Hi Guys, I found the error: it was in the approveCSR command, where the update dataType was wrongly set to "RENEW_APPROVED" instead of "APPROVED_REQUEST".
I attach the new version of the command that fixes the problem. To fix
your installation, just copy the attached file into:
PREFIX/lib/openca/cmds
(NOTE: in binary distros PREFIX=/opt/openca).
Please let me know if this fixes your installations or not...
Later,
Max
Sam Morrison wrote:
Yes, I am getting this exact same issue too. I can't find anything of any use in the logs.
--
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov
## OpenCA - RA Server Command
## (c) 1998-2001 by Massimiliano Pala and OpenCA Group
## (c) Copyright 2001-2004 The OpenCA Project
##
## File Name: approveCSR
## Brief: approve Request
## Version: $Revision: 1.2 $
## Description: Adds a confirmed request into the APPROVED_REQUEST dB
## Parameters: key, dataType, text, signature
use strict;
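sub cmdApproveCSR {
    ## Approve a request: rebuild the operator-signed request text from the
    ## CGI parameters, verify the PKCS#7 signature and the signer's
    ## certificate, refuse public keys that are already certified, and move
    ## the request from $dataType into APPROVED_REQUEST.
    ##
    ## CGI parameters read: key, dataType, text, head, signature
    ## Returns: whatever libSendReply() returns on success.  Every failure
    ## path calls generalError(), which is assumed not to return.
    ## Fix: the lifetime-check failure used to pass $errval twice; it now
    ## passes ($errval, $errno) like every other generalError() call here.
    ## NOTE(review): the file enables strict but not warnings.
    our ($query, $db, $errno, $errval, $cryptoShell);

    ## Get the parameters
    my $key       = $query->param('key');
    my $dataType  = $query->param('dataType');
    my $text      = $query->param('text');
    my $head      = $query->param('head');
    my $signature = $query->param('signature');
    my $inform    = "PEM";

    ## Get Conf Parameters
    ## $tempDir is not used below; the call is kept because getRequired()
    ## may refuse to run when the setting is missing -- TODO confirm.
    my $tempDir = getRequired('tempDir');

    my ($req, $item, $sigStatus, $signer);

    ## Absent parameters behave as empty strings (the old code relied on
    ## undef silently stringifying to "").
    $head      = '' unless defined $head;
    $text      = '' unless defined $text;
    $signature = '' unless defined $signature;

    ## Strip trailing newlines so the PKCS#7 block is re-wrapped cleanly,
    ## then rebuild the signed text exactly as the client produced it.
    $signature =~ s/\n*$//;
    $text = "$head" . "$text\n";
    if ($signature !~ /^\s*$/) {
        $text .= "-----BEGIN PKCS7-----\n";
        $text .= "$signature\n";
        $text .= "-----END PKCS7-----\n";
    }

    ## Debug dump of the reconstructed request to the web server error log.
    print STDERR $text;

    ## $dataType is client supplied and reaches the DB unchanged.  An unknown
    ## value fails here, but there is no allowlist, so a client-chosen value
    ## containing "RENEW" also skips the duplicate-key check below --
    ## TODO(review): consider restricting it to the known request types.
    if (not $req = $db->getItem(DATATYPE => $dataType, KEY => $key)) {
        generalError(i18nGettext("Cannot find __DATATYPE__ REQ in DB!",
                                 "__DATATYPE__", $dataType));
    }

    ## Parsed view of the stored request; fetched once since $req is not
    ## modified below.
    my $parsed = $req->getParsed();
    $text .= $parsed->{KEY};

    ## FIXME: should we check the subject here if it is not dynamic via serials?
    ## Renewals legitimately reuse the key; every other request must not
    ## carry a public key that is already bound to a certificate.
    if ($dataType !~ /RENEW/i and not $parsed->{HEADER}->{RENEW}) {
        my @certList = $db->searchItems(DATATYPE => "CERTIFICATE",
                                        PUBKEY   => $parsed->{PUBKEY});
        if (@certList) {
            my @serialItems = map { "<li>" . $_->getSerial() . "</li>\n" } @certList;
            generalError(
                gettext("A Certificate with the same public key\nexists!")
                . "<br>\n"
                . gettext("This is a keycompromise of the certificates\nwith the serial:")
                . "\n"
                . "<ul>\n"
                . join('', @serialItems)
                . gettext("Please revoke the certificates and delete the\nrequest.")
                . "\n"
            );
        }
    }

    ## PKCS#10 and IE requests are handled as PEM; any other header type is
    ## passed through to OpenCA::REQ unchanged.
    if ($parsed->{HEADER}->{TYPE} =~ /(PKCS#10|IE)/i) {
        $inform = "PEM";
    }
    else {
        $inform = $parsed->{HEADER}->{TYPE};
    }

    if (not $item = OpenCA::REQ->new(SHELL   => $cryptoShell,
                                     GETTEXT => \&i18nGettext,
                                     INFORM  => $inform,
                                     DATA    => $text)) {
        generalError(i18nGettext("Cannot create a new REQ object (__KEY__)!",
                                 "__KEY__", $key)
                     . "<br>\n" . $OpenCA::REQ::errval, $OpenCA::REQ::errno);
    }

    ## The approval must be signed: no signature object, no approval.
    $signer = libGetSignatureObject(OBJECT => $item);
    if (not $signer) {
        generalError($errval, $errno);
    }

    ## check signaturestate - explanation:
    ## $errno gets only set by libCheckSignature in case of real error
    ## $errval gets always set, also in success by libCheckSignature!
    ## The status text is only echoed in the reply; only $errno aborts.
    libCheckSignature(OBJECT => $item);
    $sigStatus = $errval;
    generalError($errval) if $errno;

    ## get signer certificate
    my $tmpCert = libGetSignerCertificateDB(SIGNATURE => $signer);
    if (not $tmpCert) {
        generalError($errval, $errno);
    }

    ## check validity of signer certificate: a revoked, suspended or expired
    ## operator certificate must not be able to approve anything.
    my $certStatus = $tmpCert->getStatus();
    if ($certStatus =~ /revoked|suspended|expired/) {
        generalError(i18nGettext("Cannot approve request! Invalid\nOperator-Certificate detected!")
                     . "<br>\n" . $errval, $errno);
    }

    ## Second argument is the error number (was wrongly $errval twice).
    if (not crypto_check_lifetime($item, $parsed->{HEADER}->{ROLE})) {
        generalError($errval, $errno);
    }

    if (not $db->updateStatus(DATATYPE => $dataType,
                              OBJECT   => $item,
                              NEWTYPE  => "APPROVED_REQUEST")) {
        ## NOTE(review): errval from OpenCA::DB is paired with errno from
        ## OpenCA::REQ -- looks like a copy/paste slip; confirm before changing.
        generalError(i18nGettext("Error while updating the status of\nthe request (__KEY__)!",
                                 "__KEY__", $key)
                     . "<br>\n" . $OpenCA::DB::errval, $OpenCA::REQ::errno);
    }

    return libSendReply(
        "TIMESTAMP"   => 1,
        "NAME"        => gettext("Certificate Signing Request\nApproved"),
        "EXPLANATION" => gettext("Certificate Request\nSuccessfully approved.")
                         . "\n"
                         . i18nGettext("Signature: __SIGSTATUS__",
                                       "__SIGSTATUS__", $sigStatus),
    );
}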
1;    # a file loaded with require/do must end with a true value
