Menu
▾
▴
Re: [Libpki-users] ejbca does not recognize
|
From: Massimiliano P. <Massimiliano.Pala@Dartmouth.edu> - 2011-02-21 16:15:24
|
Hi,
you should try to use different functions that ease encoding of the message.
I think you are missing the final step - the encoding part. To make things
easier, you should use the following function:
// Generates and encodes a new PKI Cert Request (SCEP)
PKI_X509_SCEP_MSG * PKI_X509_SCEP_MSG_new_certreq ( PKI_X509_KEYPAIR *key,
PKI_X509_REQ *req, PKI_X509_CERT *signer,
PKI_X509_CERT_STACK *recipients );
Alternatively, you can do things on your own. First you generate the scep
"DATA" - which is the core of the SCEP message:
...
// Allocates the memory
scep_data = PKI_X509_SCEP_DATA_new();
// Add a Recipient
PKI_X509_SCEP_DATA_add_recipient( scep_data, cacert );
// Now put the data (PKCS#10 request or any other PKI_X509 object - it
// could be a certificate, a crl, etc.. it depends on the type of message)
PKI_X509_SCEP_DATA_set_x509_obj( scep_data, req );
Supposing you have the scep_data, now you have to encode the message.
Here's an example:
// Alloc the memory
msg = PKI_X509_SCEP_MSG_new(PKI_X509_SCEP_MSG_PKCSREQ);
// Adds the signer (outer PKCS#7 envelope)
PKI_X509_SCEP_MSG_add_signer(msg, signerCert,
signerKey, PKI_DIGEST_ALG_SHA1);
// Sets the NONCE
PKI_X509_SCEP_MSG_set_sender_nonce( msg, NULL );
// Sets the message type (in this case a PKCSREQ)
PKI_X509_SCEP_MSG_set_type(msg, PKI_X509_SCEP_MSG_PKCSREQ );
// Final Step - encoding of the data
PKI_X509_SCEP_MSG_encode(msg, scep_data);
Another possibility - but the API requires more work - is to generate a
"generic" PKI request message and encode it in the SCEP format. Here's
an example:
// Generates a generic PKI Request Message
PKI_MSG_REQ *msg = NULL;
msg = PKI_MSG_REQ_new ( PKI_MSG_REQ_ACTION_CERTREQ,
subject, NULL, tk->keypair, NULL, cacert );
// Sets some properties of the request
PKI_MSG_REQ_set_loa ( msg, "2");
PKI_MSG_REQ_set_template ( msg, "CA Operator");
// Sets the Encoding protocol
PKI_MSG_REQ_set_proto( msg, PKI_MSG_PROTO_SCEP );
// Now you can save the message
PKI_MSG_REQ_put ( msg, PKI_DATA_FORMAT_PEM, "scep.pem",
NULL, NULL, NULL, 0 );
// Or simply send it to the recipient (the CA)
if(( r = PKI_MSG_REQ_send ( msg, tk, url_s )) == NULL ) {
// ERROR!
return 1;
}
// Save the Response
PKI_MSG_RESP_put ( r, PKI_DATA_FORMAT_PEM, "out/scep.pem",
NULL, NULL, NULL );
In the future versions I will probably add the possibility to pick the
Digest algor in the PKI_X509_SCEP_MSG_new_certreq() directly :) But the
new SCEP draft should allow you to use SHA2 algorithms as well... :D
Let me know,
Cheers,
Max
On 02/21/2011 09:03 AM, pradeep reddy wrote:
> Hi Max,
> At last ejbca accepting the message.
> I have used, PKI_X509_PKCS7_put( scep_msg, PKI_DATA_FORMAT_ASN1, urlStr,
> NULL, cred, NULL);
> It is failing the message with, POPO verification failed.
> I debugging the error.
> BTW, can you let me know, how to make digest use the sha1. instead of
> sha256.
>
> On Mon, Feb 21, 2011 at 6:07 PM, pradeep reddy
> <pra...@gm... <mailto:pra...@gm...>> wrote:
>
> Hi Max,
> Thanks you for the pointers:
> I am not aware of ejbca internals. But EJBCA is tested with other
> openssl used libs, I guess libpki will also work.
> 1. I have following piece of code:
> pkey = PKI_X509_KEYPAIR_new( PKI_SCHEME_RSA, 2048, NULL, NULL, NULL );
> digest = PKI_DIGEST_ALG_get_by_key( pkey );
> PKI_X509_CERT *signer = PKI_X509_CERT_new ( cacert, pkey, pkcs10req,
> NULL, serialbuf, PKI_VALIDITY_ONE_MONTH, NULL, NULL, NULL, NULL );
> PKI_X509_SCEP_MSG_add_signer ( scep_msg, signer, pkey, digest);
> I set in pki_digest.h, I set the default, #define
> PKI_DIGEST_DEFAULT_ALG PKI_DIGEST_ALG_SHA1
> But in signer info digest algorithm is still sha256.
> Signer Info:
> [1 of 1] Signer Details:
> Serial=4294967295
> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
> Encryption Algoritm=rsaEncryption
> Digest Algorithm=sha256
> 2. I have the following code:
> scep_data = PKI_X509_SCEP_DATA_new();
> scep_msg = PKI_X509_SCEP_MSG_new(PKI_X509_PKCS7_TYPE_ENCRYPTED))
> In creating scep_msg, though I pass PKI_X509_PKCS7_TYPE_ENCRYPTED,
> internally scep_msg calls
> with PKI_X509_PKCS7_new (PKI_X509_PKCS7_TYPE_SIGNED)
> But still receipient(CA) details are not printing and PKCS#7
> Message:Message Type: Signed
> I have used the libpki default code. Did not make any changes to
> libpki code.
> And I have folowing piece of code to send to ejbca:
> PKI_MEM *p7mem = PKI_X509_PKCS7_get_raw_data( scep_msg );
> char* urlStr = "*MailScanner warning: numerical links are often
> malicious:* http://192.168.0.1:8080/ejbca";
> <http://192.168.0.1:8080/ejbca%22;>
> URL_put_data ( urlStr, p7mem, "scep client", NULL, 0, 20000, NULL );
> Let me know, where I may be going wrong.
>
> On Fri, Feb 18, 2011 at 10:27 PM, Massimiliano Pala
> <Mas...@da...
> <mailto:Mas...@da...>> wrote:
>
> Hi,
>
> I actually never tried the SCEP code with ejbca :( Do you know
> the internals of
> EJBCA ? It seems like an error in the message encoding.. but the
> error message is
> not very useful... Some thoughts:
> - Maybe you should use SHA1 instead of SHA256 ?
> - Shouldn't the request be encrypted with the CA certificate
> (Message Type:
> encryptedContentData -- PKI_X509_PKCS7_TYPE_ENCRYPTED ?)
>
> Cheers,
> Max
>
>
>
> On 02/18/2011 06:24 AM, pradeep reddy wrote:
>
> Hi,
> I am still stuck at this error.
> Please confirm whether libpki scep client works with ejbca CA.
> More information. Here Iam printing the pkcs7 structure:
> Here, BEGIN CERTIFICATE REQUEST is PKCS 10 structure.
> And When printing the pkcs7, it is saying receipient info is
> missing,
> but I have added ca certificate in to scep_data.
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [hsm_keypair.c:49]::DEBUG::Getting Default HSM
> (0xb77863e0/0xb77863e0)
> generated a new Keypair!
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [hsm_main.c:408]::DEBUG::Using
> HSM for Key Operations
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [hsm_main.c:416]::DEBUG::HSM
> sign() callback called
> -----BEGIN CERTIFICATE REQUEST-----
> MIICfzCCAWcCAQIwOjEUMBIGA1UEAxMLc2NlcGNsaWVudCAxFTATBgNVBAoTDEVK
> QkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
> ggEKAoIBAQCpFdqYl5lQErTbWlQRfzuB7FzKqFNK06t1Hdvp4MppudCBZJAX3tqz
> gpITfLpBp+b2l8tJwasgj+yEPo9NWE5KB70IOKP6csG1JU4Y1CE0mWzwQfxFGYLZ
> MeiYfXv6nshethMQigAxLXBQ6uhAWmHbNsG9Na7z2KpawghESfcXJ44ALBe0eNek
> fp5Z+XSjf6FNdIM75d2Qq2OhmX3XWRQ3u4zc6yCIEaoJqB5dX5YEAHuILszekG/Y
> ej9uGxi/yc8m8SLZ+kBJXSeCjE0PzVbSVHZCosuI/oJfgbokI1WoMF2gkx+9dSCo
> H5ZXTh9Us+QWVjxMBHRIr4/bqAefCdN9AgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
> AQEACpu/yavA35kr5nCh+DS4SlbMYl6Cxgs+jKnsM0rX85fuiBmVnqlXWr61UDgp
> v7mwlAj1hyIYufgbawI0uEKBpcLfD0i2tP4utaNEPHiEcgVQCkM0BSCABgkBl9p2
> fube42Quw5nT1LD0O85t8mGgrK2RGDv2wQQVZzgm4HLP7NhudD6axFYfU8o8sfBB
> BpN9Twcm6h/JYHRKMFa/RNqJ38WkAC9BO8PTKJuVd2z8w5V4+ndNg6cRUE8by+tO
> hJf7y1PmSiQTuTl0SGkmLINTXGp06xIlcY9yAVo4esnn+8GFnvXLHUlqtQCwmY/E
> YDkEnJ9Y7QcWfK5XKvaDlPkwlg==
> -----END CERTIFICATE REQUEST-----
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_algor.c:479]::DEBUG::pki_algor.c:479::PKI_DIGEST_ALG_get_by_key()::Return
> Value is 0xb75b80e0
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [hsm_main.c:408]::DEBUG::Using
> HSM for Key Operations
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [hsm_main.c:416]::DEBUG::HSM
> sign() callback called
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [io/pki_x509_pkcs7_io.c:282]::DEBUG::B64_DEBUG
> ptype = 22PKCS#7 Message:
> Message Type:
> Signed
> Message Data:
> Size=1087 bytes
> Encrypted=no
> Signer Info:
> [1 of 1] Signer Details:
> Serial=4294967295
> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
> Encryption Algoritm=rsaEncryption
> Digest Algorithm=sha256
> Signed Attributes:
> SCEP Message Type=19
> contentType=pkcs7-data
> signingTime=Feb 18 11:15:22 2011 GMT
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_string.c:140]::DEBUG::Error,
> can not convert string to utf8! [type 4]
> Sender
> Nonce=c0:b0:e5:2c:d6:fe:64:4d:b2:d2:b9:31:e7:2e:4c:c4
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_string.c:140]::DEBUG::Error,
> can not convert string to utf8! [type 4]
> Recipient
> Nonce=e5:89:4d:3f:95:2c:c9:58:e1:42:68:e3:30:08:b3:79
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [pki_string.c:140]::DEBUG::Error,
> can not convert string to utf8! [type 4]
> Message Digest:
>
> 5d:40:11:25:b3:c7:cd:43:37:6f:7f:c4:2d:56:aa:4c:0b:60:c2:11:
> 86:b3:85:f0:d3:85:21:1b:df:32:2b:0b
> Transaction
> Identifier=fb:09:84:3d:d9:4c:3e:34:d2:9f:ee:a1:e8:22:58:1f:20:89:ee:e0:ac:e9:38:a8:6e:46:0c:38:f6:47:b0:8f
> Non Signed Attributes:
> None.
> Recipients Info:
> No Recipients
> Certificates:
> [1 of 1] Certificate:
> Serial=4294967295
> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
> Subject=CN=scepclient , O=EJBCA Sample, C=SE
> Fingerprint [SHA256]:
>
> 2c:11:0a:7d:c3:3d:fc:bf:41:15:fd:65:54:73:ad:bd:c0:11:f0:2f:
> 2b:41:a1:df:10:7c:44:0a:25:65:88:fe
> Certificate Revocation Lists:
> None.
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [net/pki_socket.c:123]::DEBUG::Creating a simple connection
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [net/sock.c:323]::DEBUG::Connection Successful to
> *MailScanner warning:
> numerical links are often malicious:* *MailScanner warning:
> numerical links are often malicious:* 127.0.0.1:8080
> <http://127.0.0.1:8080/> <*MailScanner warning: numerical
> links are often malicious:* http://127.0.0.1:8080
> <http://127.0.0.1:8080/>>
>
> Feb 18 11:15:22 2011 GMT [10771] INFO:
> [net/http_s.c:227]::DEBUG::HTTP
> DATA => size (356->1235)
> ---------------------------------------------------------------------------------------------------------------------------------------------------------
> ---------------------------------------------------------------------------------------------------------------------------------------------------------
> Let me know, Iam scratching my head since few days.
> On Thu, Feb 17, 2011 at 4:39 PM, pradeep reddy
> <pra...@gm...
> <mailto:pra...@gm...>
> <mailto:pra...@gm...
> <mailto:pra...@gm...>>> wrote:
>
> Hi,
> I coded scep client with libpki. I am using ejbca as ca
> server
> Does libpki scep client works with ejbca CA?
> As when I send the scep request message, ejbca errors it
> with below
> print:
> 10:44:46,179 INFO [ScepServlet] Received a SCEP message
> from 127.0.0.1.
> 10:44:46,187 ERROR [ScepServlet] Error processing SCEP
> request.
> java.lang.ClassCastException:
> org.bouncycastle.asn1.DERSequence
> cannot be cast to org.bouncycastle.asn1.ASN1TaggedObject
> at
> org.bouncycastle.asn1.cms.ContentInfo.<init>(Unknown Source)
> at
>
> org.bouncycastle.asn1.cms.ContentInfo.getInstance(Unknown
> Source)
> at
> org.bouncycastle.asn1.cms.SignedData.<init>(Unknown Source)
> at
> org.bouncycastle.asn1.cms.SignedData.getInstance(Unknown
> Source)
> at
> org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
> at
> org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
> Thanks.
>
>
>
>
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R)
> Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the
> development cycle.
> Locate bottlenecks in serial and parallel code that limit
> performance.
> http://p.sf.net/sfu/intel-dev2devfeb
>
>
>
> _______________________________________________
> Libpki-users mailing list
> Lib...@li...
> <mailto:Lib...@li...>
> https://lists.sourceforge.net/lists/listinfo/libpki-users
>
>
>
> --
>
> Best Regards,
>
> Massimiliano Pala
>
> --o------------------------------------------------------------------------
> Massimiliano Pala [OpenCA Project Manager] op...@ac...
> <mailto:op...@ac...>
> pro...@op... <mailto:pro...@op...>
>
> Dartmouth Computer Science Dept Home Phone: +1
> (603) 369-9332
> PKI/Trust Laboratory Work Phone: +1
> (603) 646-8734
> --o------------------------------------------------------------------------
> People who think they know everything are a great annoyance to
> those of us
> who do.
> --
> Isaac Asimov
>
>
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel
> Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development
> cycle.
> Locate bottlenecks in serial and parallel code that limit
> performance.
> http://p.sf.net/sfu/intel-dev2devfeb
> _______________________________________________
> Libpki-users mailing list
> Lib...@li...
> <mailto:Lib...@li...>
> https://lists.sourceforge.net/lists/listinfo/libpki-users
>
>
>
>
>
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development cycle.
> Locate bottlenecks in serial and parallel code that limit performance.
> http://p.sf.net/sfu/intel-dev2devfeb
>
>
>
> _______________________________________________
> Libpki-users mailing list
> Lib...@li...
> https://lists.sourceforge.net/lists/listinfo/libpki-users
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] op...@ac...
pro...@op...
Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov
|