Hello to all, I found a solution to the problem described in these messages: http://sourceforge.net/mailarchive/message.php?msg_id=4660460B.4020608%40mail.yerphi.am and http://sourceforge.net/mailarchive/message.php?msg_id=442D09BD.9050607%40mondedeu.com
The problem is in the CGI script viewCRR. In viewCRR, the header and body of the request are defined manually, and the line endings are set to CRLF instead of just LF. Because of that, the digest calculated by the first OpenCA component is different from the digest calculated by the second, and the approval fails with "Digest mismatch". I didn't dig too far, so I don't know for sure which those two components are.
Also, I noticed that with some older versions of Firefox (<2.0) this problem didn't exist. I assume that was the case because old Firefox removed CRs from form fields.
Solution is simply to remove '\r' in viewCRR. Diff is below. Cheers, emir # diff viewCRR.my viewCRR.orig 99,105c99,105 < $header = "$beginHeader\n"; < $header .= "TYPE = CRR\n"; < $header .= "SERIAL = $key\n";< $header .= "SSL_CERT_SERIAL = " . ($req->getParsed()->{HEADER}->{SSL_CERT_SERIAL} or gettext("n/a")) . "\n"; < $header .= "SSL_CERT_DN = " . ($req->getParsed()->{HEADER}->{SSL_CERT_DN} or gettext("n/a")) . "\n"; < $header .= "SSL_CERT_ISSUER = " . ($req->getParsed()->{HEADER}->{SSL_CERT_ISSUER} or gettext("n/a")) . "\n";
< $header .= "$endHeader\n"; --- > $header = "$beginHeader\r\n"; > $header .= "TYPE = CRR\r\n"; > $header .= "SERIAL = $key\r\n";> $header .= "SSL_CERT_SERIAL = " . ($req->getParsed()->{HEADER}->{SSL_CERT_SERIAL} or gettext("n/a")) . "\r\n"; > $header .= "SSL_CERT_DN = " . ($req->getParsed()->{HEADER}->{SSL_CERT_DN} or gettext("n/a")) . "\r\n"; > $header .= "SSL_CERT_ISSUER = " . ($req->getParsed()->{HEADER}->{SSL_CERT_ISSUER} or gettext("n/a")) . "\r\n";
> $header .= "$endHeader\r\n";
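Review bot: The file order is reversed in `diff viewCRR.my viewCRR.orig`, so in 99,105c99,105 the `<` lines (ending in "\n") are the fixed version and the `>` lines (ending in "\r\n") are the original; applied as posted, the patch would put the CRLF endings back. Please regenerate it with the original file first, ideally as a unified diff (`diff -u viewCRR.orig viewCRR.my`), so it applies forward and carries context lines.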
107,117c107,117
< $text = "SUBMIT_DATE = " . $req->getParsed()->{SUBMIT_DATE}. "\n";
< $text .= "APPROVED_DATE = " . $tools->getDate() . "\n";
< $text .= "CRIN = ".($req->getParsed()->{CRIN} or gettext("n/a")) .
"\n";
< $text .= "REVOKE_REASON = ".($parsed_req->{REVOKE_REASON} or
gettext("n/a")) . "\n";
< $text .= "REVOKE_CERTIFICATE_DN = " .
($req->getParsed()->{REVOKE_CERTIFICATE_DN} or gettext("n/a")) . "\n";
< $text .= "REVOKE_CERTIFICATE_NOTBEFORE = " .
($req->getParsed()->{REVOKE_CERTIFICATE_NOTBEFORE} or gettext("n/a")) .
"\n";
< $text .= "REVOKE_CERTIFICATE_NOTAFTER = " .
($req->getParsed()->{REVOKE_CERTIFICATE_NOTAFTER} or gettext("n/a")) . "\n";
< $text .= "REVOKE_CERTIFICATE_SERIAL = " .
($req->getParsed()->{REVOKE_CERTIFICATE_SERIAL} or gettext("n/a")) . "\n";
< $text .= "REVOKE_CERTIFICATE_ISSUER_DN = " .
($req->getParsed()->{REVOKE_CERTIFICATE_ISSUER_DN} or gettext("n/a")) .
"\n";
< $text .= "REVOKE_CERTIFICATE_KEY_DIGEST = " .
($req->getParsed()->{REVOKE_CERTIFICATE_KEY_DIGEST} or gettext("n/a")) . "";
< $text .= "\nUSER_CRR = ". $req->getParsed()->{USER_CRR} . "" if
($req->getParsed()->{USER_CRR});
---
> $text = "SUBMIT_DATE = " . $req->getParsed()->{SUBMIT_DATE}. "\r\n";
> $text .= "APPROVED_DATE = " . $tools->getDate() . "\r\n";
> $text .= "CRIN = ".($req->getParsed()->{CRIN} or gettext("n/a"))
. "\r\n";
> $text .= "REVOKE_REASON = ".($parsed_req->{REVOKE_REASON} or
gettext("n/a")) . "\r\n";
> $text .= "REVOKE_CERTIFICATE_DN = " .
($req->getParsed()->{REVOKE_CERTIFICATE_DN} or gettext("n/a")) . "\r\n";
> $text .= "REVOKE_CERTIFICATE_NOTBEFORE = " .
($req->getParsed()->{REVOKE_CERTIFICATE_NOTBEFORE} or gettext("n/a")) .
"\r\n";
> $text .= "REVOKE_CERTIFICATE_NOTAFTER = " .
($req->getParsed()->{REVOKE_CERTIFICATE_NOTAFTER} or gettext("n/a")) .
"\r\n";
> $text .= "REVOKE_CERTIFICATE_SERIAL = " .
($req->getParsed()->{REVOKE_CERTIFICATE_SERIAL} or gettext("n/a")) . "\r\n";
> $text .= "REVOKE_CERTIFICATE_ISSUER_DN = " .
($req->getParsed()->{REVOKE_CERTIFICATE_ISSUER_DN} or gettext("n/a")) .
"\r\n";
> $text .= "REVOKE_CERTIFICATE_KEY_DIGEST = " .
($req->getParsed()->{REVOKE_CERTIFICATE_KEY_DIGEST} or gettext("n/a")) .
"\r\n";
> $text .= "USER_CRR = ". $req->getParsed()->{USER_CRR} . "\r\n" if
($req->getParsed()->{USER_CRR});
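Review bot: In 107,117c107,117 the `<` side changes more than the '\r': the REVOKE_CERTIFICATE_KEY_DIGEST line now ends with "" and the USER_CRR line is prefixed with "\n" and ends with "", so the body no longer ends in a line terminator, where the `>` side ended both lines with "\r\n". Because the digest is computed over the exact text, please confirm the missing final newline is intended and matches what the other component hashes, or keep a trailing "\n" on both lines so the only change is CRLF to LF. Separately, REVOKE_REASON is read from `$parsed_req` while every other field uses `$req->getParsed()`; that is the same on both sides, but worth checking that `$parsed_req` is defined at this point.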
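A diagnostic for the "Digest mismatch" described in the message above, as an added example that is not part of the original post or of OpenCA: it classifies why two copies of the same request text hash differently. SHA-256, the function names and the sample values are assumptions; only the field names come from the diff.

```python
import hashlib

# Field names appear in the viewCRR diff; the values are constructed samples.
FIELDS = [("TYPE", "CRR"), ("SERIAL", "4242"), ("REVOKE_REASON", "keyCompromise")]


def build_text(eol):
    """Serialize the sample fields as 'KEY = value' lines terminated by eol."""
    return "".join(f"{key} = {value}{eol}" for key, value in FIELDS).encode("ascii")


def digest(data):
    # SHA-256 is a stand-in; the page does not say which digest OpenCA uses.
    return hashlib.sha256(data).hexdigest()


def canonical(data):
    """Map CRLF and bare CR to LF so only the content is compared."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def eol_census(data):
    """Count each line-ending style, to see which side carries CRs."""
    crlf = data.count(b"\r\n")
    return {"CRLF": crlf,
            "LF": data.count(b"\n") - crlf,
            "CR": data.count(b"\r") - crlf}


def classify_mismatch(signed, verified):
    """Explain why the text one side hashed differs from the other side's."""
    if digest(signed) == digest(verified):
        return "match"
    a, b = canonical(signed), canonical(verified)
    if a == b:
        return "line-endings-only"
    if a.rstrip(b"\n") == b.rstrip(b"\n"):
        return "trailing-newline-only"
    return "content-differs"


if __name__ == "__main__":
    crlf_copy, lf_copy = build_text("\r\n"), build_text("\n")
    print(eol_census(crlf_copy), eol_census(lf_copy))
    print(classify_mismatch(crlf_copy, lf_copy))
```

A "line-endings-only" or "trailing-newline-only" result means the request content is intact and the fix belongs in serialization, not in the request data.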
