Michael Bell wrote:
Michael Konietzka wrote:
Michael Bell wrote:
Michael Konietzka wrote:
I have the same problem here: Signing of CSR, CRR doesn't work correctly.
CSRs are working now for me. There were three nice reasons:
1. SQL databases can have problems with umlauts like "ü".
2. REQ.pm has a wrong regex for the extraction of the BODY.
3. crypto-utils.lib merges HEADER and BODY with LF and not CRLF.

Fixes are committed to CVS. CRRs are not tested until now because I have to set up a completely new installation because of an old bug in OpenCA::Token::OpenSC (the signatures in my certs are broken).
The most important question is now, what is broken after this fix. It's a little bit frustrating but we have to identify all places where CRLF and LF can cause problems.
I just updated from CVS and now signing CSR and signing CRR with RA-Operator certificate works fine. On the ra-interface and on the ca-interface the signatures are valid.
Problems occur with user-initiated revoke via CRIN. The CRIN is accepted, then has to be retyped, and finally there is the button to sign the CRR. I wanted to sign this with the certificate which I want to revoke, but I get in the stderr:
Cannot build object from signature (CRR: 800).
RAWDATA:
-----BEGIN HEADER-----
TYPE = CRR
SERIAL = 800
SSL_CERT_SERIAL = n/a
SSL_CERT_DN =
SSL_CERT_ISSUER =
-----END HEADER-----
SUBMIT_DATE = Thu Jul 8 09:05:41 2004 UTC
CRIN = 7HOG5pbPVolNWeDARUjv5A==
REVOKE_REASON = Private key compromised.
REVOKE_CERTIFICATE_DN = serialNumber=3,CN=Michael Konietzka,OU=Schlund,O=United Internet,C=DE
REVOKE_CERTIFICATE_NOTBEFORE = Jul 8 08:48:24 2004 GMT
REVOKE_CERTIFICATE_NOTAFTER = Jul 8 08:48:24 2005 GMT
REVOKE_CERTIFICATE_SERIAL = 3
REVOKE_CERTIFICATE_ISSUER_DN = CN=United Internet CA,OU=PKI,O=United Internet,C=DE
REVOKE_CERTIFICATE_KEY_DIGEST = e17a2972bcde81e5adad5ffd6e52be03#####
Cannot build object from signature (CRR: 800).
Additional note:
I just tested CRIN-revoke again. The signing by the user works without complaints in the webUI.
But when looking for "active CRR" on the ra-interface I get "Cannot build PKCS#7-object from signature!" with the following in stderr.log:
Looks like OpenCA does not detect that this CRR is not signed. Does the attached listReqs work? Additionally, an if-clause only tests for PENDING and not for NEW. This is wrong too.
The output in the webUI slightly changed: "Cannot build object from signature!"
Ok, listReqs is too big and complicated for me. I split it up into listCRR and listCSR; this should be better manageable.
Michael
--
-------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice Tel.: +49 (0)30-2093 2482
(Computing Centre)             Fax: +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): [EMAIL PROTECTED]
Germany                        http://www.openca.org
OpenCA-Devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/openca-devel
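An added example, not part of the thread and not OpenCA code: the third cause listed above (HEADER and BODY merged with LF instead of CRLF) matters because a signature covers exact bytes, so signer and verifier must serialise the request identically. The sketch parses a constructed request in the HEADER/BODY layout quoted in the thread; the function names, and SHA-256 standing in for the digest a signature covers, are assumptions.

```python
import hashlib
import re

BEGIN, END = "-----BEGIN HEADER-----", "-----END HEADER-----"

# Constructed sample in the layout of the RAWDATA quoted in the thread.
SAMPLE = (
    "-----BEGIN HEADER-----\n"
    "TYPE = CRR\n"
    "SERIAL = 800\n"
    "-----END HEADER-----\n"
    "REVOKE_REASON = Private key compromised.\n"
    "REVOKE_CERTIFICATE_SERIAL = 3\n"
)

# Accept either line ending on input; everything after END HEADER is BODY.
SPLIT_RE = re.compile(
    re.escape(BEGIN) + r"\r?\n(.*?)\r?\n?" + re.escape(END) + r"\r?\n(.*)",
    re.S,
)

def split_request(raw):
    """Return (header_lines, body_lines) with line endings stripped."""
    m = SPLIT_RE.match(raw)
    if m is None:
        raise ValueError("no HEADER block found")
    return m.group(1).splitlines(), m.group(2).splitlines()

def merge(header, body, eol):
    """Re-serialise HEADER and BODY with one explicit line ending."""
    lines = [BEGIN, *header, END, *body]
    return "".join(line + eol for line in lines).encode("utf-8")

def digest(data):
    # Assumption: stand-in for the digest a detached signature would cover.
    return hashlib.sha256(data).hexdigest()

def canonical_digest(raw):
    """Digest over the CRLF form, whatever line endings the input used."""
    header, body = split_request(raw)
    return digest(merge(header, body, "\r\n"))

if __name__ == "__main__":
    header, body = split_request(SAMPLE)
    print("LF   :", digest(merge(header, body, "\n")))
    print("CRLF :", digest(merge(header, body, "\r\n")))
    print("canon:", canonical_digest(SAMPLE.replace("\n", "\r\n")))
```

The LF and CRLF digests differ although the text is the same, which is why a request signed over one form fails verification when the other side rebuilds it with the other line ending.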