Hi,

I have done some debugging, commenting out the "unlink" statements in CLI.pm so the files would stay under /var/tmp for analysis. I have got this far:

OpenXPKI was started with:
openxpkictl start --debug OpenXPKI::Crypto::CLI:128

2011-03-30 23:09:23.996493 DEBUG:1 PID:12245 OpenXPKI::Crypto::CLI::prepare (line 76): start
2011-03-30 23:09:23.996627 DEBUG:2 PID:12245 OpenXPKI::Crypto::CLI::prepare (line 78): handle parameter COMMAND
2011-03-30 23:09:23.996904 DEBUG:4 PID:12245 OpenXPKI::Crypto::CLI::prepare (line 93): prepared command: /usr/bin/openca-sv verify -in /var/tmp/openxpkiAhYhyo -data /var/tmp/openxpkigFRhUb 1>>/var/tmp/openxpki8dSKJh 2>>/var/tmp/openxpkijzlYtt
2011-03-30 23:09:23.997091 DEBUG:1 PID:12245 OpenXPKI::Crypto::CLI::prepare (line 95): end
2011-03-30 23:09:23.997246 DEBUG:1 PID:12245 OpenXPKI::Crypto::CLI::execute (line 110): start
2011-03-30 23:09:23.997382 DEBUG:2 PID:12245 OpenXPKI::Crypto::CLI::execute (line 124): execute commands
2011-03-30 23:09:23.997580 DEBUG:4 PID:12245 OpenXPKI::Crypto::CLI::execute (line 127): command: /usr/bin/openca-sv verify -in /var/tmp/openxpkiAhYhyo -data /var/tmp/openxpkigFRhUb 1>>/var/tmp/openxpki8dSKJh 2>>/var/tmp/openxpkijzlYtt
2011-03-30 23:09:24.095248 DEBUG:64 PID:12245 OpenXPKI::Crypto::CLI::execute (line 181): CHILD_ERROR: 256
2011-03-30 23:09:24.104578 DEBUG:1 PID:12245 OpenXPKI::Crypto::CLI::cleanup (line 270): start
2011-03-30 23:09:24.112553 DEBUG:1 PID:12245 OpenXPKI::Crypto::CLI::cleanup (line 283): end

I also got hold of the input and output files; they are attached.

The output openca-sv generates seems to be:
[Error]: Digest mismatch. Signature is wrong.

What can be wrong?

Regards,
Marc

On 30.03.2011 4:19, Marc Posch wrote:
Hi again,

I have worked through a "test plan" which I have set up for myself with
the default TESTDUMMYCA and got to the following point:

- Sign in as root and unlock CA key -> successful
- Issue CRL -> successful
- Request CA Operator Certificate using basic template -> successful
- Login as raop and approve CSR without signature -> successful
- Request RA Operator Certificate using basic template -> successful
- Login as root using external static mode and approve CSR without signature -> successful
- Login as John Doe and request User Certificate using basic template -> successful
- Login as raop with digital signature -> successful
- Approve CSR with digital signature -> error

I have already configured my trust_anchors in auth.xml,
workflow_validator_certificate_revocation_request.xml and
workflow_validator_certificate_signing_request.xml
to I18N_OPENXPKI_DEPLOYMENT_TEST_DUMMY_CA.

Here is what the web interface returns:
--------------------------------------------
Error

I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATOR_APPROVALSIGNATURE_SIGNATURE_INVALID

Raw Error Data:

{
'LIST' => [
{
'LABEL' =>
'I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATOR_APPROVALSIGNATURE_SIGNATURE_INVALID',

'PARAMS' => {}
}
],
'SERVICE_MSG' => 'ERROR'
}


Certificate Revocation Request: Approval

To approve this certificate revocation request, you can either approve
with out without signature. Please choose the appropriate button to
approve the certificate revocation request.
--------------------------------------------
I can still approve the CSR without signature after that. This is the
content of /var/log/openxpki.log during approval:

--------------------------------------------
2011/03/30 13:48:54 openxpki.system.DEBUG [OpenXPKI::Crypto::CLI (/usr/lib/perl5/OpenXPKI/Crypto/CLI.pm:182); raop(RA Operator)@f644] Exception: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_CHILD_ERROR; __SIGNAL__ => 0; __EXIT_CODE__ => 1
2011/03/30 13:48:54 openxpki.system.DEBUG [OpenXPKI::Crypto::CLI (/usr/lib/perl5/OpenXPKI/Crypto/CLI.pm:182); raop(RA Operator)@f644] Exception: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_CHILD_ERROR; __SIGNAL__ => 0; __EXIT_CODE__ => 1
2011/03/30 13:48:54 openxpki.system.DEBUG [OpenXPKI::Crypto::Toolkit (/usr/lib/perl5/OpenXPKI/Crypto/Toolkit.pm:464); raop(RA Operator)@f644] Exception: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::PKCS7::Command::verify; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_CHILD_ERROR; __SIGNAL__ => 0; __EXIT_CODE__ => 1
2011/03/30 13:48:54 openxpki.system.DEBUG [OpenXPKI::Crypto::Toolkit (/usr/lib/perl5/OpenXPKI/Crypto/Toolkit.pm:464); raop(RA Operator)@f644] Exception: I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Tool::PKCS7::Command::verify; __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_CHILD_ERROR; __SIGNAL__ => 0; __EXIT_CODE__ => 1
2011/03/30 13:48:54 openxpki.system.WARN [OpenXPKI::Server::Workflow::Validator::ApprovalSignature (/usr/lib/perl5/OpenXPKI/Server/Workflow/Validator/ApprovalSignature.pm:159); raop(RA Operator)@f644] Exception: I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATOR_APPROVALSIGNATURE_SIGNATURE_INVALID
2011/03/30 13:48:54 openxpki.system.WARN [OpenXPKI::Server::Workflow::Validator::ApprovalSignature (/usr/lib/perl5/OpenXPKI/Server/Workflow/Validator/ApprovalSignature.pm:159); raop(RA Operator)@f644] Exception: I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATOR_APPROVALSIGNATURE_SIGNATURE_INVALID
2011/03/30 13:48:54 Workflow.ERROR Caught exception from action: I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATOR_APPROVALSIGNATURE_SIGNATURE_INVALID; reset workflow to old state 'PENDING'
2011/03/30 13:48:54 Workflow.ERROR Caught exception from action: I18N_OPENXPKI_SERVER_WORKFLOW_VALIDATOR_APPROVALSIGNATURE_SIGNATURE_INVALID; reset workflow to old state 'PENDING'
--------------------------------------------

I will try to investigate a little bit more by activating debug logging...

Regards,
Marc
depth:0 serial:02DF687F2ADC4D88CAFF subject:UID=raop+CN=RA Operator,DC=Test Deployment,DC=OpenXPKI,DC=org
I approve the CRR for workflow 9727.
ID of the certificate to be revoked:
3bB6OOHm5m-EmKhpVN1UpGfJtDw
SHA1-Hash of the session ID:
4euGQYxdX7E0SCHx4Nn8jVcNHEs
[Error]: Digest mismatch. Signature is wrong.