From: Massimiliano P. <Massimiliano.Pala@Dartmouth.edu> - 2011-02-21 16:15:24
Hi,

you should try to use different functions that ease encoding of the message. I think you are missing the final step - the encoding part. To make things easier, you should use the following function:

    // Generates and encodes a new PKI Cert Request (SCEP)
    PKI_X509_SCEP_MSG * PKI_X509_SCEP_MSG_new_certreq (
            PKI_X509_KEYPAIR     *key,
            PKI_X509_REQ         *req,
            PKI_X509_CERT        *signer,
            PKI_X509_CERT_STACK  *recipients );

Alternatively, you can do things on your own. First you generate the SCEP "DATA" - which is the core of the SCEP message:

    ...
    // Allocates the memory
    scep_data = PKI_X509_SCEP_DATA_new();

    // Add a Recipient
    PKI_X509_SCEP_DATA_add_recipient( scep_data, cacert );

    // Now put the data (PKCS#10 request or any other PKI_X509 object - it
    // could be a certificate, a crl, etc.. it depends on the type of message)
    PKI_X509_SCEP_DATA_set_x509_obj( scep_data, req );

Supposing you have the scep_data, now you have to encode the message. Here's an example:

    // Alloc the memory
    msg = PKI_X509_SCEP_MSG_new(PKI_X509_SCEP_MSG_PKCSREQ);

    // Adds the signer (outer PKCS#7 envelope)
    PKI_X509_SCEP_MSG_add_signer(msg, signerCert, signerKey, PKI_DIGEST_ALG_SHA1);

    // Sets the NONCE
    PKI_X509_SCEP_MSG_set_sender_nonce( msg, NULL );

    // Sets the message type (in this case a PKCSREQ)
    PKI_X509_SCEP_MSG_set_type(msg, PKI_X509_SCEP_MSG_PKCSREQ );

    // Final Step - encoding of the data
    PKI_X509_SCEP_MSG_encode(msg, scep_data);

Another possibility - but the API requires more work - is to generate a "generic" PKI request message and encode it in the SCEP format.
Here's an example:

    // Generates a generic PKI Request Message
    PKI_MSG_REQ *msg = NULL;

    msg = PKI_MSG_REQ_new ( PKI_MSG_REQ_ACTION_CERTREQ, subject, NULL,
                            tk->keypair, NULL, cacert );

    // Sets some properties of the request
    PKI_MSG_REQ_set_loa ( msg, "2");
    PKI_MSG_REQ_set_template ( msg, "CA Operator");

    // Sets the Encoding protocol
    PKI_MSG_REQ_set_proto( msg, PKI_MSG_PROTO_SCEP );

    // Now you can save the message
    PKI_MSG_REQ_put ( msg, PKI_DATA_FORMAT_PEM, "scep.pem", NULL, NULL, NULL, 0 );

    // Or simply send it to the recipient (the CA)
    if(( r = PKI_MSG_REQ_send ( msg, tk, url_s )) == NULL ) {
        // ERROR!
        return 1;
    }

    // Save the Response
    PKI_MSG_RESP_put ( r, PKI_DATA_FORMAT_PEM, "out/scep.pem", NULL, NULL, NULL );

In future versions I will probably add the possibility to pick the digest algorithm in PKI_X509_SCEP_MSG_new_certreq() directly :) But the new SCEP draft should allow you to use SHA2 algorithms as well... :D

Let me know,
Cheers,
Max

On 02/21/2011 09:03 AM, pradeep reddy wrote:
> Hi Max,
> At last ejbca is accepting the message.
> I have used
>
>     PKI_X509_PKCS7_put( scep_msg, PKI_DATA_FORMAT_ASN1, urlStr, NULL, cred, NULL );
>
> It is failing the message with "POPO verification failed".
> I am debugging the error.
> BTW, can you let me know how to make the digest use sha1 instead of sha256?
>
> On Mon, Feb 21, 2011 at 6:07 PM, pradeep reddy <pra...@gm...> wrote:
> > Hi Max,
> > Thank you for the pointers.
> > I am not aware of ejbca internals. But EJBCA is tested with other
> > openssl-based libs, so I guess libpki will also work.
> > 1.
> > I have the following piece of code:
> >
> >     pkey = PKI_X509_KEYPAIR_new( PKI_SCHEME_RSA, 2048, NULL, NULL, NULL );
> >     digest = PKI_DIGEST_ALG_get_by_key( pkey );
> >     PKI_X509_CERT *signer = PKI_X509_CERT_new ( cacert, pkey, pkcs10req,
> >             NULL, serialbuf, PKI_VALIDITY_ONE_MONTH, NULL, NULL, NULL, NULL );
> >     PKI_X509_SCEP_MSG_add_signer ( scep_msg, signer, pkey, digest );
> >
> > In pki_digest.h I set the default:
> >
> >     #define PKI_DIGEST_DEFAULT_ALG PKI_DIGEST_ALG_SHA1
> >
> > But in the signer info the digest algorithm is still sha256:
> >
> >     Signer Info:
> >       [1 of 1] Signer Details:
> >         Serial=4294967295
> >         Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
> >         Encryption Algoritm=rsaEncryption
> >         Digest Algorithm=sha256
> >
> > 2. I have the following code:
> >
> >     scep_data = PKI_X509_SCEP_DATA_new();
> >     scep_msg = PKI_X509_SCEP_MSG_new( PKI_X509_PKCS7_TYPE_ENCRYPTED );
> >
> > In creating scep_msg, though I pass PKI_X509_PKCS7_TYPE_ENCRYPTED,
> > internally scep_msg calls PKI_X509_PKCS7_new (PKI_X509_PKCS7_TYPE_SIGNED).
> > But still the recipient (CA) details are not printed, and the PKCS#7
> > Message says "Message Type: Signed".
> > I have used the libpki default code. Did not make any changes to
> > libpki code.
> > And I have the following piece of code to send to ejbca:
> >
> >     PKI_MEM *p7mem = PKI_X509_PKCS7_get_raw_data( scep_msg );
> >     char *urlStr = "http://192.168.0.1:8080/ejbca";
> >     URL_put_data ( urlStr, p7mem, "scep client", NULL, 0, 20000, NULL );
> >
> > Let me know where I may be going wrong.
> >
> > On Fri, Feb 18, 2011 at 10:27 PM, Massimiliano Pala <Mas...@da...> wrote:
> > > Hi,
> > >
> > > I actually never tried the SCEP code with ejbca :( Do you know the internals of
> > > EJBCA? It seems like an error in the message encoding... but the error message is
> > > not very useful... Some thoughts:
> > > - Maybe you should use SHA1 instead of SHA256?
> > > - Shouldn't the request be encrypted with the CA certificate (Message Type:
> > >   encryptedContentData -- PKI_X509_PKCS7_TYPE_ENCRYPTED)?
> > >
> > > Cheers,
> > > Max
> > >
> > > On 02/18/2011 06:24 AM, pradeep reddy wrote:
> > > > Hi,
> > > > I am still stuck at this error.
> > > > Please confirm whether the libpki scep client works with the ejbca CA.
> > > > More information. Here I am printing the pkcs7 structure.
> > > > Here, BEGIN CERTIFICATE REQUEST is the PKCS 10 structure.
> > > > And when printing the pkcs7, it is saying recipient info is missing,
> > > > but I have added the ca certificate into scep_data.
> > > > ----------------------------------------------------------------------
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_keypair.c:49]::DEBUG::Getting Default HSM (0xb77863e0/0xb77863e0)
> > > > generated a new Keypair!
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:408]::DEBUG::Using HSM for Key Operations
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:416]::DEBUG::HSM sign() callback called
> > > > -----BEGIN CERTIFICATE REQUEST-----
> > > > MIICfzCCAWcCAQIwOjEUMBIGA1UEAxMLc2NlcGNsaWVudCAxFTATBgNVBAoTDEVK
> > > > QkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
> > > > ggEKAoIBAQCpFdqYl5lQErTbWlQRfzuB7FzKqFNK06t1Hdvp4MppudCBZJAX3tqz
> > > > gpITfLpBp+b2l8tJwasgj+yEPo9NWE5KB70IOKP6csG1JU4Y1CE0mWzwQfxFGYLZ
> > > > MeiYfXv6nshethMQigAxLXBQ6uhAWmHbNsG9Na7z2KpawghESfcXJ44ALBe0eNek
> > > > fp5Z+XSjf6FNdIM75d2Qq2OhmX3XWRQ3u4zc6yCIEaoJqB5dX5YEAHuILszekG/Y
> > > > ej9uGxi/yc8m8SLZ+kBJXSeCjE0PzVbSVHZCosuI/oJfgbokI1WoMF2gkx+9dSCo
> > > > H5ZXTh9Us+QWVjxMBHRIr4/bqAefCdN9AgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
> > > > AQEACpu/yavA35kr5nCh+DS4SlbMYl6Cxgs+jKnsM0rX85fuiBmVnqlXWr61UDgp
> > > > v7mwlAj1hyIYufgbawI0uEKBpcLfD0i2tP4utaNEPHiEcgVQCkM0BSCABgkBl9p2
> > > > fube42Quw5nT1LD0O85t8mGgrK2RGDv2wQQVZzgm4HLP7NhudD6axFYfU8o8sfBB
> > > > BpN9Twcm6h/JYHRKMFa/RNqJ38WkAC9BO8PTKJuVd2z8w5V4+ndNg6cRUE8by+tO
> > > > hJf7y1PmSiQTuTl0SGkmLINTXGp06xIlcY9yAVo4esnn+8GFnvXLHUlqtQCwmY/E
> > > > YDkEnJ9Y7QcWfK5XKvaDlPkwlg==
> > > > -----END CERTIFICATE REQUEST-----
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_algor.c:479]::DEBUG::pki_algor.c:479::PKI_DIGEST_ALG_get_by_key()::Return Value is 0xb75b80e0
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:408]::DEBUG::Using HSM for Key Operations
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:416]::DEBUG::HSM sign() callback called
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [io/pki_x509_pkcs7_io.c:282]::DEBUG::B64_DEBUG ptype = 22
> > > > PKCS#7 Message:
> > > >   Message Type:
> > > >     Signed
> > > >   Message Data:
> > > >     Size=1087 bytes
> > > >     Encrypted=no
> > > >   Signer Info:
> > > >     [1 of 1] Signer Details:
> > > >       Serial=4294967295
> > > >       Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
> > > >       Encryption Algoritm=rsaEncryption
> > > >       Digest Algorithm=sha256
> > > >       Signed Attributes:
> > > >         SCEP Message Type=19
> > > >         contentType=pkcs7-data
> > > >         signingTime=Feb 18 11:15:22 2011 GMT
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, can not convert string to utf8! [type 4]
> > > >         Sender Nonce=c0:b0:e5:2c:d6:fe:64:4d:b2:d2:b9:31:e7:2e:4c:c4
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, can not convert string to utf8! [type 4]
> > > >         Recipient Nonce=e5:89:4d:3f:95:2c:c9:58:e1:42:68:e3:30:08:b3:79
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, can not convert string to utf8! [type 4]
> > > >         Message Digest:
> > > >           5d:40:11:25:b3:c7:cd:43:37:6f:7f:c4:2d:56:aa:4c:0b:60:c2:11:86:b3:85:f0:d3:85:21:1b:df:32:2b:0b
> > > >         Transaction Identifier=fb:09:84:3d:d9:4c:3e:34:d2:9f:ee:a1:e8:22:58:1f:20:89:ee:e0:ac:e9:38:a8:6e:46:0c:38:f6:47:b0:8f
> > > >       Non Signed Attributes:
> > > >         None.
> > > >   Recipients Info:
> > > >     No Recipients
> > > >   Certificates:
> > > >     [1 of 1] Certificate:
> > > >       Serial=4294967295
> > > >       Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
> > > >       Subject=CN=scepclient , O=EJBCA Sample, C=SE
> > > >       Fingerprint [SHA256]:
> > > >         2c:11:0a:7d:c3:3d:fc:bf:41:15:fd:65:54:73:ad:bd:c0:11:f0:2f:2b:41:a1:df:10:7c:44:0a:25:65:88:fe
> > > >   Certificate Revocation Lists:
> > > >     None.
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [net/pki_socket.c:123]::DEBUG::Creating a simple connection
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [net/sock.c:323]::DEBUG::Connection Successful to 127.0.0.1:8080
> > > > Feb 18 11:15:22 2011 GMT [10771] INFO: [net/http_s.c:227]::DEBUG::HTTP DATA => size (356->1235)
> > > > ----------------------------------------------------------------------
> > > > Let me know, I have been scratching my head for a few days.
> > > >
> > > > On Thu, Feb 17, 2011 at 4:39 PM, pradeep reddy <pra...@gm...> wrote:
> > > > > Hi,
> > > > > I coded a scep client with libpki. I am using ejbca as the ca server.
> > > > > Does the libpki scep client work with the ejbca CA?
> > > > > When I send the scep request message, ejbca errors it with the print below:
> > > > >
> > > > >     10:44:46,179 INFO  [ScepServlet] Received a SCEP message from 127.0.0.1.
> > > > >     10:44:46,187 ERROR [ScepServlet] Error processing SCEP request.
> > > > >     java.lang.ClassCastException: org.bouncycastle.asn1.DERSequence cannot be cast to org.bouncycastle.asn1.ASN1TaggedObject
> > > > >         at org.bouncycastle.asn1.cms.ContentInfo.<init>(Unknown Source)
> > > > >         at org.bouncycastle.asn1.cms.ContentInfo.getInstance(Unknown Source)
> > > > >         at org.bouncycastle.asn1.cms.SignedData.<init>(Unknown Source)
> > > > >         at org.bouncycastle.asn1.cms.SignedData.getInstance(Unknown Source)
> > > > >         at org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
> > > > >         at org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
> > > > >
> > > > > Thanks.
> > > > >
> > > > > ------------------------------------------------------------------------------
> > > > > The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> > > > > Pinpoint memory and threading errors before they happen.
> > > > > Find and fix more than 250 security defects in the development cycle.
> > > > > Locate bottlenecks in serial and parallel code that limit performance.
> > > > > http://p.sf.net/sfu/intel-dev2devfeb
> > > > > _______________________________________________
> > > > > Libpki-users mailing list
> > > > > Lib...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/libpki-users
> > >
> > > --
> > >
> > > Best Regards,
> > >
> > > Massimiliano Pala
> > >
> > > --o------------------------------------------------------------------------
> > > Massimiliano Pala [OpenCA Project Manager]    op...@ac...
> > >                                               pro...@op...
> > >
> > > Dartmouth Computer Science Dept               Home Phone: +1 (603) 369-9332
> > > PKI/Trust Laboratory                          Work Phone: +1 (603) 646-8734
> > > --o------------------------------------------------------------------------
> > > People who think they know everything are a great annoyance to those of us
> > > who do.
> > >                                               -- Isaac Asimov
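Both failures quoted in this thread are shape errors in the PKCS#7/CMS envelope rather than crypto errors. The EJBCA stack trace dies in ContentInfo.<init> called from SignedData.<init>, i.e. while parsing the encapContentInfo inside the SignedData, where BouncyCastle found a bare SEQUENCE instead of the [0] EXPLICIT-tagged content it expects. The later libpki dump (Message Type: Signed, Encrypted=no, contentType=pkcs7-data, No Recipients) shows a SignedData whose payload is the plain PKCS#10 instead of an envelopedData encrypted to the CA, which is what Max's PKI_X509_SCEP_DATA_add_recipient(scep_data, cacert) step produces. The following is an added example, not libpki code and not part of the original thread: a small pure-Python DER builder plus a structural lint that accepts a correctly shaped PKCSReq and reports those two wrong shapes. The builder, lint, the AdminCA1/scepclient names and all key, signature and ciphertext bytes are placeholders constructed for the example; the OIDs are the standard PKCS#7 and SCEP ones.

```python
# Structural lint for a SCEP PKCSReq envelope (added example, not libpki code). Pure-Python DER,
# enough to build a skeletal CMS message and walk it back; key, signature and ciphertext bytes are placeholders.
OID_DATA, OID_SIGNED, OID_ENVELOPED = "1.2.840.113549.1.7.1", "1.2.840.113549.1.7.2", "1.2.840.113549.1.7.3"
OID_MESSAGE_TYPE = "2.16.840.1.113733.1.9.2"    # SCEP messageType signed attribute
OID_SHA1, OID_RSA, OID_3DES = "1.3.14.3.2.26", "1.2.840.113549.1.1.1", "1.2.840.113549.3.7"
PKCSREQ = b"19"

def tlv(tag, body):                               # DER tag-length-value, short or long length form
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def seq(*parts): return tlv(0x30, b"".join(parts))
def setof(*parts): return tlv(0x31, b"".join(parts))
def ctx0(body): return tlv(0xA0, body)            # [0] constructed context tag
def octets(b): return tlv(0x04, b)
def null(): return tlv(0x05, b"")
def integer(i): return tlv(0x02, i.to_bytes(max(1, (i.bit_length() + 8) // 8), "big"))
def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                             # base-128, high bit set on all but the last byte
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def children(body):                               # (tag, value) for each TLV inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out
def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def name_cn(cn): return seq(setof(seq(oid("2.5.4.3"), tlv(0x13, cn.encode()))))
# Constructed stand-in for the PKCS#10 request: right shape, no real key or signature.
CSR = seq(seq(integer(0), name_cn("scepclient"), seq(oid(OID_RSA), null()), ctx0(b"")),
          seq(oid(OID_RSA), null()), tlv(0x03, b"\x00<csr signature>"))

def build_pkcsreq(csr, tag_econtent=True, envelope=True):
    """PKCSReq skeleton; each flag switched off reproduces an encoding a CA rejects."""
    if envelope:   # pkcsPKIEnvelope: CSR encrypted to the CA, RecipientInfo names the CA cert
        recipient = seq(integer(0), seq(name_cn("AdminCA1"), integer(1)),
                        seq(oid(OID_RSA), null()), octets(b"<rsa-wrapped content key>"))
        payload = seq(oid(OID_ENVELOPED), ctx0(seq(integer(0), setof(recipient), seq(oid(OID_DATA),
                      seq(oid(OID_3DES), octets(b"\x00" * 8)), tlv(0x80, b"<encrypted csr>")))))
    else:          # CSR dropped in as plain pkcs7-data: nothing encrypted, so no RecipientInfo
        payload = csr
    econtent = ctx0(octets(payload)) if tag_econtent else payload   # [0] OCTET STRING vs bare SEQUENCE
    attrs = (seq(oid("1.2.840.113549.1.9.3"), setof(oid(OID_DATA))),          # contentType
             seq(oid(OID_MESSAGE_TYPE), setof(tlv(0x13, PKCSREQ))),            # messageType = 19
             seq(oid("1.2.840.113549.1.9.4"), setof(octets(b"\x00" * 20))))   # messageDigest placeholder
    signer = seq(integer(1), seq(name_cn("AdminCA1"), integer(4294967295)), seq(oid(OID_SHA1), null()),
                 tlv(0xA0, b"".join(attrs)), seq(oid(OID_RSA), null()), octets(b"<signature>"))
    signed = seq(integer(1), setof(seq(oid(OID_SHA1), null())), seq(oid(OID_DATA), econtent), setof(signer))
    return seq(oid(OID_SIGNED), ctx0(signed))

def lint_pkcsreq(der):
    """Return a list of findings; empty means the message has the PKCSReq shape."""
    tag, body, _ = read_tlv(der)
    kids = children(body) if tag == 0x30 else []
    if len(kids) != 2 or kids[0][0] != 0x06 or decode_oid(kids[0][1]) != OID_SIGNED or kids[1][0] != 0xA0:
        return ["outer object is not ContentInfo { signedData OID, [0] EXPLICIT SignedData }"]
    sd = children(children(kids[1][1])[0][1])        # SignedData fields
    eci = children(sd[2][1])                         # encapContentInfo: eContentType, [0] eContent
    if len(eci) != 2 or eci[1][0] != 0xA0:
        return ["encapContentInfo.eContent has tag 0x%02X, must be [0] EXPLICIT (0xA0) around an OCTET STRING; "
                "a bare SEQUENCE here is the 'DERSequence cannot be cast to ASN1TaggedObject' case" % eci[-1][0]]
    findings = []
    itag, ibody, _ = read_tlv(children(eci[1][1])[0][1])   # the OCTET STRING carries pkcsPKIEnvelope
    ikids = children(ibody) if itag == 0x30 else []
    if not ikids or ikids[0][0] != 0x06 or decode_oid(ikids[0][1]) != OID_ENVELOPED:
        findings.append("eContent is not an envelopedData ContentInfo: the PKCS#10 must be encrypted to "
                        "the CA certificate (RecipientInfo), not carried as plain pkcs7-data")
    elif not children(next(v for t, v in children(children(ikids[1][1])[0][1]) if t == 0x31)):
        findings.append("EnvelopedData carries no RecipientInfo")
    signer = children(children(sd[-1][1])[0][1])     # first SignerInfo; signedAttrs is its [0] IMPLICIT SET
    attrs = {decode_oid(children(a)[0][1]): [v for _, v in children(children(a)[1][1])]
             for _, a in children(next(v for t, v in signer if t == 0xA0))}
    if attrs.get(OID_MESSAGE_TYPE) != [PKCSREQ]:
        findings.append("signed attribute messageType is missing or not 19 (PKCSReq)")
    return findings
```

To use it on real output, feed the bytes from PKI_X509_PKCS7_get_raw_data() (or a saved ASN.1 file) to lint_pkcsreq(); build_pkcsreq(CSR, tag_econtent=False) and build_pkcsreq(CSR, envelope=False) reproduce the two shapes discussed above for comparison. The lint checks structure only: it does not verify the signature, the messageDigest attribute or the encryption, so an empty finding list is necessary but not sufficient for the CA to accept the request.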