From: pradeep r. <pra...@gm...> - 2011-02-23 08:56:01
Hi Max,
I used the first method, using PKI_X509_PKCS7 structures.
And EJBCA is sending the success response. But the response message does not
contain the created certificate.
I am running the following code:
URL_put_data_url ( url, scepmem, (char *) mime, &sceprespmem, 60, 0, ssl );
p7_resp = PKI_X509_PKCS7_get_mem ( p7_resp_mem, NULL );
PKI_X509_PKCS7_put ( p7_resp, PKI_DATA_FORMAT_PEM, "scep-resp.pem",NULL,
cred, NULL );
PKI_X509_PKCS7_put ( p7_resp, PKI_DATA_FORMAT_TXT, "scep-resp.txt",NULL,
cred, NULL );
int certnum = PKI_X509_PKCS7_get_certs_num( p7_resp );
Here certnum returns -1. In the output below, the certificates field is NULL, though in the
ejbca logs I see the certificate is added to the response message.
Let me know if this is the correct way to get the certificate from response
message.
scep-resp.txt:
PKCS#7 Message:
Message Type:
Signed
Message Data:
Size=2280 bytes
Encrypted=no
Signer Info:
[1 of 1] Signer Details:
Serial=783996641852637500
Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
Encryption Algoritm=rsaEncryption
Digest Algorithm=sha256
Signed Attributes:
SCEP Message Type=3
Status=0
contentType=pkcs7-data
signingTime=Feb 23 08:44:47 2011 GMT
Sender Nonce=5d:ad:28:5c:d3:58:85:d7:75:42:91:e2:bf:3d:ca:08
Recipient Nonce=df:5b:f8:13:68:ff:a5:b0:e4:13:f1:a3:10:74:f5:4f
Message Digest:
42:2d:9e:2f:eb:a7:d0:99:ff:71:72:5f:12:cd:ff:be:74:09:2f:60:
f6:8c:67:4d:f9:41:f7:e8:fa:5e:25:b7
Transaction Identifier=81:8c:9f:e9:95:d6:56:03:ef:62:fc:48:f5:9d:8e:3f:cf:15:a6:48:64:54:dd:23:b7:a3:69:76:75:8b:4d:7b
Non Signed Attributes:
None.
Recipients Info:
No Recipients
Certificates:
None.
Certificate Revocation Lists:
None.
Thanks.
On Mon, Feb 21, 2011 at 9:46 PM, Massimiliano Pala <Mas...@da...> wrote:
> Hi,
>
> you should try to use different functions that ease encoding of the
> message.
> I think you are missing the final step - the encoding part. To make things
> easier, you should use the following function:
>
> // Generates and encodes a new PKI Cert Request (SCEP)
> PKI_X509_SCEP_MSG * PKI_X509_SCEP_MSG_new_certreq ( PKI_X509_KEYPAIR *key,
>                                                   PKI_X509_REQ *req, PKI_X509_CERT *signer,
>                                                   PKI_X509_CERT_STACK *recipients );
>
> Alternatively, you can do things on your own. First you generate the scep
> "DATA" - which is the core of the SCEP message:
>
> ...
>
> // Allocates the memory
>
> scep_data = PKI_X509_SCEP_DATA_new();
>
> // Add a Recipient
> PKI_X509_SCEP_DATA_add_recipient( scep_data, cacert );
>
> // Now put the data (PKCS#10 request or any other PKI_X509 object - it
> // could be a certificate, a crl, etc.. it depends on the type of message)
> PKI_X509_SCEP_DATA_set_x509_obj( scep_data, req );
>
> Supposing you have the scep_data, now you have to encode the message.
> Here's an example:
>
> // Alloc the memory
> msg = PKI_X509_SCEP_MSG_new(PKI_X509_SCEP_MSG_PKCSREQ);
>
> // Adds the signer (outer PKCS#7 envelope)
> PKI_X509_SCEP_MSG_add_signer(msg, signerCert,
> signerKey, PKI_DIGEST_ALG_SHA1);
>
> // Sets the NONCE
> PKI_X509_SCEP_MSG_set_sender_nonce( msg, NULL );
>
> // Sets the message type (in this case a PKCSREQ)
> PKI_X509_SCEP_MSG_set_type(msg, PKI_X509_SCEP_MSG_PKCSREQ );
>
> // Final Step - encoding of the data
> PKI_X509_SCEP_MSG_encode(msg, scep_data);
>
>
> Another possibility - but the API requires more work - is to generate a
> "generic" PKI request message and encode it in the SCEP format. Here's
> an example:
>
> // Generates a generic PKI Request Message
> PKI_MSG_REQ *msg = NULL;
> msg = PKI_MSG_REQ_new ( PKI_MSG_REQ_ACTION_CERTREQ,
> subject, NULL, tk->keypair, NULL, cacert );
>
> // Sets some properties of the request
> PKI_MSG_REQ_set_loa ( msg, "2");
> PKI_MSG_REQ_set_template ( msg, "CA Operator");
>
> // Sets the Encoding protocol
> PKI_MSG_REQ_set_proto( msg, PKI_MSG_PROTO_SCEP );
>
> // Now you can save the message
> PKI_MSG_REQ_put ( msg, PKI_DATA_FORMAT_PEM, "scep.pem",
> NULL, NULL, NULL, 0 );
>
> // Or simply send it to the recipient (the CA)
> if(( r = PKI_MSG_REQ_send ( msg, tk, url_s )) == NULL ) {
> // ERROR!
> return 1;
> }
>
> // Save the Response
> PKI_MSG_RESP_put ( r, PKI_DATA_FORMAT_PEM, "out/scep.pem",
> NULL, NULL, NULL );
>
> In future versions I will probably add the possibility to pick the
> digest algorithm in PKI_X509_SCEP_MSG_new_certreq() directly :) But the
> new SCEP draft should allow you to use SHA2 algorithms as well... :D
>
> Let me know,
>
> Cheers,
> Max
>
>
>
> On 02/21/2011 09:03 AM, pradeep reddy wrote:
>
>> Hi Max,
>> At last ejbca is accepting the message.
>> I have used: PKI_X509_PKCS7_put( scep_msg, PKI_DATA_FORMAT_ASN1, urlStr,
>> NULL, cred, NULL);
>> It is failing the message with "POPO verification failed".
>> I am debugging the error.
>> BTW, can you let me know how to make the digest use sha1 instead of
>> sha256.
>>
>> On Mon, Feb 21, 2011 at 6:07 PM, pradeep reddy <pra...@gm...> wrote:
>>
>> Hi Max,
>> Thank you for the pointers:
>> I am not aware of ejbca internals. But EJBCA is tested with other
>> libs that use openssl, so I guess libpki will also work.
>> 1. I have following piece of code:
>> pkey = PKI_X509_KEYPAIR_new( PKI_SCHEME_RSA, 2048, NULL, NULL, NULL );
>> digest = PKI_DIGEST_ALG_get_by_key( pkey );
>> PKI_X509_CERT *signer = PKI_X509_CERT_new ( cacert, pkey, pkcs10req,
>> NULL, serialbuf, PKI_VALIDITY_ONE_MONTH, NULL, NULL, NULL, NULL );
>> PKI_X509_SCEP_MSG_add_signer ( scep_msg, signer, pkey, digest);
>> In pki_digest.h, I set the default: #define
>> PKI_DIGEST_DEFAULT_ALG PKI_DIGEST_ALG_SHA1
>> But in the signer info the digest algorithm is still sha256.
>> Signer Info:
>> [1 of 1] Signer Details:
>> Serial=4294967295
>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>> Encryption Algoritm=rsaEncryption
>> Digest Algorithm=sha256
>> 2. I have the following code:
>> scep_data = PKI_X509_SCEP_DATA_new();
>> scep_msg = PKI_X509_SCEP_MSG_new(PKI_X509_PKCS7_TYPE_ENCRYPTED);
>> In creating scep_msg, though I pass PKI_X509_PKCS7_TYPE_ENCRYPTED,
>> internally scep_msg calls
>> PKI_X509_PKCS7_new (PKI_X509_PKCS7_TYPE_SIGNED)
>> But still the recipient (CA) details are not printed, and PKCS#7
>> Message: Message Type: Signed
>> I have used the libpki default code. Did not make any changes to
>> libpki code.
>> And I have the following piece of code to send to ejbca:
>> PKI_MEM *p7mem = PKI_X509_PKCS7_get_raw_data( scep_msg );
>> char* urlStr = "http://192.168.0.1:8080/ejbca";
>>
>> URL_put_data ( urlStr, p7mem, "scep client", NULL, 0, 20000, NULL );
>> Let me know, where I may be going wrong.
>>
>> On Fri, Feb 18, 2011 at 10:27 PM, Massimiliano Pala <Mas...@da...> wrote:
>>
>> Hi,
>>
>> I actually never tried the SCEP code with ejbca :( Do you know the internals of
>> EJBCA ? It seems like an error in the message encoding.. but the error message is
>> not very useful... Some thoughts:
>> - Maybe you should use SHA1 instead of SHA256 ?
>> - Shouldn't the request be encrypted with the CA certificate (Message Type:
>> encryptedContentData -- PKI_X509_PKCS7_TYPE_ENCRYPTED ?)
>>
>> Cheers,
>> Max
>>
>>
>>
>> On 02/18/2011 06:24 AM, pradeep reddy wrote:
>>
>> Hi,
>> I am still stuck at this error.
>> Please confirm whether the libpki scep client works with the ejbca CA.
>> More information. Here I am printing the pkcs7 structure:
>> Here, BEGIN CERTIFICATE REQUEST is the PKCS 10 structure.
>> And when printing the pkcs7, it says recipient info is
>> missing,
>> but I have added the ca certificate into scep_data.
>>
>> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_keypair.c:49]::DEBUG::Getting Default HSM (0xb77863e0/0xb77863e0)
>> generated a new Keypair!
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:408]::DEBUG::Using HSM for Key Operations
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:416]::DEBUG::HSM sign() callback called
>> -----BEGIN CERTIFICATE REQUEST-----
>> MIICfzCCAWcCAQIwOjEUMBIGA1UEAxMLc2NlcGNsaWVudCAxFTATBgNVBAoTDEVK
>> QkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
>> ggEKAoIBAQCpFdqYl5lQErTbWlQRfzuB7FzKqFNK06t1Hdvp4MppudCBZJAX3tqz
>> gpITfLpBp+b2l8tJwasgj+yEPo9NWE5KB70IOKP6csG1JU4Y1CE0mWzwQfxFGYLZ
>> MeiYfXv6nshethMQigAxLXBQ6uhAWmHbNsG9Na7z2KpawghESfcXJ44ALBe0eNek
>> fp5Z+XSjf6FNdIM75d2Qq2OhmX3XWRQ3u4zc6yCIEaoJqB5dX5YEAHuILszekG/Y
>> ej9uGxi/yc8m8SLZ+kBJXSeCjE0PzVbSVHZCosuI/oJfgbokI1WoMF2gkx+9dSCo
>> H5ZXTh9Us+QWVjxMBHRIr4/bqAefCdN9AgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
>> AQEACpu/yavA35kr5nCh+DS4SlbMYl6Cxgs+jKnsM0rX85fuiBmVnqlXWr61UDgp
>> v7mwlAj1hyIYufgbawI0uEKBpcLfD0i2tP4utaNEPHiEcgVQCkM0BSCABgkBl9p2
>> fube42Quw5nT1LD0O85t8mGgrK2RGDv2wQQVZzgm4HLP7NhudD6axFYfU8o8sfBB
>> BpN9Twcm6h/JYHRKMFa/RNqJ38WkAC9BO8PTKJuVd2z8w5V4+ndNg6cRUE8by+tO
>> hJf7y1PmSiQTuTl0SGkmLINTXGp06xIlcY9yAVo4esnn+8GFnvXLHUlqtQCwmY/E
>> YDkEnJ9Y7QcWfK5XKvaDlPkwlg==
>> -----END CERTIFICATE REQUEST-----
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_algor.c:479]::DEBUG::pki_algor.c:479::PKI_DIGEST_ALG_get_by_key()::Return Value is 0xb75b80e0
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:408]::DEBUG::Using HSM for Key Operations
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [hsm_main.c:416]::DEBUG::HSM sign() callback called
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_x509_scep_attr.c:120]::DEBUG::PKI_X509_SCEP_MSG_set_attribute()::Start
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [io/pki_x509_pkcs7_io.c:282]::DEBUG::B64_DEBUG
>> ptype = 22PKCS#7 Message:
>> Message Type:
>> Signed
>> Message Data:
>> Size=1087 bytes
>> Encrypted=no
>> Signer Info:
>> [1 of 1] Signer Details:
>> Serial=4294967295
>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>> Encryption Algoritm=rsaEncryption
>> Digest Algorithm=sha256
>> Signed Attributes:
>> SCEP Message Type=19
>> contentType=pkcs7-data
>> signingTime=Feb 18 11:15:22 2011 GMT
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, can not convert string to utf8! [type 4]
>> Sender Nonce=c0:b0:e5:2c:d6:fe:64:4d:b2:d2:b9:31:e7:2e:4c:c4
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, can not convert string to utf8! [type 4]
>> Recipient Nonce=e5:89:4d:3f:95:2c:c9:58:e1:42:68:e3:30:08:b3:79
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [pki_string.c:140]::DEBUG::Error, can not convert string to utf8! [type 4]
>> Message Digest:
>> 5d:40:11:25:b3:c7:cd:43:37:6f:7f:c4:2d:56:aa:4c:0b:60:c2:11:
>> 86:b3:85:f0:d3:85:21:1b:df:32:2b:0b
>> Transaction Identifier=fb:09:84:3d:d9:4c:3e:34:d2:9f:ee:a1:e8:22:58:1f:20:89:ee:e0:ac:e9:38:a8:6e:46:0c:38:f6:47:b0:8f
>> Non Signed Attributes:
>> None.
>> Recipients Info:
>> No Recipients
>> Certificates:
>> [1 of 1] Certificate:
>> Serial=4294967295
>> Issuer=CN=AdminCA1, O=EJBCA Sample, C=SE
>> Subject=CN=scepclient , O=EJBCA Sample, C=SE
>> Fingerprint [SHA256]:
>> 2c:11:0a:7d:c3:3d:fc:bf:41:15:fd:65:54:73:ad:bd:c0:11:f0:2f:
>> 2b:41:a1:df:10:7c:44:0a:25:65:88:fe
>> Certificate Revocation Lists:
>> None.
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [net/pki_socket.c:123]::DEBUG::Creating a simple connection
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [net/sock.c:323]::DEBUG::Connection Successful to 127.0.0.1:8080
>> Feb 18 11:15:22 2011 GMT [10771] INFO: [net/http_s.c:227]::DEBUG::HTTP DATA => size (356->1235)
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>> Let me know, I have been scratching my head for a few days.
>> On Thu, Feb 17, 2011 at 4:39 PM, pradeep reddy <pra...@gm...> wrote:
>>
>> Hi,
>> I coded a scep client with libpki. I am using ejbca as the ca
>> server.
>> Does the libpki scep client work with the ejbca CA?
>> When I send the scep request message, ejbca errors it
>> with the print below:
>> 10:44:46,179 INFO [ScepServlet] Received a SCEP message from 127.0.0.1.
>> 10:44:46,187 ERROR [ScepServlet] Error processing SCEP request.
>> java.lang.ClassCastException: org.bouncycastle.asn1.DERSequence cannot be cast to org.bouncycastle.asn1.ASN1TaggedObject
>> at org.bouncycastle.asn1.cms.ContentInfo.<init>(Unknown Source)
>> at org.bouncycastle.asn1.cms.ContentInfo.getInstance(Unknown Source)
>> at org.bouncycastle.asn1.cms.SignedData.<init>(Unknown Source)
>> at org.bouncycastle.asn1.cms.SignedData.getInstance(Unknown Source)
>> at org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
>> at org.bouncycastle.cms.CMSSignedData.<init>(Unknown Source)
>> Thanks.
>>
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R)
>> Parallel Studio XE:
>> Pinpoint memory and threading errors before they happen.
>> Find and fix more than 250 security defects in the
>> development cycle.
>> Locate bottlenecks in serial and parallel code that limit
>> performance.
>> http://p.sf.net/sfu/intel-dev2devfeb
>>
>>
>>
>> _______________________________________________
>> Libpki-users mailing list
>> Lib...@li...
>>
>> https://lists.sourceforge.net/lists/listinfo/libpki-users
>>
>>
>>
>> --
>> Best Regards,
>> Massimiliano Pala
>>
>> --o------------------------------------------------------------------------
>> Massimiliano Pala [OpenCA Project Manager] op...@ac...
>> pro...@op...
>>
>> Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
>> PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
>> --o------------------------------------------------------------------------
>> People who think they know everything are a great annoyance to those of us
>> who do.
>> -- Isaac Asimov
>
>
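A note on the scep-resp.txt dump at the top of this thread, with an added example. The code below is not libpki's and was not posted by anyone in the thread; it is a small check a SCEP client should run on a CertRep before trusting it. Two things from the SCEP specification (RFC 8894) matter for the dump shown: first, "SCEP Message Type=3" is CertRep and "Status=0" is pkiStatus SUCCESS, so the CA did answer positively; second, in a SUCCESS CertRep the issued certificate travels inside the encrypted pkcsPKIEnvelope as a certificates-only (degenerate) SignedData, not in the certificates field of the outer SignedData, so "Certificates: None." on the outer layer is expected and the client has to decrypt the envelope with its own key to reach the certificate. The example parses the key=value lines of the libpki text dump (a constructed copy of the one above), checks messageType and pkiStatus, and checks that recipientNonce echoes the senderNonce the client sent. The client's senderNonce value is constructed (the thread does not show it), and the "Fail Info" dump key is an assumption, since libpki's actual label for failInfo is not on the page.

```python
"""Check a SCEP CertRep's signed attributes before trusting it.

Added example for this thread (not libpki code). It parses the key=value
lines of the text dump libpki prints (like scep-resp.txt above) and applies
the checks a SCEP client should do on a response: messageType, pkiStatus,
and that recipientNonce echoes the senderNonce the client put in its request.
"""
import re

# Constructed sample: the signed-attribute part of the scep-resp.txt dump
# quoted in the thread.
SAMPLE_DUMP = """\
PKCS#7 Message:
Message Type:
Signed
Message Data:
Size=2280 bytes
Encrypted=no
Signed Attributes:
SCEP Message Type=3
Status=0
contentType=pkcs7-data
signingTime=Feb 23 08:44:47 2011 GMT
Sender Nonce=5d:ad:28:5c:d3:58:85:d7:75:42:91:e2:bf:3d:ca:08
Recipient Nonce=df:5b:f8:13:68:ff:a5:b0:e4:13:f1:a3:10:74:f5:4f
Certificates:
None.
"""

# Constructed: the senderNonce the client is assumed to have sent in its
# PKCSReq. A CertRep must echo it back as recipientNonce.
CLIENT_SENDER_NONCE = "df:5b:f8:13:68:ff:a5:b0:e4:13:f1:a3:10:74:f5:4f"

# Attribute values from the SCEP specification (RFC 8894, section 3.2.1).
MESSAGE_TYPES = {3: "CertRep", 17: "RenewalReq", 19: "PKCSReq",
                 20: "CertPoll", 21: "GetCert", 22: "GetCRL"}
PKI_STATUS = {0: "SUCCESS", 2: "FAILURE", 3: "PENDING"}
FAIL_INFO = {0: "badAlg", 1: "badMessageCheck", 2: "badRequest",
             3: "badTime", 4: "badCertId"}

KV_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z #]*?)\s*=\s*(.+?)\s*$")


def parse_dump(text):
    """Collect the 'Key=value' lines of a libpki PKCS#7 text dump into a dict."""
    attrs = {}
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def check_certrep(attrs, sent_nonce):
    """Validate CertRep attributes. Returns (ok, findings); findings are strings."""
    findings = []

    mtype = int(attrs.get("SCEP Message Type", -1))
    if mtype != 3:
        findings.append("messageType %d (%s) is not CertRep (3)"
                        % (mtype, MESSAGE_TYPES.get(mtype, "unknown")))

    status = int(attrs.get("Status", -1))
    if status == 2:
        # "Fail Info" is an assumed dump key; libpki's real label is not on the page.
        code = attrs.get("Fail Info")
        name = FAIL_INFO.get(int(code), "unknown") if code is not None else "absent"
        findings.append("pkiStatus FAILURE, failInfo=%s" % name)
    elif status == 3:
        findings.append("pkiStatus PENDING: no certificate yet, poll later with CertPoll")
    elif status != 0:
        findings.append("unknown pkiStatus %d" % status)

    # recipientNonce must equal the senderNonce of our own request; a mismatch
    # means the response belongs to another transaction or is a replay.
    if attrs.get("Recipient Nonce", "").lower() != sent_nonce.lower():
        findings.append("recipientNonce does not echo the senderNonce we sent")

    return (not findings, findings)


def certificate_expected_in_envelope(attrs):
    """True when a SUCCESS CertRep carries its certificate inside the encrypted
    pkcsPKIEnvelope rather than in the outer SignedData's certificates field,
    i.e. when 'Certificates: None.' on the outer layer is not itself an error."""
    return (int(attrs.get("SCEP Message Type", -1)) == 3
            and int(attrs.get("Status", -1)) == 0)


if __name__ == "__main__":
    attrs = parse_dump(SAMPLE_DUMP)
    ok, findings = check_certrep(attrs, CLIENT_SENDER_NONCE)
    print("accepted" if ok else "rejected", findings)
    if ok and certificate_expected_in_envelope(attrs):
        print("decrypt pkcsPKIEnvelope with the client key to get the issued certificate")
```

The nonce comparison is the part worth keeping even if the rest is thrown away: a client that reads certnum from the outer layer and stops there never confirms that the CertRep it is about to act on belongs to the transaction it started.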