Hi Guys,

I found the error --- it was in the approveCSR command -> the update
dataType was wrongly set to "RENEW_APPROVED" instead of "APPROVED_REQUEST".

I attach the new version of the command that fixes the problem. To fix
your installation, just copy the attached file in:

        PREFIX/lib/openca/cmds

(NOTE: in binary distros PREFIX=/opt/openca).

Please let me know if this fixes your installations or not...

Later,
Max


Sam Morrison wrote:
Yes I am also getting this exact same issue too.
Can't find anything in the logs of any use.


--
People who think they know everything are a great annoyance to those of us
who do.
                                                           -- Isaac Asimov
## OpenCA - RA Server Command
## (c) 1998-2001 by Massimiliano Pala and OpenCA Group
## (c) Copyright 2001-2004 The OpenCA Project
##
##   File Name: approveCSR
##       Brief: approve Request
##     Version: $Revision: 1.2 $
## Description: Adds a confirmed request into the APPROVED_REQUEST dB
##  Parameters: key, dataType, text, signature

use strict;

sub cmdApproveCSR {

our ($query, $db, $errno, $errval, $cryptoShell);

## Get the parameters
my $key         = $query->param( 'key' );
my $dataType    = $query->param( 'dataType' );
my $text        = $query->param( 'text' );
my $head        = $query->param( 'head' );
my $signature   = $query->param( 'signature' );
my $inform      = "PEM";

## Get Conf Parameters
my $tempDir     = getRequired('tempDir');

my ( $req, $item, $sig, $sigStatus, $signer );

$signature =~ s/\n*$//;

$text  = "$head" . "$text\n";
if ($signature !~ /^\s*$/) {
    $text .= "-----BEGIN PKCS7-----\n";
    $text .= "$signature\n";
    $text .= "-----END PKCS7-----\n";
}

## debug output: dumps the reconstructed signed text to the web server error log
print STDERR $text;

if( not $req = $db->getItem( DATATYPE=>$dataType, KEY=>$key) ) {
        generalError( i18nGettext ("Cannot find __DATATYPE__ REQ in DB!", "__DATATYPE__", $dataType));
}

$text .= $req->getParsed()->{KEY};

## FIXME: should we check the subject here if it is not dynamic via serials?

if ($dataType !~ /RENEW/i and not $req->getParsed()->{HEADER}->{RENEW}) {
        # check the public key
        ## Check if there are certificates with the same keys
        my @certList = $db->searchItems( DATATYPE=>    "CERTIFICATE",
                                        PUBKEY => $req->getParsed()->{PUBKEY});
 
        my $errorString = gettext ("A Certificate with the same public key exists!")."<br>\n".
                        gettext ("This is a keycompromise of the certificates with the serial:")."\n".
                        "<ul>\n";
        foreach my $h (@certList) {
                $errorString .= "<li>".$h->getSerial()."</li>\n";
        }
        $errorString .= "</ul>\n".
                        gettext ("Please revoke the certificates and delete the request.")."\n";
 
        ## refuse the approval if any certificate already carries this public key
        generalError( $errorString ) if (@certList);
}

if( $req->getParsed()->{HEADER}->{TYPE} =~ /(PKCS#10|IE)/i ) {
        $inform = "PEM";
} else {
        $inform = $req->getParsed()->{HEADER}->{TYPE};
}

if( not $item = new OpenCA::REQ ( SHELL   => $cryptoShell, 
                                  GETTEXT => \&i18nGettext,
                                  INFORM  => $inform,
                                  DATA    => $text )) {
        generalError( i18nGettext ("Cannot create a new REQ object (__KEY__)!", "__KEY__", $key).
                  "<br>\n".$OpenCA::REQ::errval, $OpenCA::REQ::errno );
}

$signer = libGetSignatureObject( OBJECT=>$item );
if ( not $signer ) {
        generalError ($errval, $errno);
}

libCheckSignature (OBJECT=>$item);
$sigStatus = $errval;

## check signature state - explanation:
## $errno is only set by libCheckSignature in case of a real error,
## $errval is always set by libCheckSignature, also on success!
generalError ( $errval ) if $errno;

## get signer certificate
my $tmpCert = libGetSignerCertificateDB( SIGNATURE=>$signer );
if( not $tmpCert ) {
        generalError ($errval, $errno);
}
## check validity of signer certificate
if ($tmpCert->getStatus() =~ /revoked/ || $tmpCert->getStatus() =~ /suspended/
                                       || $tmpCert->getStatus() =~ /expired/ ) {
        generalError ( i18nGettext ("Cannot approve request! Invalid Operator-Certificate detected!").
                                    "<br>\n".$errval, $errno);
}

## lifetime check for the requested role; generalError takes (message, code)
if (not crypto_check_lifetime ($item, $req->getParsed()->{HEADER}->{ROLE}))
{
    generalError ($errval, $errno);
}

## this is the fix described above: the request moves to APPROVED_REQUEST,
## not to RENEW_APPROVED
if ( not $db->updateStatus ( DATATYPE=>$dataType, 
                                OBJECT => $item, NEWTYPE=>"APPROVED_REQUEST")) {
                generalError( i18nGettext ("Error while updating the status of the request (__KEY__)!", "__KEY__", $key).
                    "<br>\n".$OpenCA::DB::errval, $OpenCA::DB::errno);
}

return libSendReply (
                     "TIMESTAMP"   => 1,
                     "NAME"        => gettext ("Certificate Signing Request Approved"),
                     "EXPLANATION" => gettext ("Certificate Request Successfully approved.")."\n".
                                      i18nGettext ("Signature: __SIGSTATUS__",
                                                   "__SIGSTATUS__", $sigStatus)
                    );
}

1;
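A small check of which version of approveCSR an installation carries, as an added example that is not part of the mail or of the OpenCA project; it assumes the binary-distro default PREFIX=/opt/openca mentioned above and only inspects the NEWTYPE passed to updateStatus.

```shell
#!/bin/sh
# Added example (not from the mail or the OpenCA project): report whether an
# installed approveCSR already carries the corrected NEWTYPE.
# Exit status of check_approve_csr:
#   0 = fixed file (NEWTYPE "APPROVED_REQUEST")
#   1 = old buggy file (NEWTYPE "RENEW_APPROVED")
#   2 = file unreadable, or no updateStatus NEWTYPE of either kind found
check_approve_csr() {
    # default path assumes PREFIX=/opt/openca (binary distributions)
    f="${1:-/opt/openca/lib/openca/cmds/approveCSR}"
    [ -r "$f" ] || return 2
    if grep -q 'NEWTYPE[[:space:]]*=>[[:space:]]*"RENEW_APPROVED"' "$f"; then
        return 1
    elif grep -q 'NEWTYPE[[:space:]]*=>[[:space:]]*"APPROVED_REQUEST"' "$f"; then
        return 0
    fi
    return 2
}

# stand-alone use: check the installed file and print a verdict
case "$(check_approve_csr "$@"; echo $?)" in
    0) echo "approveCSR: fixed (APPROVED_REQUEST)" ;;
    1) echo "approveCSR: OLD version (RENEW_APPROVED), copy the new file" ;;
    *) echo "approveCSR: file not found or no updateStatus NEWTYPE recognised" ;;
esac
```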

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
