Michael Bell wrote:
Michael Konietzka wrote:

Michael Bell wrote:

Michael Konietzka wrote:

I have the same problem here:
Signing of CSRs and CRRs doesn't work correctly.

CSRs are working now for me. There were three nice reasons:

1. SQL databases can have problems with umlauts like "ü".
2. REQ.pm has a wrong regex for the extraction of the BODY.
3. crypto-utils.lib merges HEADER and BODY with LF and not CRLF.

Fixes are committed to CVS. CRRs are not tested until now because I have to set up a completely new installation because of an old bug in OpenCA::Token::OpenSC (the signatures in my certs are broken).

The most important question now is what is broken after this fix. It's a little bit frustrating, but we have to identify all places where CRLF and LF can cause problems.



I just updated from CVS and now signing CSRs and signing CRRs with the RA-Operator certificate
works fine. On the RA interface and on the CA interface the signatures are valid.


Problems occur with user-initiated revocation via CRIN.
The CRIN is accepted, then has to be retyped, and finally there is the
button to sign the CRR. I wanted to sign this with the certificate
which I want to revoke, but I get in stderr:


Cannot build object from signature (CRR: 800).
RAWDATA:
-----BEGIN HEADER-----
TYPE = CRR
SERIAL = 800
SSL_CERT_SERIAL = n/a
SSL_CERT_DN =
SSL_CERT_ISSUER =
-----END HEADER-----
SUBMIT_DATE = Thu Jul 8 09:05:41 2004 UTC
CRIN = 7HOG5pbPVolNWeDARUjv5A==
REVOKE_REASON = Private key compromised.
REVOKE_CERTIFICATE_DN = serialNumber=3,CN=Michael Konietzka,OU=Schlund,O=United Internet,C=DE
REVOKE_CERTIFICATE_NOTBEFORE = Jul 8 08:48:24 2004 GMT
REVOKE_CERTIFICATE_NOTAFTER = Jul 8 08:48:24 2005 GMT
REVOKE_CERTIFICATE_SERIAL = 3
REVOKE_CERTIFICATE_ISSUER_DN = CN=United Internet CA,OU=PKI,O=United Internet,C=DE
REVOKE_CERTIFICATE_KEY_DIGEST = e17a2972bcde81e5adad5ffd6e52be03#####
Cannot build object from signature (CRR: 800).



Additional note:
I just tested CRIN-revoke again. The signing by the user works without complaints in the webUI.
But when looking for "active CRR" on the RA interface
I get "Cannot build PKCS#7-object from signature!" with the
following in stderr.log:


Looks like OpenCA does not detect that this CRR is not signed. Does the attached listReqs work? Additionally, an if-clause only tests for PENDING and not for NEW. This is wrong too.

The output in the webUI slightly changed: "Cannot build object from signature!"

The stderr.log:

RAWDATA:
-----BEGIN HEADER-----
TYPE = CRR
SERIAL = 1312
SSL_CERT_SERIAL = n/a
SSL_CERT_DN =
SSL_CERT_ISSUER =
-----END HEADER-----
SUBMIT_DATE = Thu Jul  8 10:01:20 2004 UTC
CRIN = YOj8d6nQfz56UrDa+Mn/JQ==
REVOKE_REASON = Private key compromised.
REVOKE_CERTIFICATE_DN = serialNumber=4,CN=Michael Konietzka,OU=Schlund,O=United Internet,C=DE
REVOKE_CERTIFICATE_NOTBEFORE = Jul  8 08:48:42 2004 GMT
REVOKE_CERTIFICATE_NOTAFTER = Jul  8 08:48:42 2005 GMT
REVOKE_CERTIFICATE_SERIAL = 4
REVOKE_CERTIFICATE_ISSUER_DN = CN=United Internet CA,OU=PKI,O=United Internet,C=DE
REVOKE_CERTIFICATE_KEY_DIGEST = 728b97f4772f4dbd00563a960118999b#####
Cannot build object from signature (CRR: 1312).


-- 
Dipl.-Inform. Michael Konietzka   Schlund + Partner AG - Development UNIX -
Brauerstraße 48                   Webservices
D-76135 Karlsruhe                 http://www.schlund.de/
Germany


_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
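Added example, not part of the thread and not OpenCA's code: the three causes Michael Bell lists (non-ASCII bytes in the database, a BODY regex that only knows one line ending, and joining HEADER and BODY with LF instead of CRLF) all change the bytes a verifier reconstructs from a stored request, which is one way a request ends up in the "Cannot build object from signature" state shown in the logs above. The Python below builds a HEADER/BODY request in the format of the logged CRRs, signs it with an HMAC as a stand-in for the PKCS#7 signature, and shows verification failing after an LF re-join, a LF-only BODY regex missing the body entirely, and a DN with an umlaut being re-encoded, then succeeding again once line endings are canonicalised back to CRLF. The key, the header fields and the DN are constructed for the example; OpenCA's real parsing is Perl (REQ.pm, crypto-utils.lib) and is not reproduced here.

```python
# Added example, not OpenCA's own code: why LF/CRLF and encoding differences
# break a detached signature over a HEADER/BODY request, and how a tolerant
# parser plus canonicalisation avoids it.  The HMAC stands in for the PKCS#7
# signature; key, header fields and DN are constructed for the example.
import hashlib
import hmac
import re

SAMPLE_KEY = b"constructed-example-key"   # stand-in for the signer's key, not a real secret

BEGIN_HEADER = "-----BEGIN HEADER-----"
END_HEADER = "-----END HEADER-----"


def build_request(header_lines, body_lines, eol):
    """Join the HEADER block and the BODY lines with the given line ending."""
    parts = [BEGIN_HEADER, *header_lines, END_HEADER, *body_lines]
    return eol.join(parts) + eol


def sign(text, encoding="utf-8"):
    """Stand-in for the detached signature: a MAC over the exact bytes signed."""
    return hmac.new(SAMPLE_KEY, text.encode(encoding), hashlib.sha256).digest()


def verify(text, sig, encoding="utf-8"):
    """True only if the reconstructed bytes are identical to what was signed."""
    return hmac.compare_digest(sign(text, encoding), sig)


# A regex that only knows LF silently fails on CRLF input: no BODY is found.
NAIVE_BODY_RE = re.compile(re.escape(END_HEADER) + r"\n(.*)", re.DOTALL)
# Accept either line ending when locating the BODY.
TOLERANT_BODY_RE = re.compile(re.escape(END_HEADER) + r"\r?\n(.*)", re.DOTALL)


def extract_body(raw, pattern=TOLERANT_BODY_RE):
    """Return the BODY text after the HEADER block, or None if it is not found."""
    m = pattern.search(raw)
    return m.group(1) if m else None


def canonicalize(raw):
    """Normalise every line ending to CRLF before re-verifying a stored request."""
    return re.sub(r"\r\n|\r|\n", "\r\n", raw)


# Constructed request in the layout of the CRRs logged in the thread.
HEADER = ["TYPE = CRR", "SERIAL = 800", "SSL_CERT_SERIAL = n/a"]
BODY = [
    "REVOKE_REASON = Private key compromised.",
    "REVOKE_CERTIFICATE_DN = CN=Jürgen Muster,O=Beispiel,C=DE",  # constructed DN with an umlaut
    "REVOKE_CERTIFICATE_SERIAL = 3",
]


def demo():
    """Run the checks a verifier would face and return their outcomes."""
    submitted = build_request(HEADER, BODY, "\r\n")   # what the client signed
    sig = sign(submitted)
    stored_lf = build_request(HEADER, BODY, "\n")     # what a LF-joining server rebuilt
    return {
        "verifies_as_submitted": verify(submitted, sig),
        "verifies_after_lf_join": verify(stored_lf, sig),
        "verifies_after_canonicalize": verify(canonicalize(stored_lf), sig),
        "naive_regex_finds_body": extract_body(submitted, NAIVE_BODY_RE) is not None,
        "tolerant_regex_finds_body": extract_body(submitted) is not None,
        # The same text read back in another encoding (e.g. a latin-1 database
        # column) yields different bytes, so verification fails with CRLF intact.
        "verifies_after_reencoding": verify(submitted, sig, encoding="latin-1"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Canonicalising to CRLF only repairs a request if the signer used CRLF in the first place, which is why the point about auditing every place where LF and CRLF meet matters more than any single fix.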
