Hello all, just joined the dev mailing list.
I'm going after a bug in scepclient and so far it looks like the problem is not
in scepclient code, but in libstrongswan.
When one uses scepclient for certificate enrollment, there are a few
parameters, including this particular one: the CA certificate, which was
previously obtained.
Scepclient sends a message to the CA in order to request a certificate. This
message contains some information about the CA certificate.
This is the function that gets that information.
- METHOD(certificate_t, get_encoding, bool, private_x509_cert_t *this,
cred_encoding_type_t type, chunk_t *encoding)
What it does in practice is chunk_clone(this->encoding).
According to the draft, the first part of this information should be:
certificate { -- requester self-signed or CA-issued certificate
version 3
serialNumber "the transaction id associated with enrollment"
signature {pkcs-1 4} -- md5WithRSAEncryption
..................
My CA certificate, according to openssl, is version 3 and has
md5withRSAEncryption signature.
But what is actually cloned by that function for my CA certificate is:
certificate { -- requester self-signed or CA-issued certificate
context 0 {
version 3
}
version 2
serialNumber "the transaction id associated with enrollment"
signature {pkcs-1 4} -- sha-1WithRSAEncryption
..................
Problem 1) There is this context 0 thing which contains the right version
number, and the actual version might be wrong (2).
Problem 2) My certificate is md5WithRSAEncryption, but it read
sha-1withRSAEncryption. The former is defined as 92 while the latter as 93. +1
bug somewhere?
Conclusion:
Since get_encoding just copies a chunk from certificate->encoding, it seems that
- lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE,
path, BUILD_END);
is not doing what it should do.
Opinions?
Thanks,
Germano Veit Michel
[email protected]
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
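As an added example (not code from the message, scepclient or libstrongswan), the Python below reads the leading fields of a DER certificate the way the message inspects its cloned encoding: the [0] EXPLICIT version tag, the serial, the tbsCertificate.signature OID and the outer signatureAlgorithm OID. It runs on a constructed, unsigned certificate skeleton; the OID table, sample serial and `build_sample` helper are assumptions made for the example. It also shows that RFC 5280 encodes version 3 as INTEGER 2 inside the [0] tag, and flags the inner/outer algorithm mismatch a practitioner would want to detect.

```python
# Added example, not strongSwan code: minimal DER reader for X.509 leading fields.
OID_NAMES = {                              # assumed table, only the two OIDs discussed
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
def der_read(buf, pos=0):
    """Return (tag, contents, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0   # first byte packs arcs 1 and 2
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)          # base-128, high bit set on non-final bytes
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def inspect_certificate(der):
    """Version, serial and both signature-algorithm OIDs of a DER Certificate."""
    _, cert, _ = der_read(der)             # Certificate ::= SEQUENCE {tbs, alg, sig}
    _, tbs, pos = der_read(cert)           # pos now points at signatureAlgorithm
    tag, val, p = der_read(tbs)
    if tag == 0xA0:                        # [0] EXPLICIT Version: INTEGER 2 encodes v3
        version = int.from_bytes(der_read(val)[1], "big") + 1
    else:                                  # absent version means v1; TLV was the serial
        version, p = 1, 0
    _, serial, p = der_read(tbs, p)
    _, inner_alg, _ = der_read(tbs, p)     # tbsCertificate.signature
    _, outer_alg, _ = der_read(cert, pos)  # Certificate.signatureAlgorithm
    inner, outer = (decode_oid(der_read(a)[1]) for a in (inner_alg, outer_alg))
    return {"version": version, "serial": int.from_bytes(serial, "big"),
            "tbs_signature": OID_NAMES.get(inner, inner),
            "signature_algorithm": OID_NAMES.get(outer, outer),
            "algorithms_match": inner == outer}   # RFC 5280 requires these to agree
def der_tlv(tag, value):                   # short-form encoder, only for the sample
    return bytes([tag, len(value)]) + value
def build_sample(inner_oid_hex, outer_oid_hex):
    """Constructed, unsigned v3 skeleton: serial 0x1234, given OIDs, dummy BIT STRING."""
    alg = lambda h: der_tlv(0x30, der_tlv(0x06, bytes.fromhex(h)) + der_tlv(0x05, b""))
    tbs = der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x12\x34") + alg(inner_oid_hex)
    return der_tlv(0x30, der_tlv(0x30, tbs) + alg(outer_oid_hex) + der_tlv(0x03, b"\x00"))

MD5_RSA, SHA1_RSA = "2a864886f70d010104", "2a864886f70d010105"   # DER OID contents
SAMPLE_OK = build_sample(MD5_RSA, MD5_RSA)
SAMPLE_MISMATCH = build_sample(MD5_RSA, SHA1_RSA)  # inner and outer algorithm disagree
```

Running `inspect_certificate(SAMPLE_OK)` reports version 3 for the INTEGER 2 inside the [0] tag and md5WithRSAEncryption for both algorithm fields; `SAMPLE_MISMATCH` is flagged because the two OIDs differ.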