Michael Konietzka wrote:
Michael Bell wrote:

Michael Konietzka wrote:

I have the same problem here:
Signing of CSRs and CRRs doesn't work correctly.



CSRs are working now for me. There were three nice reasons:

1. SQL databases can have problems with umlauts like "ü".
2. REQ.pm has a wrong regex for the extraction of the BODY.
3. crypto-utils.lib merges HEADER and BODY with LF and not CRLF

Fixes are committed to CVS. CRRs are not tested until now because I have to set up a complete new installation because of an old bug in OpenCA::Token::OpenSC (the signatures in my certs are broken).

The most important question is now, what is broken after this fix. It's a little bit frustrating but we have to identify all places where CRLF and LF can cause problems.


I just updated from CVS and now signing CSR and signing CRR with RA-Operator certificate
works fine. On the ra-interface and on the ca-interface the signatures are valid.


Problems occur with user initiated revoke via CRIN.
The CRIN is accepted, then has to be retyped and finally there is the
button to sign the CRR. I wanted to sign this with the certificate
which I want to revoke, but I get in the stderr:


Cannot build object from signature (CRR: 800).
RAWDATA:
-----BEGIN HEADER-----
TYPE = CRR
SERIAL = 800
SSL_CERT_SERIAL = n/a
SSL_CERT_DN =
SSL_CERT_ISSUER =
-----END HEADER-----
SUBMIT_DATE = Thu Jul 8 09:05:41 2004 UTC
CRIN = 7HOG5pbPVolNWeDARUjv5A==
REVOKE_REASON = Private key compromised.
REVOKE_CERTIFICATE_DN = serialNumber=3,CN=Michael Konietzka,OU=Schlund,O=United Internet,C=DE
REVOKE_CERTIFICATE_NOTBEFORE = Jul 8 08:48:24 2004 GMT
REVOKE_CERTIFICATE_NOTAFTER = Jul 8 08:48:24 2005 GMT
REVOKE_CERTIFICATE_SERIAL = 3
REVOKE_CERTIFICATE_ISSUER_DN = CN=United Internet CA,OU=PKI,O=United Internet,C=DE
REVOKE_CERTIFICATE_KEY_DIGEST = e17a2972bcde81e5adad5ffd6e52be03#####
Cannot build object from signature (CRR: 800).



Additional note:
I just tested CRIN-revoke again. The signing by the user works without complaints in the webUI.
But when looking for "active CRR" on the ra-interface
I get "Cannot build PKCS#7-object from signature!" with
following in stderr.log:

Looks like OpenCA does not detect that this CRR is not signed. Does the attached listReqs work? Additionally an if-clause only tests for PENDING and not for NEW. This is wrong too.


Michael
--
-------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice            Tel.: +49 (0)30-2093 2482
(Computing Centre)                        Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): [EMAIL PROTECTED]
Germany                                       http://www.openca.org
## OpenCA - Command
## (c) 1998-2001 by Massimiliano Pala and OpenCA Group
##
##   File Name: listReqs
##//       Brief: Build Requests' Listing
##// Description: Build Requests' Listing given correct dataType
##  Parameters: viewFrom, dataType, ra

sub cmdListReqs {

        my $from     = ( $query->param( 'viewFrom' ) or 0 );
        my $dataType = $query->param( 'dataType' );
        my ($name, $exp);
        my ($item_list, $cmd_panel) = (undef, undef);

        my ( $dateColTitle, $rows, @cols, @list );

        ## Differentiate the list parameters
        if(  $dataType eq "PENDING_REQUEST" ) {
                $name = "Pending Certificate Signing Requests";
                $item_list->{HEAD}->[0] = gettext ("Serial");
                $item_list->{HEAD}->[1] = gettext ("Submit Name");
                $item_list->{HEAD}->[2] = gettext ("Submitted On");
                $item_list->{HEAD}->[3] = gettext ("Requested Role");
                $item_list->{HEAD}->[4] = gettext ("Requested LOA");
        } elsif( $dataType eq "NEW_REQUEST" ) {
                $name = "New Certificate Signing Requests";
                $item_list->{HEAD}->[0] = gettext ("Serial");
                $item_list->{HEAD}->[1] = gettext ("Submit Name");
                $item_list->{HEAD}->[2] = gettext ("Submitted On");
                $item_list->{HEAD}->[3] = gettext ("Requested Role");
                $item_list->{HEAD}->[4] = gettext ("Requested LOA");
        } elsif ( $dataType eq "RENEW_REQUEST" ) {
                $name = "Renewed Certificate Signing Requests";
                $item_list->{HEAD}->[0] = gettext ("Operator");
                $item_list->{HEAD}->[1] = gettext ("Serial");
                $item_list->{HEAD}->[2] = gettext ("Submit Name");
                $item_list->{HEAD}->[3] = gettext ("Renewed On");
                $item_list->{HEAD}->[4] = gettext ("Requested Role");
                $item_list->{HEAD}->[5] = gettext ("Requested LOA");
        } elsif( $dataType eq  "SIGNED_REQUEST" ) {
                $name = "Signed Certificate Signing Requests";
                $item_list->{HEAD}->[0] = gettext ("Operator");
                $item_list->{HEAD}->[1] = gettext ("Serial");
                $item_list->{HEAD}->[2] = gettext ("Submit Name");
                $item_list->{HEAD}->[3] = gettext ("Signed On");
                $item_list->{HEAD}->[4] = gettext ("Requested Role");
                $item_list->{HEAD}->[5] = gettext ("Requested LOA");
        } elsif( $dataType eq  "APPROVED_REQUEST" ) {
                $name = "Approved Certificate Signing Requests";
                $item_list->{HEAD}->[0] = gettext ("Operator");
                $item_list->{HEAD}->[1] = gettext ("Serial");
                $item_list->{HEAD}->[2] = gettext ("Submit Name");
                $item_list->{HEAD}->[3] = gettext ("Approved On");
                $item_list->{HEAD}->[4] = gettext ("Requested Role");
                $item_list->{HEAD}->[5] = gettext ("Requested LOA");
        } elsif ( $dataType eq "DELETED_REQUEST" ) {
                $name = "Deleted Certificate Signing Requests";
                $item_list->{HEAD}->[0] = gettext ("Operator");
                $item_list->{HEAD}->[1] = gettext ("Serial");
                $item_list->{HEAD}->[2] = gettext ("Submit Name");
                $item_list->{HEAD}->[3] = gettext ("Deleted On");
                $item_list->{HEAD}->[4] = gettext ("Requested Role");
                $item_list->{HEAD}->[5] = gettext ("Requested LOA");
        } elsif ( $dataType eq "ARCHIVED_REQUEST" ) {
                $name = "Archived Certificate Signing Requests";
                $item_list->{HEAD}->[0] = gettext ("Operator");
                $item_list->{HEAD}->[1] = gettext ("Serial");
                $item_list->{HEAD}->[2] = gettext ("Submit Name");
                $item_list->{HEAD}->[3] = gettext ("Archived On");
                $item_list->{HEAD}->[4] = gettext ("Requested Role");
                $item_list->{HEAD}->[5] = gettext ("Requested LOA");
        } elsif ( $dataType eq "NEW_CRR" ) {
                $name = "New Certificate Revocation Requests";
                $item_list->{HEAD}->[0] = gettext ("Sender");
                $item_list->{HEAD}->[1] = gettext ("Certificate's Serial");
                $item_list->{HEAD}->[2] = gettext ("Submit Name");
                $item_list->{HEAD}->[3] = gettext ("Submitted On");
                $item_list->{HEAD}->[4] = gettext ("Affected Role");
        } elsif ( $dataType eq "PENDING_CRR" ) {
                $name = "Pending Certificate Revocation Requests";
                $item_list->{HEAD}->[0] = gettext ("Sender");
                $item_list->{HEAD}->[1] = gettext ("Certificate's Serial");
                $item_list->{HEAD}->[2] = gettext ("Submit Name");
                $item_list->{HEAD}->[3] = gettext ("Submitted On");
                $item_list->{HEAD}->[4] = gettext ("Affected Role");
        } elsif ( $dataType eq "SIGNED_CRR" ) {
                $name = "Signed Certificate Revocation Requests";
                $item_list->{HEAD}->[0] = gettext ("Operator");
                $item_list->{HEAD}->[1] = gettext ("Certificate's Serial");
                $item_list->{HEAD}->[2] = gettext ("Submit Name");
                $item_list->{HEAD}->[3] = gettext ("Signed On");
                $item_list->{HEAD}->[4] = gettext ("Affected Role");
        } elsif ( $dataType eq "APPROVED_CRR" ) {
                $name = "Approved Certificate Revocation Requests";
                $item_list->{HEAD}->[0] = gettext ("Operator");
                $item_list->{HEAD}->[1] = gettext ("Certificate's Serial");
                $item_list->{HEAD}->[2] = gettext ("Submit Name");
                $item_list->{HEAD}->[3] = gettext ("Approved On");
                $item_list->{HEAD}->[4] = gettext ("Affected Role");
        } elsif ( $dataType eq "ARCHIVED_CRR" ) {
                $name = "Archived Certificate Revocation Requests";
                $item_list->{HEAD}->[0] = gettext ("Operator");
                $item_list->{HEAD}->[1] = gettext ("Certificate's Serial");
                $item_list->{HEAD}->[2] = gettext ("Submit Name");
                $item_list->{HEAD}->[3] = gettext ("Archived On");
                $item_list->{HEAD}->[4] = gettext ("Affected Role");
        } elsif ( $dataType eq "DELETED_CRR" ) {
                $name = "Deleted Certificate Revocation Requests";
                $item_list->{HEAD}->[0] = gettext ("Operator");
                $item_list->{HEAD}->[1] = gettext ("Certificate's Serial");
                $item_list->{HEAD}->[2] = gettext ("Submit Name");
                $item_list->{HEAD}->[3] = gettext ("Deleted On");
                $item_list->{HEAD}->[4] = gettext ("Affected Role");
        } else {
                configError(gettext("Requested List NOT available"));
        }
        #$DEBUG =1;
        ## Get required parameters ( return only the value string )
        my $maxItems = getRequired( "maxReturnedItems" );
        my $elements = $db->elements( DATATYPE=>$dataType );

        ## Get the base Page ( got in $page variable )
        my $ra     = ( $query->param('ra') or "All" );
        my $loa    = ( $query->param('loa') or "All" );
        $ra = "All" if $ra eq gettext("All");
        $loa = "All" if $loa eq gettext("All"); 

        ## this if both have all selected
        if( (not $ra) or (($ra =~ /All/i) and ($loa =~/All/i) )) {
                $rows = $elements;
                @list = $db->listItems( DATATYPE=>$dataType,
                        ITEMS=>$maxItems, FROM=>$from );

        ## if the ra has all selected but the loa has not
        }elsif ((not $ra) or ($ra =~ /All/i)){
                $rows = $db->elements(DATATYPE=>$dataType);
                @list = $db->searchItems( DATATYPE=>$dataType,
                                         ITEMS=>$maxItems, FROM=>$from,
                                         LOA=>$query->param('loa'));

        ## if the loa has all selected but the ra has not
        ## (the original tested $ra here a second time, so this branch
        ## could never be reached and the RA filter was silently ignored)
        }elsif ((not $loa) or ($loa =~ /All/i)){
                $rows = $db->elements(DATATYPE=>$dataType);
                @list = $db->searchItems( DATATYPE=>$dataType,
                                         ITEMS=>$maxItems, FROM=>$from,
                                         RA=>$query->param('ra'));

        ##if All was not selected in either the RA or LOA
        } else {
                ## $rows = $db->rows(DATATYPE=>$dataType, RA=>$query->param('ra'));
                $rows = $db->elements(DATATYPE=>$dataType);
                @list = $db->searchItems( DATATYPE=>$dataType,
                                        ITEMS=>$maxItems, FROM=>$from,
                                        RA=>$query->param('ra'),
                                        LOA=>$query->param('loa'));
        }

        if (not @list) {
                $cmd_panel->[0] = $query->buildRefs(
                                ELEMENTS  => $rows,
                                MAXITEMS  => $maxItems,
                                FACTOR    => 5,
                                MODE      => "EXP",
                                NOW_FIRST => 0,
                                NOW_LAST  => 0,
                                FIRST     => 0,
                                LAST      => 0);
        } else {
                $cmd_panel->[0] = $query->buildRefs(
                                ELEMENTS  => $rows,
                                MAXITEMS  => $maxItems,
                                FACTOR    => 5,
                                MODE      => "EXP",
                                NOW_FIRST => $list[0]->getSerial($dataType),
                                NOW_LAST  => $list[scalar (@list) -1]->getSerial($dataType),
                                FIRST     => libDBGetFirstItem ($dataType)->getSerial($dataType),
                                LAST      => libDBGetLastItem ($dataType)->getSerial($dataType));
        }

        ## get list of the LOAs type
        my  $loaOption = getRequired('USE_LOAS');
        my ($loaTwig, $xmlLOA, %LOALevels, );
        if ($loaOption =~ m/yes/i)
        {

                $loaTwig = loadConfigXML ('LOAConfiguration');
                if (not $loaTwig) {
                        generalError (gettext ("Cannot load menu configration"));
                }

        #$xmlLOA = $twig->get_xpath('loa');
                my @loaList;
                for my $al ($loaTwig->get_xpath("loa"))
                {
                        $xmlLOA = gettext(($al->first_child('name'))->field);

                        $LOALevels{gettext(($al->first_child('level'))->field)}=$xmlLOA;

                        push (@loaList, $xmlLOA);
                        debug_cmds ("listReqs: loaList: @loaList");
                        debug_cmds ("listReqs: LOALevel 10: $LOALevels{10}");
                }
        }

        ## Process all Files
        $item_list->{BODY} = [];
        foreach my $req ( @list ) {
                my ( $head, $parsed, $format, $key, $ser_col, $serial, $date, $loa  );
                my @vals;

                ## We have no problem either if it is a PEM or SPKAC
                ## request as the REQ mod will try to recognize it.
                ## my $req = new OpenCA::REQ( SHELL=>$openssl,
                ##                         DATA=>$reqData);

                next if (not $req);

                my $pos = scalar @{$item_list->{BODY}};
                my $index = 0;
                if ( $dataType =~ /REQUEST/ ) {
                         $parsed = $req->getParsed();
                         $head   = $parsed->{HEADER};
                         $key    = $req->getSerial();

                         $serial = $req->getSerial();
                         $date   =  ( $parsed->{NOTBEFORE} or $head->{NOTBEFORE} or "---" );

                        if ( not $serial ) {
                                $serial = "<CENTER>---</CENTER>";
                        };

                        my $lnk = new CGI({cmd=>"viewCSR", dataType=>"$dataType", key=>$key});
                        $ser_col = $lnk->a({-class=>"list", -href=>"?".$lnk->query_string()}, "$serial");

                        ### get the name of the loa to display
                        if ($loaOption =~ m/yes/i)
                        {
                                $loa = $LOALevels{$head->{LOA}};
                                debug_cmds ("listReqs: LOA in head is $head->{LOA} and loa is $loa");
                        }

                        if ($dataType !~ /(NEW|PENDING)/) {
                                ## get operator from first signature
                                if (my $sig = libGetSignatureObject ( OBJECT => $req )) {
                                        if (my $cert = libGetSignerCertificateDB( SIGNATURE=> $sig )) {
                                                $item_list->{BODY}->[$pos]->[$index++] =
                                                  "<a class=\"list\" href=\"$self?cmd=viewCert&key=".
                                                  $cert->getSerial()."\">".
                                                  $cert->getSerial()."</a>";
                                        } else {
                                                $item_list->{BODY}->[$pos]->[$index++] =
                                                  gettext ("Cannot determine certificate from signature!");
                                                print STDERR i18nGettext ("Cannot determine certificate from signature (CSR: __SERIAL__).",
                                                                          "__SERIAL__", $key)."\n";
                                        }
                                } else {
                                        if (not $req->getParsed()->{SIGNATURE}) {
                                                ## unsigned request: fall back to the operator recorded in the object
                                                my $operator = ( $parsed->{OPERATOR} or $head->{OPERATOR} or gettext("n/a"));
                                                if ($operator =~ /n\/a/i) {
                                                        $operator = gettext("n/a");
                                                }
                                                $item_list->{BODY}->[$pos]->[$index++] = $operator;
                                        } else {
                                                $item_list->{BODY}->[$pos]->[$index++] =
                                                  gettext ("Cannot build PKCS#7-object from signature!");
                                                print STDERR i18nGettext ("Cannot build object from signature (CSR: __SERIAL__).",
                                                                          "__SERIAL__", $key)."\n";
                                        }
                                }
                        }

                        $item_list->{BODY}->[$pos]->[$index++] = $ser_col;
                        if ( $head->{SUBJECT} ) {
                                $item_list->{BODY}->[$pos]->[$index++] = $head->{SUBJECT};
                        } elsif ( $parsed->{DN} ) {
                                $item_list->{BODY}->[$pos]->[$index++] = $parsed->{DN};
                        } else {
                                $item_list->{BODY}->[$pos]->[$index++] = "<CENTER>---</CENTER>";
                        }

                        if ( $dataType !~ /(NEW|PENDING|RENEW)/i ) {
                                $item_list->{BODY}->[$pos]->[$index++] =
                                    ( $head->{DELETED} or $head->{APPROVED} or gettext("n/a"));
                        } else {
                                $item_list->{BODY}->[$pos]->[$index++] =
                                    ( $head->{NOTBEFORE} or gettext("n/a"));
                        }
                        $item_list->{BODY}->[$pos]->[$index++] =
                            ($head->{ROLE} or gettext("n/a"));

                        $item_list->{BODY}->[$pos]->[$index++] =
                            ($loa or gettext("n/a"));
                } else {
                        ## CRR
                        $parsed = $req->getParsed ();
                        $head   = $parsed->{HEADER};
                        $key    = $req->getSerial ();

                        $serial = $parsed->{REVOKE_CERTIFICATE_SERIAL};
                        my $crr_cert = $db->getItem (DATATYPE => "CERTIFICATE", KEY => $serial);

                        $date   =  ( $parsed->{SUBMIT_DATE} or "---" );

                        if ( not $serial ) {
                                $serial = "<CENTER>---</CENTER>";
                        };

                        if ($dataType =~ /(NEW|PENDING)/) {
                                if ($parsed->{SIGNATURE}) {
                                        ## signature-based revocation
                                        if (my $sig = libGetSignatureObject ( OBJECT => $req )) {
                                                if (my $cert = libGetSignerCertificateDB( SIGNATURE=> $sig )) {
                                                        $item_list->{BODY}->[$pos]->[$index++] =
                                                            $cert->getParsed()->{DN};
                                                } else {
                                                        $item_list->{BODY}->[$pos]->[$index++] =
                                                            gettext ("Cannot determine certificate from signature!");
                                                        print STDERR i18nGettext ("Cannot determine certificate from signature (CRR: __SERIAL__).",
                                                                                  "__SERIAL__", $key)."\n";
                                                }
                                        } else {
                                                $item_list->{BODY}->[$pos]->[$index++] =
                                                    gettext("Cannot build object from signature!");
                                                print STDERR i18nGettext ("Cannot build object from signature (CRR: __SERIAL__).",
                                                                          "__SERIAL__", $key)."\n";
                                        }
                                } elsif ($parsed->{REVOKE_CERTIFICATE_DN}) {
                                        ## pin-based revocation
                                        $item_list->{BODY}->[$pos]->[$index++] =
                                            $parsed->{REVOKE_CERTIFICATE_DN};
                                } else {
                                        ## last chance by strong ssl-authentication
                                        $item_list->{BODY}->[$pos]->[$index++] =
                                            $head->{SSL_CERT_DN};
                                        print STDERR i18nGettext ("submitter of CRR not determinable (CRR: __SERIAL__).",
                                                                  "__SERIAL__", $key)."\n";
                                }
                        } else {
                                ## get operator from first signature
                                if (not $req->getParsed()->{SIGNATURE}) {
                                        $item_list->{BODY}->[$pos]->[$index++] =
                                                gettext("Request was not signed!");
                                } else {
                                        if (my $sig = libGetSignatureObject ( OBJECT => $req )) {
                                                if (my $cert = libGetSignerCertificateDB( SIGNATURE=> $sig )) {
                                                        $item_list->{BODY}->[$pos]->[$index++] =
                                                            "<a class=\"list\" href=\"$self?cmd=viewCert&key=".
                                                            $cert->getSerial()."\">".
                                                            $cert->getSerial()."</a>";
                                                } else {
                                                        $item_list->{BODY}->[$pos]->[$index++] =
                                                            gettext ("Cannot determine certificate from signature!");
                                                        print STDERR i18nGettext ("Cannot determine certificate from signature (CRR: __SERIAL__).",
                                                                                  "__SERIAL__", $key)."\n";
                                                }
                                        } else {
                                                $item_list->{BODY}->[$pos]->[$index++] =
                                                    gettext ("Cannot build PKCS#7-object from signature!");
                                                print STDERR i18nGettext ("Cannot build object from signature (CRR: __SERIAL__).",
                                                                          "__SERIAL__", $key)."\n";
                                        }
                                }
                        }

                        $ser_col = "<a class=\"list\" href=\"$self?cmd=viewCRR&dataType=$dataType" .
                                        "&key=$key\">". $serial ."</a>";

                        $item_list->{BODY}->[$pos]->[$index++] = $ser_col;
                        $item_list->{BODY}->[$pos]->[$index++] =
                            ( $parsed->{REVOKE_CERTIFICATE_DN} or "<CENTER>---</CENTER>" );

                        ## NEW and PENDING CRRs show the submit date, all other
                        ## states the deletion or approval date (the original only
                        ## tested for PENDING, so NEW CRRs showed "n/a")
                        if ( $dataType !~ /(NEW|PENDING)/i ) {
                                $item_list->{BODY}->[$pos]->[$index++] =
                                    (  $parsed->{DELETED_DATE} or $parsed->{APPROVED_DATE} or gettext ("n/a"));
                        } else {
                                $item_list->{BODY}->[$pos]->[$index++] =
                                    ( $date or "<CENTER>---</CENTER>" );
                        }

                        if ($crr_cert) {
                                $item_list->{BODY}->[$pos]->[$index++] =
                                    ($crr_cert->getParsed()->{HEADER}->{ROLE} or gettext("n/a"));
                        } else {
                                $item_list->{BODY}->[$pos]->[$index++] =
                                    gettext("Cannot load affected certificate!");
                        }
                }
        }

        return libSendReply (
                             "NAME"      => gettext ($name),
                             "ITEM_LIST" => $item_list,
                             "CMD_PANEL" => $cmd_panel,
                             "TIMESTAMP" => 1
                            );
}

1;
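The three line-ending points raised in the thread (the BODY-extraction regex in REQ.pm, the HEADER/BODY merge in crypto-utils.lib, and the open question of where else CRLF versus LF matters) can be reproduced with a small model of the object layout shown in the RAWDATA above. This is an added example written for this page, not OpenCA code: the sample object is constructed from the field names in the mail with made-up values, the regex is a stand-in for whatever REQ.pm uses, and a SHA-256 digest stands in for the hash a detached PKCS#7 signature covers.

```python
"""CRLF/LF pitfalls when a signed text object is split into HEADER and BODY.

Added example, not OpenCA code. Models the "-----BEGIN HEADER-----" layout
from the mailing-list post and shows (1) an LF-only regex failing on CRLF
input, (2) a split that canonicalizes first, and (3) why the re-join must use
the same line ending as the signed data, otherwise the digest (and so the
signature check) fails.
"""
import hashlib
import re

HEADER_BEGIN = "-----BEGIN HEADER-----"
HEADER_END = "-----END HEADER-----"

# Constructed sample in the layout of the RAWDATA in the mail; values are made up.
SAMPLE_LF = (
    "-----BEGIN HEADER-----\n"
    "TYPE = CRR\n"
    "SERIAL = 800\n"
    "SSL_CERT_SERIAL = n/a\n"
    "-----END HEADER-----\n"
    "SUBMIT_DATE = Thu Jul 8 09:05:41 2004 UTC\n"
    "REVOKE_REASON = Private key compromised.\n"
    "REVOKE_CERTIFICATE_SERIAL = 3\n"
)
SAMPLE_CRLF = SAMPLE_LF.replace("\n", "\r\n")

# Hypothetical LF-only pattern standing in for the one REQ.pm used.
_SPLIT_RE = re.compile(
    r"-----BEGIN HEADER-----\n(.*?)\n-----END HEADER-----\n(.*)", re.S
)


def split_naive(raw):
    """Split assuming LF line ends. Returns (header_text, body) or None.

    On CRLF input the '\\r' before each '\\n' breaks the pattern, so nothing
    matches and the caller sees an object without header or body.
    """
    m = _SPLIT_RE.match(raw)
    return None if m is None else (m.group(1), m.group(2))


def split_canonical(raw):
    """Canonicalize to LF, then split; header is parsed into a dict."""
    text = raw.replace("\r\n", "\n")
    m = _SPLIT_RE.match(text)
    if m is None:
        raise ValueError("no HEADER block found")
    header = {}
    for line in m.group(1).split("\n"):
        key, _, value = line.partition("=")
        header[key.strip()] = value.strip()
    return header, m.group(2)


def join_object(header, body, eol):
    """Re-assemble HEADER and BODY with the given line ending.

    Mirrors the merge step the thread describes; `eol` must match what the
    signer saw, or the bytes (and the digest) differ.
    """
    lines = [HEADER_BEGIN] + [f"{k} = {v}" for k, v in header.items()] + [HEADER_END]
    return eol.join(lines) + eol + body.replace("\n", eol)


def detect_eol(raw):
    """Line ending actually used by the object as received."""
    return "\r\n" if "\r\n" in raw else "\n"


def digest(text):
    """Stand-in for the hash a detached signature covers."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def roundtrip_preserves_bytes(raw):
    """True if split + re-join with the detected line ending gives back `raw`.

    This is the property a signature check needs: the reconstructed text must be
    byte-identical to what was signed.
    """
    header, body = split_canonical(raw)
    return join_object(header, body, detect_eol(raw)) == raw


if __name__ == "__main__":
    print("naive split on LF  :", split_naive(SAMPLE_LF) is not None)
    print("naive split on CRLF:", split_naive(SAMPLE_CRLF) is not None)
    h, b = split_canonical(SAMPLE_CRLF)
    print("digest equal after LF re-join  :", digest(join_object(h, b, "\n")) == digest(SAMPLE_CRLF))
    print("digest equal after CRLF re-join:", digest(join_object(h, b, "\r\n")) == digest(SAMPLE_CRLF))
```

The point of `roundtrip_preserves_bytes` is the check a practitioner would add around the split/merge code path: if the reconstructed object is not byte-identical to what was received, a signature over it cannot verify, and the error surfaces later as the opaque "Cannot build object from signature" seen in the thread rather than at the place the bytes were changed.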
