Robert Hannemann wrote:
>
> Robert Hannemann wrote:
> > When I request a cert through the public interface, I can use two
> > OrganizationalUnits - then I approve the request in the RAServer and
> > export it to the CA. In the CA I sign the request and export the cert
> > (can't import it in the RAServer).
> >
> > Now in the CAServer I can see the archived cert request with two
> > OrganizationalUnits in the DN, but the signed cert contains only one
> > OrganizationalUnit in the DN.
>
> Can somebody help to solve this?
Sorry, we are no full-time programmers ;-D
It is a mistake in the RAServer. The script appReq in cmds/
damages the SPKAC requests. Line 105 was missing, so the
OUs get wrong names.
(there are only 1.OUs and not 1.OU, 2.OU ...)
101     # Let's add all the OUs
102     $i = 1;
103     foreach $tmp ( @ouList ) {
104         $text .= "$i.OU = $tmp\n" if ($tmp);
105         $i++;   ## NEW NEW NEW ##
106     }
Perhaps this is the reason why all signatures of the requests are broken
(it is not the signature that is broken by the software, but the data
that is/was "broken" by the software).
Cheers Michael
----------------------------------------------------------------------------
Michael Bell
Rechenzentrum - Datacenter
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin
Germany
Email: [EMAIL PROTECTED]
Email (work): [EMAIL PROTECTED]
Tel. (work): +49 (0)30-2093 2482
Fax (work): +49 (0)30-2093 2959
[OpenCA Core Developer]
http://openca.sourceforge.net
## OpenCA - RA Server Command
## (c) 1998-2001 by Massimiliano Pala and OpenCA Group
##
## File Name: appReq
## Brief: Approve Request
## Description: Send out the form to approve and sign a request
##              after having verified request data
## Parameters: key, dataType, EMAIL, CN, O, C, S, L, ROLE, 1.OU .. n.OU

my $cmdName = "appReq";

if ( $cmd !~ /$cmdName/i ) {
    configError( "Wrong Command Usage ($cmd over $cmdName)!" );
    exit 1;
}

## To approve a Request, we need it signed by the RA operator
my $beginHeader = "-----BEGIN HEADER-----";
my $endHeader   = "-----END HEADER-----";

## Get Configuration needed parameters ...
my $doc = getRequired('ApproveRequestSheet');

## Get the parameters
my $key      = $query->param('key');
my $dataType = $query->param('dataType');
my $email    = $query->param('EMAIL');
my $cname    = $query->param('CN');
my $org      = $query->param('O');
my $country  = $query->param('C');
my $state    = $query->param('S');
my $locality = $query->param('L');

my $req = $db->getItem( DATATYPE=>$dataType, KEY=>$key );

## If the request does not exist, report the error before using it
## (this check must come before getParsed(), otherwise an unknown key
## dies on an undefined object instead of reporting "Not found")
if ( not $req ) {
    configError( "Error: Request $key ($dataType) Not found!" );
    exit;
}

my $parsed = $req->getParsed();
my ( $head, $text, $newREQ, $tmp, $tmpOU, $i, @ouList, $format );
$text = "";

## The operator may have corrected the DN fields on the form
$parsed->{EMAIL} = $email;
$parsed->{CN}    = $cname;
$parsed->{O}     = $org;
$parsed->{C}     = $country;
$parsed->{S}     = $state;
$parsed->{L}     = $locality;
$parsed->{HEADER}->{APPROVED} = $tools->getDate();
$parsed->{HEADER}->{ROLE}     = $query->param('ROLE');

## Collect the OUs submitted as 1.OU, 2.OU, ... up to the first missing one
$i = 1;
while ( $tmp = $query->param( "$i.OU" ) ) {
    push( @ouList, $tmp );
    $i++;
}
$parsed->{OU} = [ @ouList ];

## OUs joined with <BR> for display on the approval sheet
$tmpOU = "";
foreach $tmp ( @ouList ) {
    $tmpOU .= "<BR>" if ( $tmpOU ne "" );
    $tmpOU .= $tmp;
}

## Get the Operator Serial Number ( Watch out, only authorized
## people should get here; please verify your web configuration,
## this is not a matter of this program but of access control )
$parsed->{HEADER}->{OPERATOR} = $ENV{'SSL_CLIENT_M_SERIAL'};
if ( not defined $parsed->{HEADER}->{OPERATOR}
     or $parsed->{HEADER}->{OPERATOR} eq "" ) {
    $parsed->{HEADER}->{OPERATOR} = "n/a";
} else {
    ## pad the hex serial to an even number of digits
    if ( length( $parsed->{HEADER}->{OPERATOR} ) % 2 ) {
        $parsed->{HEADER}->{OPERATOR} = "0" . $parsed->{HEADER}->{OPERATOR};
    }
}

## Set Text to sign
$head  = "$beginHeader\n";
$head .= "RA = $parsed->{HEADER}->{RA}\n";
$head .= "TYPE = $parsed->{TYPE}\n";
$head .= "SERIAL = $parsed->{HEADER}->{SERIAL}\n";
$head .= "OPERATOR = $parsed->{HEADER}->{OPERATOR}\n";
$head .= "NOTBEFORE = $parsed->{HEADER}->{NOTBEFORE}\n";
$head .= "APPROVED = $parsed->{HEADER}->{APPROVED}\n";
$head .= "PIN = $parsed->{HEADER}->{PIN}\n";
$head .= "ROLE = $parsed->{HEADER}->{ROLE}\n";
$head .= "$endHeader\n";

if ( $parsed->{TYPE} =~ /(PKCS#10|IE)/ ) {
    ## PKCS#10 requests carry their own DN: the body is signed as it is
    $text .= $parsed->{BODY};
    $format = "PEM";
} else {
    ## SPKAC requests: the DN is rebuilt from the form fields
    $text .= "Email = $parsed->{EMAIL}\n" if ( $parsed->{EMAIL} );
    $text .= "CN = $parsed->{CN}\n"       if ( $parsed->{CN} );
    # Let's add all the OUs, numbered 1.OU, 2.OU, ... (without the
    # $i++ every OU was written as "1.OU" and only one survived)
    $i = 1;
    foreach $tmp ( @ouList ) {
        $text .= "$i.OU = $tmp\n" if ($tmp);
        $i++;
    }
    $text .= "S = $parsed->{S}\n" if ($parsed->{S});
    $text .= "L = $parsed->{L}\n" if ($parsed->{L});
    $text .= "O = $parsed->{O}\n" if ($parsed->{O});
    $text .= "C = $parsed->{C}\n" if ($parsed->{C});
    $text .= "SPKAC = $parsed->{SPKAC}\n";
    $format = "SPKAC";
}

## Create a new REQ object (if we modified something we should
## store modifications) and save the value.
$newREQ = $head . $text;
my $item = new OpenCA::REQ( SHELL=>$cryptoShell, DATA=>$newREQ,
                            INFORM=>$format );
if ( not $item ) {
    configError( "Cannot create a new REQ object." );
}

if ( not $db->storeItem( DATATYPE=>$dataType, MODE=>"UPDATE",
                         KEY=>$key, OBJECT=>$item ) ) {
    configError( "Error while storing REQ ($dbDir)!" );
}

## Get the sheet page
$page = $tools->getFile( $doc );

## Substitute variables
$page = $query->subVar( $page, '@CN@',    $parsed->{CN} );
$page = $query->subVar( $page, '@OU@',    $tmpOU );
$page = $query->subVar( $page, '@S@',     $parsed->{S} );
$page = $query->subVar( $page, '@L@',     $parsed->{L} );
$page = $query->subVar( $page, '@O@',     $parsed->{O} );
$page = $query->subVar( $page, '@C@',     $parsed->{C} );
$page = $query->subVar( $page, '@EMAIL@', $parsed->{EMAIL} );
$page = $query->subVar( $page, '@PIN@',
                        ( $parsed->{PIN} or $parsed->{HEADER}->{PIN} ) );
$page = $query->subVar( $page, '@SERIAL@',
                        ( $parsed->{SERIAL} or $parsed->{HEADER}->{SERIAL} ) );
$page = $query->subVar( $page, '@NOTBEFORE@', $parsed->{HEADER}->{NOTBEFORE} );
$page = $query->subVar( $page, '@ROLE@',      $parsed->{HEADER}->{ROLE} );
$page = $query->subVar( $page, '@KEYSIZE@',   $parsed->{KEYSIZE} );
$page = $query->subVar( $page, '@TEXT@',      $text );
$page = $query->subVar( $page, '@KEY@',       $key );
$page = $query->subVar( $page, '@DATATYPE@',  $dataType );
$page = $query->subVar( $page, '@HEADER@',    $head );

print $page;

1;
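The missing $i++ that Michael describes, reproduced as an added example (not OpenCA's own code): build_ou_lines() runs the OU loop from appReq with and without the increment, parse_kv() reads the text back the way a one-value-per-key reader would, and ou_numbering_ok() is a check an RA could run on an approved SPKAC text before exporting it to the CA. The two OU values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build the "N.OU = value" lines of the SPKAC text block as appReq does.
# $fixed = 0 reproduces the old loop (no $i++), $fixed = 1 the corrected one.
sub build_ou_lines {
    my ($ous, $fixed) = @_;
    my $text = "";
    my $i = 1;
    foreach my $tmp (@$ous) {
        $text .= "$i.OU = $tmp\n" if $tmp;
        $i++ if $fixed;
    }
    return $text;
}

# Parse "key = value" lines into a hash, keeping one value per key;
# duplicate keys are counted so the damage done by the old loop is visible.
sub parse_kv {
    my ($text) = @_;
    my (%kv, $dups);
    foreach my $line (split /\n/, $text) {
        next unless $line =~ /^\s*([^=\s]+)\s*=\s*(.*?)\s*$/;
        $dups++ if exists $kv{$1};
        $kv{$1} = $2;
    }
    return (\%kv, $dups // 0);
}

# Check an approved request text: the OU keys must be exactly 1.OU .. n.OU,
# with no gaps or repeats, and n must equal the number of OUs expected.
sub ou_numbering_ok {
    my ($text, $expected) = @_;
    my ($kv, $dups) = parse_kv($text);
    return 0 if $dups;
    my @n = sort { $a <=> $b } map { /^(\d+)\.OU$/ ? $1 : () } keys %$kv;
    return 0 unless @n == $expected;
    for my $k (1 .. $expected) { return 0 unless $n[$k - 1] == $k }
    return 1;
}

# Constructed sample: two OUs, as in the report above.
my @ous = ("Rechenzentrum", "Security");
for my $fixed (0, 1) {
    my $text = build_ou_lines(\@ous, $fixed);
    my ($kv, $dups) = parse_kv($text);
    printf "%s: %d OU key(s) survive, %d duplicate(s), numbering ok=%d\n",
        $fixed ? "fixed" : "buggy", scalar(keys %$kv), $dups,
        ou_numbering_ok($text, scalar @ous);
}
```

With the old loop only one OU key survives the round trip, which is the single-OU DN seen on the CA side; with the increment both OUs come through and the check passes.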