Re: CMP mock server OldCertID check behavior

2021-07-12 Thread David von Oheimb
Hello Petr,

thank you for your message and filing the related issue at
https://github.com/openssl/openssl/issues/16041.
I very much appreciate such feedback on the new CMP implementation and
its tests.

You are right that the behavior of the mock server appears pretty
strange regarding the checks on the |oldCertID| in |kur| messages.
This is because for the HTTP-based OpenSSL-internal CMP test cases the
mock server deals, as you noticed, with just a single certificate.
For this reason, the short-circuit comparison given in |cmp_mock_srv.c|
is sufficient but at least would have deserved an explaining comment and
documentation.

In order to make the mock server more generally useful, I've extended it
in https://github.com/openssl/openssl/pull/16050
by giving the option -ref_cert to specify an independent reference
certificate to be used for the checks done for |kur| and |rr| messages.

Kind regards,

    David

On 08.07.21 13:17, Petr Gotthard wrote:
> Hello,
>
> I am trying to renew a certificate via CMP and authenticate the
> request using the same cert.
>
> I start the mock server:
>
> openssl cmp -port 8080 -srv_trusted test-ca-cert.pem \
>     -srv_key test-server-key.pem -srv_cert test-server-cert.pem \
>     -rsp_cert test-client-cert2.pem -rsp_capubs test-ca-cert.pem &
>
> And run the client:
>
> openssl cmp -cmd kur -server localhost:8080/pkix/ -srvcert test-server-cert.pem \
>     -key test-client-key.pem -cert test-my-cert.pem \
>     -newkey test-client-key2.pem -certout test-my-cert2.pem
>
> However, the CMP server(?) compares the serial number of the old
> client certificate with the serial of the new (enrolled) certificate
> and fails. (I can make the enrollment succeed if I force the old and
> the new certificate to have the same serial.)
>
> CMP error: received error:PKIStatus: rejection; PKIFailureInfo:
> badRequest; StatusString: "wrong certid"; errorCode: 1DBD;
> errorDetails: CMP routines, wrong certid
>
> What am I doing wrong, please? It is quite obvious the new certificate
> will have a different certid, isn't it?
>
> Kind Regards,
>
> Petr


CMP mock server OldCertID check behavior

2021-07-08 Thread Petr Gotthard
Hello,

I am trying to renew a certificate via CMP and authenticate the request using 
the same cert.

I start the mock server:
openssl cmp -port 8080 -srv_trusted test-ca-cert.pem \
-srv_key test-server-key.pem -srv_cert test-server-cert.pem \
-rsp_cert test-client-cert2.pem -rsp_capubs test-ca-cert.pem &

And run the client:
openssl cmp -cmd kur -server localhost:8080/pkix/ -srvcert test-server-cert.pem \
    -key test-client-key.pem -cert test-my-cert.pem \
    -newkey test-client-key2.pem -certout test-my-cert2.pem

However, the CMP server(?) compares the serial number of the old client 
certificate with the serial of the new (enrolled) certificate and fails. (I can 
make the enrollment succeed if I force the old and the new certificate to have 
the same serial.)

CMP error: received error:PKIStatus: rejection; PKIFailureInfo: badRequest; 
StatusString: "wrong certid"; errorCode: 1DBD; errorDetails: CMP routines, 
wrong certid

What am I doing wrong, please? It is quite obvious the new certificate will 
have a different certid, isn't it?


Kind Regards,
Petr