From: pradeep r. <pra...@gm...> - 2011-02-21 14:03:36
Hi Max,

At last EJBCA is accepting the message. I have used:

    PKI_X509_PKCS7_put( scep_msg, PKI_DATA_FORMAT_ASN1, urlStr, NULL, cred, NULL );

It is failing the message with "POPO verification failed". I am debugging the error.

BTW, can you let me know how to make the digest use SHA1 instead of SHA256?

On Mon, Feb 21, 2011 at 6:07 PM, pradeep reddy <pra...@gm...> wrote:
> Hi Max,
>
> Thank you for the pointers.
>
> I am not aware of EJBCA internals. But EJBCA is tested with other
> OpenSSL-based libs, so I guess libpki will also work.
>
> 1. I have the following piece of code:
>
>     pkey = PKI_X509_KEYPAIR_new( PKI_SCHEME_RSA, 2048, NULL, NULL, NULL );
>     digest = PKI_DIGEST_ALG_get_by_key( pkey );
>     PKI_X509_CERT *signer = PKI_X509_CERT_new ( cacert, pkey, pkcs10req, NULL,
>             serialbuf, PKI_VALIDITY_ONE_MONTH, NULL, NULL, NULL, NULL );
>     PKI_X509_SCEP_MSG_add_signer ( scep_msg, signer, pkey, digest );
>
> In pki_digest.h I set the default:
>
>     #define PKI_DIGEST_DEFAULT_ALG PKI_DIGEST_ALG_SHA1
>
> But in the signer info the digest algorithm is still sha256:
>
>     Signer Info:
>     [1 of 1] Signer Details:
>     Serial=4294967295
>     Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>     Encryption Algoritm=rsaEncryption
>     Digest Algorithm=sha256
>
> 2. I have the following code:
>
>     scep_data = PKI_X509_SCEP_DATA_new();
>     scep_msg = PKI_X509_SCEP_MSG_new( PKI_X509_PKCS7_TYPE_ENCRYPTED );
>
> In creating scep_msg, though I pass PKI_X509_PKCS7_TYPE_ENCRYPTED, internally
> scep_msg calls PKI_X509_PKCS7_new ( PKI_X509_PKCS7_TYPE_SIGNED ). But still the
> recipient (CA) details are not printed, and the PKCS#7 message says
> "Message Type: Signed".
>
> I have used the libpki default code. I did not make any changes to the libpki
> code.
>
> And I have the following piece of code to send to EJBCA:
>
>     PKI_MEM *p7mem = PKI_X509_PKCS7_get_raw_data( scep_msg );
>     char* urlStr = "http://192.168.0.1:8080/ejbca";
>     URL_put_data ( urlStr, p7mem, "scep client", NULL, 0, 20000, NULL );
>
> Let me know where I may be going wrong.
>
> On Fri, Feb 18, 2011 at 10:27 PM, Massimiliano Pala <Mas...@da...> wrote:
>
>> Hi,
>>
>> I actually never tried the SCEP code with ejbca :( Do you know the internals of
>> EJBCA ? It seems like an error in the message encoding.. but the error message is
>> not very useful... Some thoughts:
>> - Maybe you should use SHA1 instead of SHA256 ?
>> - Shouldn't the request be encrypted with the CA certificate (Message Type:
>>   encryptedContentData -- PKI_X509_PKCS7_TYPE_ENCRYPTED ?)
>>
>> Cheers,
>> Max
>>
>>
>> On 02/18/2011 06:24 AM, pradeep reddy wrote:
>>
>>> Hi,
>>> I am still stuck at this error.
>>> Please confirm whether the libpki SCEP client works with EJBCA CA.
>>> More information. Here I am printing the pkcs7 structure.
>>> Here, BEGIN CERTIFICATE REQUEST is the PKCS#10 structure.
>>> And when printing the pkcs7, it is saying the recipient info is missing,
>>> but I have added the CA certificate into scep_data.
>>>
>>> --------------------------------------------------------------------------------
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_keypair.c:49]::DEBUG::Getting Default HSM (0xb77863e0/0xb77863e0)
>>> generated a new Keypair!
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:408]::DEBUG::Using HSM for Key Operations
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:416]::DEBUG::HSM sign() callback called
>>> -----BEGIN CERTIFICATE REQUEST-----
>>> MIICfzCCAWcCAQIwOjEUMBIGA1UEAxMLc2NlcGNsaWVudCAxFTATBgNVBAoTDEVK
>>> QkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
>>> ggEKAoIBAQCpFdqYl5lQErTbWlQRfzuB7FzKqFNK06t1Hdvp4MppudCBZJAX3tqz
>>> gpITfLpBp+b2l8tJwasgj+yEPo9NWE5KB70IOKP6csG1JU4Y1CE0mWzwQfxFGYLZ
>>> MeiYfXv6nshethMQigAxLXBQ6uhAWmHbNsG9Na7z2KpawghESfcXJ44ALBe0eNek
>>> fp5Z+XSjf6FNdIM75d2Qq2OhmX3XWRQ3u4zc6yCIEaoJqB5dX5YEAHuILszekG/Y
>>> ej9uGxi/yc8m8SLZ+kBJXSeCjE0PzVbSVHZCosuI/oJfgbokI1WoMF2gkx+9dSCo
>>> H5ZXTh9Us+QWVjxMBHRIr4/bqAefCdN9AgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
>>> AQEACpu/yavA35kr5nCh+DS4SlbMYl6Cxgs+jKnsM0rX85fuiBmVnqlXWr61UDgp
>>> v7mwlAj1hyIYufgbawI0uEKBpcLfD0i2tP4utaNEPHiEcgVQCkM0BSCABgkBl9p2
>>> fube42Quw5nT1LD0O85t8mGgrK2RGDv2wQQVZzgm4HLP7NhudD6axFYfU8o8sfBB
>>> BpN9Twcm6h/JYHRKMFa/RNqJ38WkAC9BO8PTKJuVd2z8w5V4+ndNg6cRUE8by+tO
>>> hJf7y1PmSiQTuTl0SGkmLINTXGp06xIlcY9yAVo4esnn+8GFnvXLHUlqtQCwmY/E
>>> YDkEnJ9Y7QcWfK5XKvaDlPkwlg==
>>> -----END CERTIFICATE REQUEST-----
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_algor.c:479]::DEBUG::pki_algor.c:479::PKI_DIGEST_ALG_get_by_key()::Return Value is 0xb75b80e0
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:408]::DEBUG::Using HSM for Key Operations
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:416]::DEBUG::HSM sign() callback called
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [io/pki_x509_pkcs7_io.c:282]::DEBUG::B64_DEBUG ptype = 22
>>> PKCS#7 Message:
>>> Message Type:
>>> Signed
>>> Message Data:
>>> Size=1087 bytes
>>> Encrypted=no
>>> Signer Info:
>>> [1 of 1] Signer Details:
>>> Serial=4294967295
>>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>>> Encryption Algoritm=rsaEncryption
>>> Digest Algorithm=sha256
>>> Signed Attributes:
>>> SCEP Message Type=19
>>> contentType=pkcs7-data
>>> signingTime=Feb 18 11:15:22 2011 GMT
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, can not convert string to utf8! [type 4]
>>> Sender Nonce=c0:b0:e5:2c:d6:fe:64:4d:b2:d2:b9:31:e7:2e:4c:c4
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, can not convert string to utf8! [type 4]
>>> Recipient Nonce=e5:89:4d:3f:95:2c:c9:58:e1:42:68:e3:30:08:b3:79
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, can not convert string to utf8! [type 4]
>>> Message Digest:
>>> 5d:40:11:25:b3:c7:cd:43:37:6f:7f:c4:2d:56:aa:4c:0b:60:c2:11:
>>> 86:b3:85:f0:d3:85:21:1b:df:32:2b:0b
>>> Transaction Identifier=fb:09:84:3d:d9:4c:3e:34:d2:9f:ee:a1:e8:22:58:1f:20:89:ee:e0:ac:e9:38:a8:6e:46:0c:38:f6:47:b0:8f
>>> Non Signed Attributes:
>>> None.
>>> Recipients Info:
>>> No Recipients
>>> Certificates:
>>> [1 of 1] Certificate:
>>> Serial=4294967295
>>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>>> Subject=CN=scepclient , O=EJBCA Sample, C=SE
>>> Fingerprint [SHA256]:
>>> 2c:11:0a:7d:c3:3d:fc:bf:41:15:fd:65:54:73:ad:bd:c0:11:f0:2f:
>>> 2b:41:a1:df:10:7c:44:0a:25:65:88:fe
>>> Certificate Revocation Lists:
>>> None.
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [net/pki_socket.c:123]::DEBUG::Creating a simple connection
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [net/sock.c:323]::DEBUG::Connection Successful to 127.0.0.1:8080
>>> Feb 18 11:15:22 2011 GMT [10771] INFO: [net/http_s.c:227]::DEBUG::HTTP DATA => size (356->1235)
>>> --------------------------------------------------------------------------------
>>>
>>> Let me know, I have been scratching my head for a few days.
>>>
>>> On Thu, Feb 17, 2011 at 4:39 PM, pradeep reddy <pra...@gm...> wrote:
>>>
>>>     Hi,
>>>     I coded a SCEP client with libpki. I am using EJBCA as the CA server.
>>>     Does the libpki SCEP client work with EJBCA CA?
>>>     When I send the SCEP request message, EJBCA errors it with the print below:
>>>
>>>     10:44:46,179 INFO  [ScepServlet] Received a SCEP message from 127.0.0.1.
>>>     10:44:46,187 ERROR [ScepServlet] Error processing SCEP request.
>>>     java.lang.ClassCastException: org.bouncycastle.asn1.DERSequence cannot be cast to org.bouncycastle.asn1.ASN1TaggedObject
>>>         at org.bouncycastle.asn1.cms.ContentInfo.<init>(Unknown Source)
>>>         at org.bouncycastle.asn1.cms.ContentInfo.getInstance(Unknown Source)
>>>         at org.bouncycastle.asn1.cms.SignedData.<init>(Unknown Source)
>>>         at org.bouncycastle.asn1.cms.SignedData.getInstance(Unknown Source)
>>>         at org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
>>>         at org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
>>>
>>>     Thanks.
>>>
>>> ------------------------------------------------------------------------------
>>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>>> Pinpoint memory and threading errors before they happen.
>>> Find and fix more than 250 security defects in the development cycle.
>>> Locate bottlenecks in serial and parallel code that limit performance.
>>> http://p.sf.net/sfu/intel-dev2devfeb
>>>
>>> _______________________________________________
>>> Libpki-users mailing list
>>> Lib...@li...
>>> https://lists.sourceforge.net/lists/listinfo/libpki-users
>>
>>
>> --
>>
>> Best Regards,
>>
>> Massimiliano Pala
>>
>> --o------------------------------------------------------------------------
>> Massimiliano Pala [OpenCA Project Manager]
>> op...@ac...
>> pro...@op...
>>
>> Dartmouth Computer Science Dept          Home Phone: +1 (603) 369-9332
>> PKI/Trust Laboratory                     Work Phone: +1 (603) 646-8734
>> --o------------------------------------------------------------------------
>> People who think they know everything are a great annoyance to those of us
>> who do.
>>                                                      -- Isaac Asimov
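Max's read of the first failure is that the message encoding is wrong, and the EJBCA stack trace narrows it down: the ClassCastException is raised in ContentInfo.<init> called from SignedData.<init>, so it is the encapsulated ContentInfo inside SignedData, not the outer message, whose second element BouncyCastle casts to ASN1TaggedObject and finds a plain SEQUENCE instead of the [0] EXPLICIT wrapper. The check below is an added example, not code from the thread, libpki or EJBCA: a stdlib-only DER walker that verifies the ContentInfo shape (SEQUENCE { OBJECT IDENTIFIER, [0] EXPLICIT ... }) on the outer message and again on SignedData's encapContentInfo, so a client can catch this before the CA does. The sample messages are constructed here; the SignedData body is a stand-in (version, empty digestAlgorithms, encapContentInfo, no certificates or signerInfos), not a real signed SCEP request.

```python
"""Shape check for PKCS#7/CMS ContentInfo before sending a SCEP message.

Added example, not from the libpki or EJBCA code bases.  Only the outer
framing is checked; no signature or encryption is verified.
"""

OID_NAMES = {
    "1.2.840.113549.1.7.1": "data",
    "1.2.840.113549.1.7.2": "signedData",
    "1.2.840.113549.1.7.3": "envelopedData",
}
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("unexpected end of data")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length (not DER)")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of data")
    return tag, buf[pos:end], end


def decode_oid(value):
    """Render OBJECT IDENTIFIER content bytes as dotted decimal."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def check_content_info(der):
    """Return (contentType OID, tag of the value inside [0]) or raise ValueError."""
    tag, body, end = read_tlv(der)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE, got tag 0x%02x" % tag)
    if end != len(der):
        raise ValueError("trailing bytes after ContentInfo")
    tag, oid_bytes, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("contentType must be an OBJECT IDENTIFIER, got tag 0x%02x" % tag)
    oid = decode_oid(oid_bytes)
    if pos == len(body):
        return oid, None  # content absent: legal ASN.1, useless for SCEP
    tag, content, pos = read_tlv(body, pos)
    if tag != 0xA0:  # this is the element BouncyCastle casts to ASN1TaggedObject
        raise ValueError("content must be [0] EXPLICIT (tag 0xa0), got tag 0x%02x" % tag)
    if pos != len(body):
        raise ValueError("unexpected extra element inside ContentInfo")
    inner_tag, _, inner_end = read_tlv(content)
    if inner_end != len(content):
        raise ValueError("[0] wrapper must hold exactly one value")
    return oid, inner_tag


def check_signed_data(der):
    """Check the outer ContentInfo, then the encapContentInfo inside SignedData.

    Returns (outer OID, encapsulated OID, tag inside the encapsulated [0]).
    """
    outer_oid, _ = check_content_info(der)
    if outer_oid != "1.2.840.113549.1.7.2":
        raise ValueError("outer contentType is %s, not signedData" % outer_oid)
    _, body, _ = read_tlv(der)
    _, _, pos = read_tlv(body)            # skip contentType
    _, wrapper, _ = read_tlv(body, pos)   # [0] EXPLICIT
    _, sd, _ = read_tlv(wrapper)          # SignedData SEQUENCE
    tag, _, pos = read_tlv(sd)            # version INTEGER
    if tag != 0x02:
        raise ValueError("SignedData.version must be INTEGER, got tag 0x%02x" % tag)
    tag, _, pos = read_tlv(sd, pos)       # digestAlgorithms SET
    if tag != 0x31:
        raise ValueError("SignedData.digestAlgorithms must be SET, got tag 0x%02x" % tag)
    _, _, end = read_tlv(sd, pos)         # encapContentInfo
    try:
        inner_oid, inner_tag = check_content_info(sd[pos:end])
    except ValueError as exc:
        raise ValueError("encapContentInfo: %s" % exc)
    return outer_oid, inner_oid, inner_tag


def describe(der):
    """One-line verdict for a signed SCEP message encoding."""
    try:
        outer, inner, inner_tag = check_signed_data(der)
    except ValueError as exc:
        return "malformed: %s" % exc
    if inner_tag is None:
        return "ok: %s wrapping %s with no content" % (OID_NAMES.get(outer, outer), OID_NAMES.get(inner, inner))
    return "ok: %s wrapping %s (tag 0x%02x inside [0])" % (
        OID_NAMES.get(outer, outer), OID_NAMES.get(inner, inner), inner_tag)


def tlv(tag, body):
    """Encode a DER TLV (used only to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def signed_message(encap):
    """Constructed stand-in SignedData around a given encapContentInfo."""
    sd = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + encap)
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, sd))


# Constructed samples: pkcs7-data carrying an OCTET STRING, with and without [0].
GOOD_ENCAP = tlv(0x30, tlv(0x06, OID_DATA) + tlv(0xA0, tlv(0x04, b"payload")))
BAD_ENCAP = tlv(0x30, tlv(0x06, OID_DATA) + tlv(0x04, b"payload"))  # [0] wrapper missing
GOOD_MESSAGE = signed_message(GOOD_ENCAP)
BAD_MESSAGE = signed_message(BAD_ENCAP)

if __name__ == "__main__":
    print(describe(GOOD_MESSAGE))  # ok: signedData wrapping data (tag 0x04 inside [0])
    print(describe(BAD_MESSAGE))   # malformed: encapContentInfo: content must be [0] EXPLICIT ...
```

Run `describe()` over the bytes returned by `PKI_X509_PKCS7_get_raw_data()` (written to a file) before the HTTP POST: the outer ContentInfo in the thread's dump parses, and this check reproduces exactly where BouncyCastle stops, at the element after the encapsulated contentType OID. It says nothing about the later "POPO verification failed", which is a proof-of-possession check on the PKCS#10 signature and its key, not a framing problem.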