Hi Diego,

Diego de Felice wrote:

I've succeeded in storing and approving the CSR in the system from the
RA side. Now the problem is the issuing of the certificate, in
particular with the line:

    my $cert = libIssueCertificate (KEY => $new_serial, DATATYPE => "APPROVED_REQUEST");

this function always shows a form that asks for the CA password. I've
inspected other scripts and found something for the Token of the CA.
So I've inserted something like this before making the call to
libIssueCertificate:

    our $ca_token        = $crypto_layer->getToken ('CA');

but the form always appears, so I've inserted

    our $ca_token        = $crypto_layer->getToken ('CA');
    $ca_token->login if (not $ca_token->keyOnline);

but the problem is the same. How can I resolve this problem (if it's
possible to resolve it)? I also want to make a general routine that
works in the presence of an HSM too (this is the scenario that I
seek, but now the CA certificate is a standard certificate saved on
the server with its own password (the same one OpenCA asks for in the
form)).

If you want a clean solution then you must edit src/modules/openca-crypto/Token/OpenSSL.pm too. The fix is simple:

Index: OpenSSL.pm
===================================================================
RCS file: /cvsroot/openca/openca-0.9/src/modules/openca-crypto/Token/OpenSSL.pm,v
retrieving revision 1.11.2.1
diff -r1.11.2.1 OpenSSL.pm
131,134c131,139
<     my @result = ($self->{CRYPTO}->getAccessControl())->getTokenParam (
<                   $self->{NAME},
<                   $self->{PASSWD_PARTS});
<     $self->{PASSWD} = join '', @result;
---
>     if ($_[0])
>     {
>         $self->{PASSWD} = shift;
>     } else {
> my @result = ($self->{CRYPTO}->getAccessControl())->getTokenParam (
>                       $self->{NAME},
>                       $self->{PASSWD_PARTS});
>         $self->{PASSWD} = join '', @result;
>     }
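Review bot: `if ($_[0])` tests the argument for truth, so a passphrase of "0" or the empty string is treated as not supplied and the method falls through to the getTokenParam prompt; test with `defined $_[0]` (or `@_`) instead so an explicitly passed value is always used. The `my @result = ...` line in the else branch also lost its indentation relative to the surrounding lines. A one-line comment on login() documenting the new optional argument, and that the caller is responsible for where the passphrase comes from, would help later readers of OpenSSL.pm.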

This patch adds support for a parameter to the login function of the crypto token OpenSSL. You can now call login this way:

$ca_token->login($passwd) if (not $ca_token->keyOnline);

You must have a source for the passphrase of course.

If you use an HSM like LunaCA, for example, then you can activate the device and simply use it, but the operational questions for LunaCA devices are not my main interest. Bahaa, Chris and Martin are the guys who really use HSMs.

Michael
--
_______________________________________________________________

Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
[EMAIL PROTECTED]   D-10099 Berlin
_______________________________________________________________
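As an added example (not OpenCA code and not part of either message above), the following Perl sketch mirrors the patched login() with a hypothetical `DemoToken` stand-in and shows the two things a caller of `$ca_token->login($passwd)` has to get right: pass the argument through a `defined` test rather than a truth test, and take the passphrase from a file that only the CA user can read. The package name and the path `/etc/openca/ca.passphrase` are assumptions.

```perl
# Added example, not OpenCA code: hypothetical stand-in for the token's login()
# with the patch's optional-passphrase logic, plus a permission-checked reader.
use strict;
use warnings;
use Fcntl ':mode';

package DemoToken;    # hypothetical; mirrors only the login/keyOnline interface
sub new {
    my ($class, %args) = @_;
    return bless { NAME => $args{NAME}, PASSWD => undef }, $class;
}
sub keyOnline { return defined $_[0]->{PASSWD} }

# login([$passphrase]): the patch tests "if ($_[0])", which treats "0" and ""
# as absent; testing defined() means any value the caller passes is used.
sub login {
    my $self = shift;
    if (@_ and defined $_[0]) {
        $self->{PASSWD} = shift;
    } else {
        # stands in for getAccessControl()->getTokenParam(...) in OpenCA
        $self->{PASSWD} = $self->prompt_for_passphrase;
    }
    return 1;
}
sub prompt_for_passphrase { die "interactive prompt reached: no passphrase supplied\n" }

package main;

# Read the CA passphrase from a file; die unless the mode is 0600 or tighter,
# so a misconfigured file is caught before the key is ever unlocked.
sub read_passphrase_file {
    my ($path) = @_;
    my @st = stat $path or die "cannot stat $path: $!\n";
    my $mode = S_IMODE($st[2]);
    die sprintf("%s has mode %04o, expected 0600 or tighter\n", $path, $mode)
        if $mode & 077;
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    chomp(my $pw = <$fh> // '');
    close $fh;
    return $pw;
}

my $path  = $ARGV[0] // '/etc/openca/ca.passphrase';   # assumed location
my $token = DemoToken->new(NAME => 'CA');
$token->login(read_passphrase_file($path)) if not $token->keyOnline;
print "CA token ", ($token->keyOnline ? 'online' : 'offline'), "\n";
```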
