (CA) details are still not printed, and the dump shows
"PKCS#7 Message: Message Type: Signed".
I have used the libpki default code and did not make any changes to the libpki
code.
And I have the following piece of code to send to ejbca:
PKI_MEM *p7mem = PKI_X509_PKCS7_get_raw_data( scep_msg );
char* urlStr = "http://192.168.0.1:8080/ejbca";
URL_put_data ( urlStr, p7mem, "scep client", NULL, 0, 20000, NULL );
Let me know, where I may be going wrong.
On Fri, Feb 18, 2011 at 10:27 PM, Massimiliano Pala <Mas...@da...> wrote:
> Hi,
>
> I actually never tried the SCEP code with ejbca :( Do you know the internals of
> EJBCA ? It seems like an error in the message encoding.. but the error message is
> not very useful... Some thoughts:
> - Maybe you should use SHA1 instead of SHA256 ?
> - Shouldn't the request be encrypted with the CA certificate (Message Type:
> encryptedContentData -- PKI_X509_PKCS7_TYPE_ENCRYPTED ?)
>
> Cheers,
> Max
>
>
>
> On 02/18/2011 06:24 AM, pradeep reddy wrote:
>
>> Hi,
>> I am still stuck at this error.
>> Please confirm whether libpki scep client works with ejbca CA.
>> More information. Here I am printing the pkcs7 structure:
>> Here, BEGIN CERTIFICATE REQUEST is the PKCS#10 structure.
>> And when printing the pkcs7, it says the recipient info is missing,
>> but I have added the CA certificate into scep_data.
>>
>> --------------------------------------------------------------------
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [hsm_keypair.c:49]::DEBUG::Getting Default HSM (0xb77863e0/0xb77863e0)
>> generated a new Keypair!
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:408]::DEBUG::Using
>> HSM for Key Operations
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:416]::DEBUG::HSM
>> sign() callback called
>> -----BEGIN CERTIFICATE REQUEST-----
>> -----END CERTIFICATE REQUEST-----
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_algor.c:479]::DEBUG::pki_algor.c:479::PKI_DIGEST_ALG_get_by_key()::Return Value is 0xb75b80e0
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:408]::DEBUG::Using
>> HSM for Key Operations
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:416]::DEBUG::HSM
>> sign() callback called
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [io/pki_x509_pkcs7_io.c:282]::DEBUG::B64_DEBUG ptype = 22
>> PKCS#7 Message:
>> Message Type: Signed
>> Message Data:
>> Size=1087 bytes
>> Encrypted=no
>> Signer Info:
>> [1 of 1] Signer Details:
>> Serial=4294967295
>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>> Encryption Algoritm=rsaEncryption
>> Digest Algorithm=sha256
>> Signed Attributes:
>> SCEP Message Type=19
>> contentType=pkcs7-data
>> signingTime=Feb 18 11:15:22 2011 GMT
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error,
>> can not convert string to utf8! [type 4]
>> Sender Nonce=c0:b0:e5:2c:d6:fe:64:4d:b2:d2:b9:31:e7:2e:4c:c4
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error,
>> can not convert string to utf8! [type 4]
>> Recipient
>> Nonce=e5:89:4d:3f:95:2c:c9:58:e1:42:68:e3:30:08:b3:79
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error,
>> can not convert string to utf8! [type 4]
>> Message Digest: 5d:40:11:25:b3:c7:cd:43:37:6f:7f:c4:2d:56:aa:4c:0b:60:c2:11:86:b3:85:f0:d3:85:21:1b:df:32:2b:0b
>> Transaction Identifier=fb:09:84:3d:d9:4c:3e:34:d2:9f:ee:a1:e8:22:58:1f:20:89:ee:e0:ac:e9:38:a8:6e:46:0c:38:f6:47:b0:8f
>> Non Signed Attributes:
>> None.
>> Recipients Info:
>> No Recipients
>> Certificates:
>> [1 of 1] Certificate:
>> Serial=4294967295
>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>> Subject=CN=scepclient , O=EJBCA Sample, C=SE
>> Fingerprint [SHA256]: 2c:11:0a:7d:c3:3d:fc:bf:41:15:fd:65:54:73:ad:bd:c0:11:f0:2f:2b:41:a1:df:10:7c:44:0a:25:65:88:fe
>> Certificate Revocation Lists:
>> None.
>> Feb 18 11:15:22 2011 GMT [10771] INFO:
>> [net/pki_socket.c:123]::DEBUG::Creating a simple connection
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [net/sock.c:323]::DEBUG::Connection Successful to 127.0.0.1:8080
>>
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [net/http_s.c:227]::DEBUG::HTTP
>> DATA => size (356->1235)
>>
>> --------------------------------------------------------------------
>> Let me know, I have been scratching my head for a few days.
>> On Thu, Feb 17, 2011 at 4:39 PM, pradeep reddy <pra...@gm...> wrote:
>>
>> Hi,
>> I coded a SCEP client with libpki. I am using ejbca as the CA server.
>> Does the libpki SCEP client work with the ejbca CA?
>> When I send the SCEP request message, ejbca errors it with the print
>> below:
>> 10:44:46,179 INFO [ScepServlet] Received a SCEP message from 127.0.0.1.
>> 10:44:46,187 ERROR [ScepServlet] Error processing SCEP request.
>> java.lang.ClassCastException: org.bouncycastle.asn1.DERSequence cannot be cast to org.bouncycastle.asn1.ASN1TaggedObject
>>     at org.bouncycastle.asn1.cms.ContentInfo.<init>(Unknown Source)
>>     at org.bouncycastle.asn1.cms.ContentInfo.getInstance(Unknown Source)
>>     at org.bouncycastle.asn1.cms.SignedData.<init>(Unknown Source)
>>     at org.bouncycastle.asn1.cms.SignedData.getInstance(Unknown Source)
>>     at org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
>>     at org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
>> Thanks.
>>
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>> Pinpoint memory and threading errors before they happen.
>> Find and fix more than 250 security defects in the development cycle.
>> Locate bottlenecks in serial and parallel code that limit performance.
>> http://p.sf.net/sfu/intel-dev2devfeb
>>
>>
>>
>> _______________________________________________
>> Libpki-users mailing list
>> Lib...@li...
>> https://lists.sourceforge.net/lists/listinfo/libpki-users
>>
>
>
> --
>
> Best Regards,
>
> Massimiliano Pala
>
> --o------------------------------------------------------------------------
> Massimiliano Pala [OpenCA Project Manager]
> op...@ac...
> pro...@op...
>
> Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
> PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
> --o------------------------------------------------------------------------
> People who think they know everything are a great annoyance to those of us
> who do.
> -- Isaac Asimov
>
>
>
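Added example, not code from this thread, libpki or EJBCA: the stack trace quoted above fails inside BouncyCastle's ContentInfo constructor while casting the second SEQUENCE element to ASN1TaggedObject, and in PKCS#7/CMS (RFC 5652) ContentInfo is SEQUENCE { contentType OID, content [0] EXPLICIT ANY OPTIONAL }, so a message whose content field is a bare SEQUENCE would produce exactly that cast failure. This stdlib-only Python checker walks the outer DER of a PKCS#7 message and reports which case it is in. That libpki's output actually has this shape is an assumption the thread does not confirm, and the sample ContentInfo bytes below are constructed placeholders.

```python
# Minimal DER walker that checks whether a PKCS#7/CMS ContentInfo carries its
# content inside the [0] EXPLICIT tag required by RFC 5652 (stdlib only).

def der_tlv(buf, off=0):
    """Return (tag, value, next_offset) for the DER TLV starting at buf[off]."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                     # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def der_encode(tag, value):
    """Encode one DER TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def check_content_info(der):
    """Diagnose the shape of a ContentInfo: SEQUENCE { OID, [0] EXPLICIT content }."""
    tag, body, _ = der_tlv(der)
    if tag != 0x30:
        return "outer element is not a SEQUENCE"
    t, _oid, nxt = der_tlv(body)
    if t != 0x06:
        return "first element is not an OBJECT IDENTIFIER"
    if nxt >= len(body):
        return "content absent"           # legal: the field is OPTIONAL
    t2, _, _ = der_tlv(body, nxt)
    if t2 == 0xA0:                        # context-specific, constructed, tag 0
        return "ok: content is [0] EXPLICIT"
    if t2 == 0x30:                        # the case the BouncyCastle cast rejects
        return "content is a bare SEQUENCE, missing the [0] EXPLICIT tag"
    return "content has unexpected tag 0x%02X" % t2

# Constructed samples. The OID is id-signedData (1.2.840.113549.1.7.2); the
# "SignedData" body is a placeholder SEQUENCE { INTEGER 1 }, not a real signature.
OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")
PLACEHOLDER_BODY = der_encode(0x30, der_encode(0x02, b"\x01"))
GOOD = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, PLACEHOLDER_BODY))
BAD = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + PLACEHOLDER_BODY)

if __name__ == "__main__":
    print("GOOD:", check_content_info(GOOD))
    print("BAD: ", check_content_info(BAD))
```

To inspect a real message, base64-decode the SCEP POST body and pass the resulting bytes to check_content_info.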